diff --git a/policy-20071130.patch b/policy-20071130.patch index e4fa5a7..efd7940 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1399,6 +1399,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.3.1 # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te +--- nsaserefpolicy/policy/modules/admin/amanda.te 2008-02-26 08:23:10.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-05-07 13:40:42.000000000 -0400 +@@ -82,8 +82,7 @@ + allow amanda_t amanda_config_t:file { getattr read }; + + # access to amandas data structure +-allow amanda_t amanda_data_t:dir { read search write }; +-allow amanda_t amanda_data_t:file manage_file_perms; ++manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) + + # access to amanda_dumpdates_t + allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.3.1/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-02-26 08:23:10.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te 2008-05-06 14:02:43.000000000 -0400 @@ -5711,8 +5724,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-05-06 14:02:43.000000000 -0400 -@@ -0,0 +1,198 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-05-07 10:42:53.000000000 -0400 +@@ -0,0 +1,201 @@ + +policy_module(nsplugin,1.0.0) + 
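Review bot: The comment kept above the new rule, `# access to amandas data structure`, no longer describes what the rule grants: `manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)` replaces a directory rule limited to `{ read search write }` with the pattern's full read/write directory set (add_name/remove_name included), which is what file creation and deletion need and what the changelog entry "Allow amanada to create data files" intends. Suggest `# create, read, write and delete amanda's data files` so the widening is documented at the rule. The file-side permission (`manage_file_perms`) is unchanged from the removed line. The second hunk on this line only refreshes the nsplugin.te timestamp and inner line counts; the added lines it accounts for are in the next hunk.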
@@ -5788,6 +5801,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +dev_read_rand(nsplugin_t) +dev_read_sound(nsplugin_t) +dev_write_sound(nsplugin_t) ++dev_read_video_dev(nsplugin_t) ++dev_write_video_dev(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) @@ -5824,6 +5839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +userdom_manage_user_tmp_sockets(user,nsplugin_t) +userdom_tmp_filetrans_user_tmp(user,nsplugin_t, { file dir sock_file }) +userdom_read_user_tmpfs_files(user,nsplugin_t) ++userdom_rw_unpriv_user_semaphores(nsplugin_t) + +userdom_read_user_home_content_symlinks(user, nsplugin_t) +userdom_read_user_home_content_files(user, nsplugin_t) @@ -7098,7 +7114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-02-26 08:23:12.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-05-06 14:08:38.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-05-07 10:37:38.000000000 -0400 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -8822,7 +8838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.3.1/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-05-07 06:38:24.000000000 -0400 @@ -13,7 +13,7 @@ # configuration files 
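Review bot: `dev_read_video_dev(nsplugin_t)` and `dev_write_video_dev(nsplugin_t)` give every browser plugin instance unconditional access to video capture devices, and nothing in the hunk lets an administrator switch that off; for optional hardware access in an application domain the usual refpolicy shape is a `gen_tunable` with a one-line `## ...` description and the two calls inside a `tunable_policy` block, with the boolean name still to be chosen. The same hunk's second part adds `userdom_rw_unpriv_user_semaphores(nsplugin_t)`, which, unlike the surrounding `userdom_*(user, nsplugin_t)` calls, takes no user prefix and is keyed on the `unpriv_userdomain` attribute, so it presumably covers semaphores of every unprivileged user domain rather than only the owning user's. If that breadth is intended, a short comment above the call, e.g. `# SysV semaphores shared with any unprivileged user domain`, would keep it from being narrowed by mistake later.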
@@ -9496,7 +9512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-05-06 16:40:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-05-07 14:22:10.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -19633,7 +19649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-05-07 06:40:55.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -19677,7 +19693,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -99,6 +112,7 @@ +@@ -80,6 +93,9 @@ + type postfix_public_t; + files_type(postfix_public_t) + ++type postfix_var_lib_t; ++files_type(postfix_var_lib_t) ++ + type postfix_var_run_t; + files_pid_file(postfix_var_run_t) + +@@ -99,6 +115,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; 
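Review bot: The new type in `type postfix_var_lib_t; files_type(postfix_var_lib_t)` and the rules that use it in the next hunk (`@@ -19685,7 +19711,18 @@`: `manage_dirs_pattern(postfix_master_t,postfix_var_lib_t,postfix_var_lib_t)`, `manage_files_pattern(...)`, `files_search_var_lib(postfix_master_t)`) only have an effect once some path is labeled with the type, and no `postfix.fc` entry for it appears in this diff; if one is not elsewhere in the patch, the Postfix directory under `/var/lib` keeps the generic `var_lib_t` label and the new rules are dead. Suggest an fc line of the form `/var/lib/<postfix-data-dir>(/.*)?	gen_context(system_u:object_r:postfix_var_lib_t,s0)` (path to confirm against the package) and, if postfix_master_t creates that directory itself, a `files_var_lib_filetrans(postfix_master_t, postfix_var_lib_t, { file dir })` next to the pattern calls. The remaining hunks on this line are timestamp and inner line-number refreshes.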
@@ -19685,7 +19711,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -174,6 +188,7 @@ +@@ -122,6 +139,10 @@ + + domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) + ++manage_dirs_pattern(postfix_master_t,postfix_var_lib_t,postfix_var_lib_t) ++manage_files_pattern(postfix_master_t,postfix_var_lib_t,postfix_var_lib_t) ++files_search_var_lib(postfix_master_t) ++ + # allow access to deferred queue and allow removing bogus incoming entries + manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t) + manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t) +@@ -174,6 +195,7 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -19693,7 +19730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_master_t) -@@ -248,6 +263,10 @@ +@@ -248,6 +270,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -19704,7 +19741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix local local policy -@@ -273,18 +292,25 @@ +@@ -273,18 +299,25 @@ files_read_etc_files(postfix_local_t) @@ -19730,7 +19767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -295,8 +321,7 @@ +@@ -295,8 +328,7 @@ # # Postfix map local policy # @@ -19740,7 +19777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +371,6 @@ +@@ -346,8 +378,6 @@ miscfiles_read_localization(postfix_map_t) 
@@ -19749,7 +19786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -360,6 +383,11 @@ +@@ -360,6 +390,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -19761,7 +19798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -384,6 +412,7 @@ +@@ -384,6 +419,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -19769,7 +19806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -391,6 +420,12 @@ +@@ -391,6 +427,12 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) @@ -19782,7 +19819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -400,6 +435,10 @@ +@@ -400,6 +442,10 @@ ') optional_policy(` @@ -19793,7 +19830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -532,9 +571,6 @@ +@@ -532,9 +578,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) @@ -19803,7 +19840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +593,10 @@ +@@ -557,6 +600,10 @@ sasl_connect(postfix_smtpd_t) ') 
@@ -19814,7 +19851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy -@@ -572,7 +612,7 @@ +@@ -572,7 +619,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -27877,7 +27914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-07 14:02:18.000000000 -0400 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -28089,7 +28126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f - diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-05-07 10:57:02.000000000 -0400 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') 
@@ -28756,7 +28793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-05-07 08:53:39.000000000 -0400 @@ -48,6 +48,7 @@ fs_getattr_xattr_fs(iptables_t) @@ -28765,6 +28802,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl mls_file_read_all_levels(iptables_t) +@@ -113,3 +114,7 @@ + optional_policy(` + udev_read_db(iptables_t) + ') ++ ++optional_policy(` ++ unconfined_rw_stream_sockets(iptables_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-26 08:23:09.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-05-06 14:02:43.000000000 -0400 @@ -28982,7 +29027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-05-07 14:09:20.000000000 -0400 @@ -4,6 +4,8 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) 
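Review bot: The added block `optional_policy(` unconfined_rw_stream_sockets(iptables_t) ')` at the end of iptables.te carries no comment saying why iptables_t needs read/write access to unconfined_t unix stream sockets, and the surrounding policy gives no hint; refpolicy convention is a one-line rationale above a cross-domain grant like this. If the motivation is descriptors inherited from an unconfined caller, a comment such as `# stream sockets inherited from unconfined callers` above the `optional_policy(` line would record it; if the access is only observed as leaked descriptors, a dontaudit would be the narrower choice. The `optional_policy` wrapper itself is right, since the unconfined module may not be loaded.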
@@ -28992,7 +29037,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -46,7 +48,7 @@ +@@ -36,6 +38,7 @@ + /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) + /var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/lib/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) + + ifndef(`distro_gentoo',` + /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +@@ -46,7 +49,7 @@ ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) @@ -29001,7 +29054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) -@@ -57,3 +59,8 @@ +@@ -57,3 +60,8 @@ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -30525,7 +30578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.3.1/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-05-07 10:50:23.000000000 -0400 @@ -215,8 +215,6 @@ seutil_domtrans_newrole($1) role $2 types newrole_t; 
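Review bot: `/var/lib/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)` combines a recursive `(/.*)?` regex with the `--` (regular-file-only) modifier, so the `/var/lib/syslog-ng` directory itself and any subdirectories never match and keep the parent `var_lib_t` label; only the plain files inside get the new type. Drop the modifier: `/var/lib/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_lib_t,s0)`. The pre-existing `/var/log/syslog-ng(/.*)? --` context line directly above has the same shape, though it is not part of this change. `syslogd_var_lib_t` also needs a declaration in logging.te, which is not visible in this chunk.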
@@ -30666,7 +30719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1141,3 +1215,140 @@ +@@ -1141,3 +1215,141 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -30772,6 +30825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + files_read_usr_files($1) + files_list_pids($1) + fs_list_inotifyfs($1) ++ fs_getattr_all_fs($1) + + mls_file_write_all_levels($1) + mls_file_read_all_levels($1) @@ -31097,6 +31151,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran selinux_compute_access_vector(setrans_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.3.1/policy/modules/system/sysnetwork.fc +--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-02-26 08:23:10.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.fc 2008-05-07 10:59:24.000000000 -0400 +@@ -57,3 +57,5 @@ + ifdef(`distro_gentoo',` + /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) + ') ++ ++/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-02-26 08:23:09.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-05-06 14:02:43.000000000 -0400 
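Review bot: `/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)` is appended after the `ifdef(`distro_gentoo',` block at the very end of sysnetwork.fc, whereas refpolicy .fc files are kept in path order, so the entry belongs with the other `/etc` entries near the top. It also lacks the `--` modifier that executable entries elsewhere in this patch use (e.g. `/sbin/auditctl --` in logging.fc), so a directory or symlink at that path would receive the exec label as well. Suggest `/etc/firestarter/firestarter\.sh -- gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)` placed in the `/etc` group. The earlier hunk on this line adds `fs_getattr_all_fs($1)` to an interface whose header lies outside the hunk.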
@@ -31198,8 +31261,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-05-06 14:02:43.000000000 -0400 -@@ -45,7 +45,7 @@ ++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-05-07 10:58:33.000000000 -0400 +@@ -20,6 +20,10 @@ + init_daemon_domain(dhcpc_t,dhcpc_exec_t) + role system_r types dhcpc_t; + ++type dhcpc_helper_exec_t; ++domain_entry_file(dhcpc_helper_exec_t) ++init_script_domtrans_spec(dhcpc_t, dhcpc_helper_exec_t) ++ + type dhcpc_state_t; + files_type(dhcpc_state_t) + +@@ -45,7 +49,7 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; @@ -31208,7 +31282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow dhcpc_t self:fifo_file rw_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; allow dhcpc_t self:udp_socket create_socket_perms; -@@ -123,7 +123,7 @@ +@@ -123,7 +127,7 @@ files_read_etc_runtime_files(dhcpc_t) files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) @@ -31217,7 +31291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet init_rw_utmp(dhcpc_t) -@@ -136,6 +136,7 @@ +@@ -136,6 +140,7 @@ modutils_domtrans_insmod(dhcpc_t) @@ -31225,7 +31299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_dontaudit_search_staff_home_dirs(dhcpc_t) ifdef(`distro_redhat', ` -@@ -153,11 +154,19 @@ +@@ -153,11 +158,19 @@ ') optional_policy(` 
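Review bot: `domain_entry_file(dhcpc_helper_exec_t)` passes a single argument, but that interface takes the domain first and the entry-point type second, so as written the `entrypoint` permission that `init_script_domtrans_spec(dhcpc_t, dhcpc_helper_exec_t)` relies on is never granted to dhcpc_t, and the empty second parameter is likely to break the policy build. Change the line to `domain_entry_file(dhcpc_t, dhcpc_helper_exec_t)`. A short comment above the three new lines, e.g. `# helper scripts run by init scripts in the dhcpc domain`, would also explain the new type to the next reader. The remaining hunks on this line are inner line-number shifts only.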
@@ -31245,7 +31319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` networkmanager_dbus_chat(dhcpc_t) ') -@@ -186,6 +195,10 @@ +@@ -186,6 +199,10 @@ ') optional_policy(` @@ -31256,7 +31330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_use_ypbind(dhcpc_t) nis_signal_ypbind(dhcpc_t) nis_read_ypbind_pid(dhcpc_t) -@@ -202,9 +215,7 @@ +@@ -202,9 +219,7 @@ ') optional_policy(` @@ -31267,7 +31341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -215,6 +226,7 @@ +@@ -215,6 +230,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -31275,7 +31349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -226,6 +238,10 @@ +@@ -226,6 +242,10 @@ ') optional_policy(` @@ -31286,7 +31360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -239,7 +255,6 @@ +@@ -239,7 +259,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -31294,7 +31368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -253,6 +268,7 @@ +@@ -253,6 +272,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; 
@@ -31302,7 +31376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; -@@ -268,7 +284,10 @@ +@@ -268,7 +288,10 @@ kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) @@ -31313,7 +31387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet corenet_rw_tun_tap_dev(ifconfig_t) -@@ -279,8 +298,11 @@ +@@ -279,8 +302,11 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -31325,7 +31399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(ifconfig_t) -@@ -308,7 +330,7 @@ +@@ -308,7 +334,7 @@ unconfined_domain(ifconfig_t) ') ') @@ -31334,7 +31408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -332,6 +354,14 @@ +@@ -332,6 +358,14 @@ ') optional_policy(` @@ -32179,7 +32253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-05-07 10:42:29.000000000 -0400 @@ -29,9 +29,14 @@ ') 
@@ -34151,7 +34225,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## # -@@ -4231,11 +4404,11 @@ +@@ -3962,6 +4135,24 @@ + + ######################################## + ## ++## RW unpriviledged user SysV sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_unpriv_user_semaphores',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:sem rw_sem_perms; ++') ++ ++######################################## ++## + ## Manage unpriviledged user SysV shared + ## memory segments. + ## +@@ -4231,11 +4422,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -34165,7 +34264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4424,10 @@ +@@ -4251,10 +4442,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -34178,7 +34277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4443,11 @@ +@@ -4270,11 +4461,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -34192,7 +34291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4462,16 @@ +@@ -4289,16 +4480,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -34212,7 +34311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4480,35 @@ +@@ -4307,12 +4498,35 @@ ## ## # @@ -34251,7 +34350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4523,13 @@ +@@ -4327,13 +4541,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` 
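Review bot: The summary line of the new interface, `## RW unpriviledged user SysV sempaphores.`, has a new typo ("sempaphores"); "unpriviledged" matches the spelling already used by the neighbouring `## Manage unpriviledged user SysV shared` block, so that one is the file's existing convention. Suggest `## Read and write unpriviledged user SysV semaphores.`, spelling out "RW" the way the other summaries in this file do. Since the body is `allow $1 unpriv_userdomain:sem rw_sem_perms;`, the description could also say that the access covers the semaphores of all unprivileged user domains, which distinguishes it from the per-user-prefix interfaces a caller such as nsplugin_t otherwise uses.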
@@ -34269,7 +34368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4727,10 @@ +@@ -4531,10 +4745,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -34282,7 +34381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4747,10 @@ +@@ -4551,10 +4765,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -34295,7 +34394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4765,10 @@ +@@ -4569,10 +4783,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -34308,7 +34407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4784,10 @@ +@@ -4588,10 +4802,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -34321,7 +34420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4802,10 @@ +@@ -4606,10 +4820,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -34334,7 +34433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4821,10 @@ +@@ -4625,10 +4839,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -34347,7 +34446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4840,11 @@ +@@ -4644,12 +4858,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` 
@@ -34363,7 +34462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4871,10 @@ +@@ -4676,10 +4889,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -34376,7 +34475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4889,10 @@ +@@ -4694,10 +4907,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -34389,7 +34488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4907,13 @@ +@@ -4712,13 +4925,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -34407,7 +34506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4949,49 @@ +@@ -4754,11 +4967,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -34458,7 +34557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5011,14 @@ +@@ -4778,6 +5029,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -34473,7 +34572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5080,26 @@ +@@ -4839,6 +5098,26 @@ ######################################## ## @@ -34500,7 +34599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5120,25 @@ +@@ -4859,6 +5138,25 @@ ######################################## ## 
@@ -34526,7 +34625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5159,26 @@ +@@ -4879,6 +5177,26 @@ ######################################## ## @@ -34553,7 +34652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5415,7 @@ +@@ -5115,7 +5433,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -34562,7 +34661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5604,63 @@ +@@ -5304,6 +5622,63 @@ ######################################## ## @@ -34626,7 +34725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,7 +5866,7 @@ +@@ -5509,7 +5884,7 @@ ######################################## ## @@ -34635,7 +34734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5517,18 +5874,17 @@ +@@ -5517,12 +5892,48 @@ ## ## # 
@@ -34648,60 +34747,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $1 user_ttynode:chr_file rw_term_perms; + manage_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to use unprivileged --## user ttys. ++') ++ ++######################################## ++## +## Write all unprivileged users lnk_files in /tmp - ## - ## - ## -@@ -5536,17 +5892,17 @@ - ## - ## - # --interface(`userdom_dontaudit_use_unpriv_users_ttys',` -+interface(`userdom_manage_unpriv_users_tmp_symlinks',` - gen_require(` -- attribute user_ttynode; -+ type user_tmp_t; - ') - -- dontaudit $1 user_ttynode:chr_file rw_file_perms; -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Read and write unprivileged user ttys. - ## - ## - ## -@@ -5554,19 +5910,56 @@ - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_use_unpriv_users_ttys',` - gen_require(` -- attribute userdomain; -+ attribute user_ttynode; - ') - -- read_files_pattern($1,userdomain,userdomain) -- kernel_search_proc($1) -+ allow $1 user_ttynode:chr_file rw_term_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. --## -+## Do not audit attempts to use unprivileged -+## user ttys. +## +## +## 
@@ -34709,17 +34759,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaudit_use_unpriv_users_ttys',` ++interface(`userdom_manage_unpriv_users_tmp_symlinks',` + gen_require(` -+ attribute user_ttynode; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_ttynode:chr_file rw_file_perms; ++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## -+## Read the process state of all user domains. ++## Read and write unprivileged user ttys. +## +## +## @@ -34727,23 +34777,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_use_unpriv_users_ttys',` + gen_require(` -+ attribute userdomain; ++ attribute user_ttynode; + ') + ++ allow $1 user_ttynode:chr_file rw_term_perms; + ') + + ######################################## +@@ -5559,7 +5970,7 @@ + attribute userdomain; + ') + +- read_files_pattern($1,userdomain,userdomain) + ps_process_pattern($1,userdomain) -+ kernel_search_proc($1) -+') -+ -+######################################## -+## -+## Get the attributes of all user domains. -+## - ## - ## - ## Domain allowed access. -@@ -5674,6 +6067,42 @@ + kernel_search_proc($1) + ') + +@@ -5674,6 +6085,42 @@ ######################################## ## @@ -34786,7 +34838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6133,408 @@ +@@ -5704,3 +6151,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a8fab7c..2c44272 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 45%{?dist} +Release: 48%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -288,9 +288,9 @@ SELinux Reference policy targeted base module. %post targeted if [ $1 -eq 1 ]; then %loadpolicy targeted -semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null -semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null -semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null +semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u +semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ +semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root semanage user -a -S targeted -P user -R guest_r guest_u semanage user -a -S targeted -P user -R xguest_r xguest_u restorecon -R /root /var/log /var/run 2> /dev/null @@ -385,6 +385,15 @@ exit 0 %endif %changelog +* Wed May 7 2008 Dan Walsh 3.3.1-48 +- Allow amanada to create data files + +* Wed May 7 2008 Dan Walsh 3.3.1-47 +- Fix initial install, semanage setup + +* Tue May 6 2008 Dan Walsh 3.3.1-46 +- Allow system_r for httpd_unconfined_script_t + * Wed Apr 30 2008 Dan Walsh 3.3.1-45 - Remove dmesg boolean - Allow user domains to read/write game data