diff --git a/policy-20070703.patch b/policy-20070703.patch index d9d3e50c..50ed3ca8 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3164,7 +3164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 07:16:31.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 22:22:33.000000000 -0400 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -3409,7 +3409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## ## ## -@@ -1013,46 +1047,143 @@ +@@ -1013,46 +1047,141 @@ ## ## # @@ -3554,8 +3554,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + # Allow $1 to restart the apache service + apache_script_domtrans($1) + domain_system_change_exemption($1) -+ domain_role_change_exemption($1) -+ domain_obj_id_change_exemption($1) + role_transition $2 httpd_script_exec_t system_r; + allow $2 system_r; + 
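Review bot: Dropping `domain_role_change_exemption($1)` and `domain_obj_id_change_exemption($1)` while keeping `role_transition $2 httpd_script_exec_t system_r` presumably relies on `domain_system_change_exemption($1)` alone to satisfy the process-transition constraint for a role change into system_r; that is a narrower grant and looks correct, but nothing in the interface records why the broader exemptions are no longer needed. A one-line comment above the remaining call, `# system change exemption suffices: the only role change here is into system_r`, would stop a later maintainer from re-adding them. The same narrowing is applied to mysql.if, postgresql.if and logging.if further down in this diff. The enclosing interface definition starts and ends outside this hunk, and the inner hunk header line count (143 to 141) matches the two removed lines.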
@@ -6184,8 +6182,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-04 16:56:14.000000000 -0400 -@@ -157,3 +157,80 @@ ++++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-05 22:11:26.000000000 -0400 +@@ -157,3 +157,79 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; ') @@ -6241,13 +6239,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + type mysqld_script_exec_t; + ') + -+ allow $1 mysqld_t:process { ptrace signal_perms }; ++ allow $1 mysqld_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, mysqld_t, mysqld_t) + + # Allow $1 to restart the apache service + mysql_script_domtrans($1) -+ domain_role_change_exemption($1) + domain_system_change_exemption($1) -+ domain_obj_id_change_exemption($1) + role_transition $2 mysqld_script_exec_t system_r; + allow $2 system_r; + 
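Review bot: The new `getattr` and `read_files_pattern($1, mysqld_t, mysqld_t)` read as a ps/status enablement for the admin domain, but they are added to a rule that still grants `ptrace` on mysqld_t, and ptrace lets $1 alter the daemon's memory rather than merely inspect it; if the intent is status and restart, `allow $1 mysqld_t:process { signal_perms getattr };` plus the read pattern is the least-privilege form, and ptrace deserves its own line with a comment stating why an admin role needs it. The comment `# Allow $1 to restart the apache service` in this mysql interface is copied from apache.if and should read `# Allow $1 to restart the mysql service`. The same rule shape and the same stale comment appear in the postgresql.if hunk and in both logging.if hunks below. The enclosing interface starts and ends outside this hunk.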
@@ -7324,8 +7321,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 15:13:11.000000000 -0400 -@@ -113,3 +113,78 @@ ++++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 22:13:10.000000000 -0400 +@@ -113,3 +113,77 @@ # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; ') @@ -7379,13 +7376,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postgresql_log_t; + ') + -+ allow $1 postgresql_t:process { ptrace signal_perms }; ++ allow $1 postgresql_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, postgresql_t, postgresql_t) + + # Allow $1 to restart the apache service + postgresql_script_domtrans($1) + domain_system_change_exemption($1) -+ domain_role_change_exemption($1) -+ domain_obj_id_change_exemption($1) + role_transition $2 postgresql_script_exec_t system_r; + allow $2 system_r; + @@ -10347,7 +10343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-08-22 07:14:12.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-04 12:01:50.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-05 22:21:18.000000000 -0400 @@ -10,6 +10,20 @@ # Declarations # 
@@ -10418,7 +10414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -@@ -496,6 +511,39 @@ +@@ -496,6 +511,43 @@ ') optional_policy(` @@ -10449,8 +10445,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + + tunable_policy(`allow_daemons_use_tty',` + unconfined_use_terminals(daemon) ++ term_use_all_user_ttys(daemon) ++ term_use_all_user_ptys(daemon) + ', ` + unconfined_dontaudit_use_terminals(daemon) ++ term_dontaudit_use_all_user_ttys(daemon) ++ term_dontaudit_use_all_user_ptys(daemon) + ') +') + @@ -10458,7 +10458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) ') -@@ -631,12 +679,6 @@ +@@ -631,12 +683,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -10471,7 +10471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -702,6 +744,9 @@ +@@ -702,6 +748,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -10720,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-04 17:01:26.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-05 22:22:05.000000000 -0400 @@ -33,8 +33,13 @@ ## # 
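Review bot: `term_use_all_user_ttys(daemon)` and `term_use_all_user_ptys(daemon)` are keyed on the `daemon` attribute, so switching on `allow_daemons_use_tty` now lets every daemon domain open any user's tty or pty, not only the unconfined terminals the tunable already covered; that widens what the boolean means, and the tunable's description (outside this hunk) should say so. If only a few daemons need a user terminal, granting it per domain under the same tunable would keep the scope narrow; keeping the boolean off by default is the mitigation either way. The other hunks in this section only renumber inner hunk headers.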
@@ -11014,12 +11014,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + type auditd_var_run_t; + ') + -+ allow $1 auditd_t:process { ptrace signal_perms }; ++ allow $1 auditd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, auditd_t, auditd_t) ++ + # Allow $1 to restart the apache service + audit_script_domtrans($1) -+ domain_role_change_exemption($1) + domain_system_change_exemption($1) -+ domain_obj_id_change_exemption($1) + role_transition $2 audit_script_exec_t system_r; + allow $2 system_r; + @@ -11068,14 +11068,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + type var_log_t; + ') + -+ allow $1 syslogd_t:process { ptrace signal_perms }; -+ allow $1 klogd_t:process { ptrace signal_perms }; ++ allow $1 syslogd_t:process { ptrace signal_perms getattr }; ++ allow $1 klogd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, syslogd_t, syslogd_t) ++ read_files_pattern($1, klogd_t, klogd_t) + + # Allow $1 to restart the apache service + syslog_script_domtrans($1) -+ domain_role_change_exemption($1) + domain_system_change_exemption($1) -+ domain_obj_id_change_exemption($1) + role_transition $2 syslog_script_exec_t system_r; + allow $2 system_r; + 
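Review bot: The audit admin interface keeps `ptrace` on auditd_t next to the newly added `getattr` and `read_files_pattern($1, auditd_t, auditd_t)`; for the audit daemon in particular, ptrace lets the admin domain change the logging process in memory without that action producing an audit record, which weakens the separation an audit-admin role is meant to provide. Consider `allow $1 auditd_t:process { signal_perms getattr };` here and, if live debugging of auditd is genuinely required, a separate, explicitly documented interface for it. The syslog hunk in this same section has the same shape for syslogd_t and klogd_t, and both hunks still carry the copied comment `# Allow $1 to restart the apache service`. The enclosing interfaces start and end outside the hunks.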
@@ -12585,7 +12585,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-04 16:56:00.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-05 22:07:53.000000000 -0400 +@@ -45,7 +45,7 @@ + type $1_tty_device_t; + term_user_tty($1_t,$1_tty_device_t) + +- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession }; ++ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; + allow $1_t self:fd use; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -14025,7 +14034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +## Policy for webadm user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-08-31 15:27:24.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-09-05 21:49:04.000000000 -0400 @@ -0,0 +1,42 @@ +policy_module(webadm,1.0.0) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 58e300a9..a3ee0a10 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -194,8 +194,8 @@ make clean
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs n y
-%installCmds targeted mcs n y
+%setupCmds targeted mcs y y
+%installCmds targeted mcs y y
 %endif
 
 %if %{BUILD_MLS}
@@ -207,8 +207,8 @@ make clean
 %if %{BUILD_OLPC}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds olpc mcs n y
-%installCmds olpc mcs n y
+%setupCmds olpc mcs y y
+%installCmds olpc mcs y y
 %endif
 
 make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
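Review bot: The lines `%setupCmds targeted mcs y y` and `%installCmds targeted mcs y y` now sit directly under `# Commented out because only targeted ref policy currently builds`, a comment describing a state that is no longer true; it should be removed or replaced by one naming what the third argument enables. The macro definitions are outside this diff, so the effect of flipping that argument from `n` to `y` for targeted and olpc cannot be checked here; a changelog entry naming the option would make the change reviewable. The BUILD_MLS block between the two hunks is not shown, so whether it received the same flip cannot be told from here.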