diff --git a/policy-20080710.patch b/policy-20080710.patch index a2442b68..8a162d7f 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -337,6 +337,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +gen_tunable(allow_console_login,false) + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.1/policy/modules/admin/alsa.te +--- nsaserefpolicy/policy/modules/admin/alsa.te 2008-07-10 11:38:46.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/admin/alsa.te 2008-07-25 06:59:42.000000000 -0400 +@@ -51,6 +51,8 @@ + + auth_use_nsswitch(alsa_t) + ++init_use_fds(alsa_t) ++ + libs_use_ld_so(alsa_t) + libs_use_shared_libs(alsa_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.5.1/policy/modules/admin/amanda.fc --- nsaserefpolicy/policy/modules/admin/amanda.fc 2008-06-12 23:25:08.000000000 -0400 +++ serefpolicy-3.5.1/policy/modules/admin/amanda.fc 2008-07-24 06:54:04.000000000 -0400 @@ -650,7 +662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.1/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/logrotate.te 2008-07-24 06:54:04.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/admin/logrotate.te 2008-07-25 06:42:53.000000000 -0400 @@ -71,6 +71,7 @@ fs_search_auto_mountpoints(logrotate_t) 
@@ -671,6 +683,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota # cjp: why is this needed? init_domtrans_script(logrotate_t) +@@ -140,9 +143,8 @@ + ') + + optional_policy(` +- apache_read_config(logrotate_t) +- apache_domtrans(logrotate_t) + apache_signull(logrotate_t) ++ apache_manage_all_content(logrotate_t) + ') + + optional_policy(` +@@ -184,6 +186,5 @@ + ') + + optional_policy(` +- # cjp: why? +- squid_domtrans(logrotate_t) ++ squid_signal(logrotate_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.1/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-07-10 11:38:46.000000000 -0400 +++ serefpolicy-3.5.1/policy/modules/admin/logwatch.te 2008-07-24 08:00:57.000000000 -0400 @@ -9734,7 +9765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apache.if 2008-07-24 06:54:04.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/apache.if 2008-07-25 06:30:35.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -10358,7 +10389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/apache.te 2008-07-24 06:54:04.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/apache.te 2008-07-25 07:41:00.000000000 -0400 
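Review bot: `apache_manage_all_content(logrotate_t)` in the inner `@@ -140,9 +143,8 @@` hunk grants logrotate create, write and delete rights over every httpd content type, which is far broader than rotating web server logs needs and means a compromised logrotate run could alter served content or CGI scripts. The two interfaces it replaces (`apache_read_config`, `apache_domtrans`) were narrower, and the `apache_signull(logrotate_t)` line that stays already covers the post-rotate reload. If the motivating denial was only on httpd log files, a log-specific interface would be preferable; otherwise a comment such as `# logs live under web content dirs; manage rights on all content are required` stating why this breadth is needed would help the next reviewer. The `squid_signal(logrotate_t)` replacement in the `@@ -184,6 +186,5 @@` hunk is the right direction, since a signal permission is much less than a domain transition, though it depends on the `squid_signal` interface added to squid.if in this same commit.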
@@ -20,6 +20,8 @@ # Declarations # @@ -10579,14 +10610,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') ++ ++tunable_policy(`allow_httpd_sys_script_anon_write',` ++ miscfiles_manage_public_files(httpd_sys_script_t) ++') - manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent) - manage_files_pattern(httpd_t,httpdcontent,httpdcontent) - manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent) -+tunable_policy(`allow_httpd_sys_script_anon_write',` -+ miscfiles_manage_public_files(httpd_sys_script_t) -+') -+ +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) @@ -10660,27 +10691,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -476,14 +559,15 @@ +@@ -476,6 +559,12 @@ openca_kill(httpd_t) ') -+tunable_policy(`httpd_can_network_connect_db',` -+ postgresql_tcp_connect(httpd_t) -+ postgresql_tcp_connect(httpd_sys_script_t) -+') ++tunable_policy(`httpd_execmem',` ++ allow httpd_t self:process { execmem execstack }; ++ allow httpd_sys_script_t self:process { execmem execstack }; ++ allow httpd_suexec_t self:process { execmem execstack }; ++') + optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) -- -- tunable_policy(`httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_t) -- ') +@@ -483,6 +572,7 @@ + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) ++ postgresql_tcp_connect(httpd_sys_script_t) + ') ') - optional_policy(` -@@ -491,6 +575,7 @@ +@@ -491,6 +581,7 @@ ') optional_policy(` 
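Review bot: The new `httpd_execmem` tunable in the `+@@ -476,6 +559,12 @@` hunk grants `execstack` together with `execmem` to httpd_t, httpd_sys_script_t and httpd_suexec_t in one switch, so an administrator who only needs writable-executable memory for a JIT also gives up the non-executable stack protection for CGI scripts and suexec. Consider limiting the boolean to `allow httpd_t self:process execmem;` (and likewise for the other two domains) and adding `execstack` only if a concrete denial shows it is required, or at least stating in the boolean's description that both are enabled. The matching `gen_tunable(httpd_execmem, ...)` declaration is not in this hunk; presumably it is in the Declarations hunk earlier in this file section, but confirm it exists or the module will not build. Moving `postgresql_tcp_connect(httpd_sys_script_t)` back inside the postgresql `optional_policy` block is correct, since calling another module's interface outside `optional_policy` would make apache hard-depend on postgresql.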
@@ -10688,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -520,9 +605,28 @@ +@@ -520,9 +611,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -10717,7 +10749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -552,22 +656,27 @@ +@@ -552,22 +662,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10751,7 +10783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -591,6 +700,8 @@ +@@ -591,6 +706,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -10760,7 +10792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -599,9 +710,7 @@ +@@ -599,9 +716,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -10771,7 +10803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -634,12 +743,21 @@ +@@ -634,12 +749,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10796,7 +10828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -648,6 +766,12 @@ +@@ -648,6 +772,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
@@ -10809,7 +10841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -665,10 +789,6 @@ +@@ -665,10 +795,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -10820,7 +10852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -678,7 +798,8 @@ +@@ -678,7 +804,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -10830,7 +10862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -692,19 +813,44 @@ +@@ -692,19 +819,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10878,7 +10910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -717,10 +863,10 @@ +@@ -717,10 +869,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -10893,7 +10925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,6 +874,8 @@ +@@ -728,6 +880,8 @@ # httpd_rotatelogs local policy # @@ -10902,7 +10934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -742,3 +890,48 @@ +@@ -742,3 +896,48 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -17982,7 +18014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.1/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mailman.te 2008-07-24 06:54:04.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/mailman.te 2008-07-25 07:31:24.000000000 -0400 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -24354,7 +24386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.1/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/sendmail.te 2008-07-24 06:54:04.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/sendmail.te 2008-07-25 07:31:50.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -24383,7 +24415,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) -@@ -69,19 +74,23 @@ +@@ -64,24 +69,29 @@ + + fs_getattr_all_fs(sendmail_t) + fs_search_auto_mountpoints(sendmail_t) ++fs_rw_anon_inodefs_files(sendmail_t) + + term_dontaudit_use_console(sendmail_t) # for piping mail to a command corecmd_exec_shell(sendmail_t) @@ -24407,7 +24445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send auth_use_nsswitch(sendmail_t) -@@ -91,27 +100,46 @@ +@@ -91,27 +101,46 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) 
@@ -24456,7 +24494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) -@@ -119,6 +147,7 @@ +@@ -119,6 +148,7 @@ optional_policy(` procmail_domtrans(sendmail_t) @@ -24464,7 +24502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -126,24 +155,25 @@ +@@ -126,24 +156,25 @@ ') optional_policy(` @@ -26243,8 +26281,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.1/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/squid.if 2008-07-24 06:54:04.000000000 -0400 -@@ -131,3 +131,95 @@ ++++ serefpolicy-3.5.1/policy/modules/services/squid.if 2008-07-25 06:35:25.000000000 -0400 +@@ -131,3 +131,114 @@ interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -26340,6 +26378,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + files_list_pids($1) + manage_all_pattern($1,squid_var_run_t) +') ++ ++######################################## ++## ++## Send a signal to squid. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`squid_signal',` ++ gen_require(` ++ type squid_t; ++ ') ++ ++ allow $1 squid_t:process signal; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.1/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2008-07-10 11:38:46.000000000 -0400 +++ serefpolicy-3.5.1/policy/modules/services/squid.te 2008-07-24 06:54:04.000000000 -0400 
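Review bot: The header comment of the new `squid_signal` interface as shown contains only bare `##` lines with no `<summary>`/`<param name="domain">` markup; if that is not an artifact of this rendering, the interface will be missing from the generated interface documentation and should be brought into line with the neighbouring interfaces in squid.if. The trailing `++` after the closing `+')` leaves an extra blank line at the end of squid.if. The access itself, `allow $1 squid_t:process signal;`, is suitably narrow for the logrotate caller introduced elsewhere in this commit, and the inner header change to `+@@ -131,3 +131,114 @@` matches the 19 lines added.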
@@ -31127,7 +31184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi # /opt diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.5.1/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2008-06-12 23:25:07.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/modutils.if 2008-07-24 06:54:04.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/system/modutils.if 2008-07-25 07:26:20.000000000 -0400 @@ -66,6 +66,25 @@ ######################################## @@ -31154,6 +31211,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## Unconditionally execute insmod in the insmod domain. ## ## +@@ -275,6 +294,7 @@ + modutils_domtrans_update_mods($1) + role $2 types update_modules_t; + allow update_modules_t $3:chr_file rw_term_perms; ++ modutils_run_insmod(update_modules_t, $2, $3) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.1/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-07-10 11:38:46.000000000 -0400 +++ serefpolicy-3.5.1/policy/modules/system/modutils.te 2008-07-24 06:54:04.000000000 -0400
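Review bot: Adding `modutils_run_insmod(update_modules_t, $2, $3)` inside what appears to be `modutils_run_update_mods` (its signature is outside the hunk) means every role that may run update-modules now also has insmod_t in its role set, i.e. the ability to load kernel modules, rather than only update_modules_t. If that is intended because update-modules invokes modprobe, a comment such as `# update-modules invokes modprobe; callers get insmod_t in their role` would document the widened role grant, and existing callers of this interface should be checked for whether they expect it. The renumbered inner header `+@@ -275,6 +294,7 @@` is consistent with the 19 lines inserted by the earlier `@@ -66,6 +66,25 @@` hunk in this file.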