diff --git a/policy-20080710.patch b/policy-20080710.patch index e90cb7a..d3da088 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -557,8 +557,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-14 11:58:10.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-28 10:56:19.000000000 -0400 -@@ -149,6 +149,10 @@ ++++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-29 09:05:23.000000000 -0400 +@@ -130,6 +130,8 @@ + files_read_etc_files(ping_t) + files_dontaudit_search_var(ping_t) + ++kernel_read_system_state(ping_t) ++ + auth_use_nsswitch(ping_t) + + libs_use_ld_so(ping_t) +@@ -149,6 +151,10 @@ ') optional_policy(` 
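Review bot: The new `kernel_read_system_state(ping_t)` line in the netutils.te hunk grants ping_t read access to the generic /proc system state, which is much wider than a ping binary plausibly needs, and the hunk records nothing about which denial motivated it. If the AVC was for /proc/net or /proc/sys/net, the narrower `kernel_read_network_state(ping_t)` or a sysctl-read interface would cover it without exposing the rest of /proc. ping is normally setuid or carries net_raw, so every extra read path it gains is reachable from any user who can run it. A one-line comment naming the /proc path that was denied, e.g. `# ping reads /proc/... — confirm the exact file`, would make the grant auditable; the rest of the ping_t policy continues outside this hunk.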
@@ -6192,6 +6201,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-29 11:09:14.000000000 -0400 +@@ -1441,10 +1441,11 @@ + # + interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind; + ') + + ######################################## +@@ -1459,10 +1460,11 @@ + # + interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-28 10:56:19.000000000 -0400 
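Review bot: Replacing `-reserved_port_type` with `-hi_reserved_port_t -reserved_port_t` in both `corenet_tcp_bind_all_unreserved_ports` and `corenet_udp_bind_all_unreserved_ports` widens what those interfaces grant: the attribute covered every type tagged as reserved, while the new form subtracts only the two generic range types, so any named port type that carries `reserved_port_type` (upstream assigns it to per-service types for ports below 1024) is no longer excluded and callers gain name_bind on those privileged ports. If the intent is only to keep the generic reserved ranges out, the attribute form already does that; keep `attribute port_type, reserved_port_type;` and `allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;` (and the udp_socket twin). This is only safe as written if `reserved_port_type` is being dropped or redefined in a part of the patch not shown here, in which case a comment above the interface should say so.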
@@ -7495,7 +7535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-29 08:25:22.000000000 -0400 @@ -535,6 +535,24 @@ ######################################## @@ -8816,7 +8856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-28 11:25:32.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-29 12:00:43.000000000 -0400 @@ -15,7 +14,7 @@ role sysadm_r; @@ -8826,6 +8866,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) +@@ -109,9 +108,9 @@ + consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + ') + +-optional_policy(` +- cron_admin_template(sysadm) +-') ++#optional_policy(` ++# cron_admin_template(sysadm) ++#') + + optional_policy(` + cvs_exec(sysadm_t) @@ -171,6 +170,10 @@ ') 
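Review bot: The sysadm.te hunk comments out `cron_admin_template(sysadm)` instead of removing it, leaving dead code with no note on why, or where sysadm_r's ability to manage other users' crontabs now comes from. Delete the three `#optional_policy(\`` / `#	cron_admin_template(sysadm)` / `#')` lines, or if the removal is provisional replace them with a single comment `# cron_admin_template(sysadm) dropped: <reason / replacement>`. Without that, sysadm_r silently loses crontab administration unless it is granted elsewhere in the patch, which is not visible in this hunk.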
@@ -10666,7 +10719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-29 08:27:18.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10898,7 +10951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -370,20 +440,45 @@ +@@ -370,20 +440,54 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -10935,6 +10988,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + miscfiles_manage_public_files(httpd_sys_script_t) +') + ++tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` ++ fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ++') ++ ++tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` ++ fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ++') ++ ++ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) @@ -10945,7 +11007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -394,11 +489,12 @@ +@@ -394,11 +498,12 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -10961,7 +11023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') -@@ -408,6 +504,11 @@ +@@ -408,6 +513,11 @@ fs_read_cifs_symlinks(httpd_t) ') 
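Review bot: The added `fs_nfs_domtrans(httpd_t, httpd_sys_script_t)` and `fs_cifs_domtrans(httpd_t, httpd_sys_script_t)` blocks let httpd_t execute any file on an NFS or CIFS mount as httpd_sys_script_t, because everything on those mounts carries the single nfs_t/cifs_t type and there is no script-versus-content distinction as there is between httpd_sys_content_t and httpd_sys_script_exec_t. Since `httpd_use_nfs`/`httpd_use_cifs` already grant read access for content, an upload directory on such a share becomes a CGI execution path as soon as `httpd_enable_cgi` is on, which is a different risk from what those booleans advertise. Consider gating the transition on its own boolean rather than reusing the content booleans, and in any case state the consequence in the tunable's description, e.g. `## Allow httpd to run any file on NFS/CIFS shares as a CGI script`. The httpd_t policy continues outside this hunk.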
@@ -10973,7 +11035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +542,13 @@ +@@ -441,8 +551,13 @@ ') optional_policy(` @@ -10989,7 +11051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,18 +560,13 @@ +@@ -454,18 +569,13 @@ ') optional_policy(` @@ -11009,7 +11071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -475,6 +576,12 @@ +@@ -475,6 +585,12 @@ openca_kill(httpd_t) ') @@ -11022,7 +11084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +589,7 @@ +@@ -482,6 +598,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -11030,7 +11092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -490,6 +598,7 @@ +@@ -490,6 +607,7 @@ ') optional_policy(` @@ -11038,7 +11100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +628,28 @@ +@@ -519,9 +637,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -11067,7 +11129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +679,27 @@ +@@ -551,22 +688,27 @@ fs_search_auto_mountpoints(httpd_php_t) 
@@ -11101,7 +11163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,12 +717,14 @@ +@@ -584,12 +726,14 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -11117,7 +11179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +733,7 @@ +@@ -598,9 +742,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -11128,7 +11190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +766,25 @@ +@@ -633,12 +775,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -11157,7 +11219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +793,12 @@ +@@ -647,6 +802,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -11170,7 +11232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,20 +816,20 @@ +@@ -664,20 +825,20 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11196,7 +11258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +843,15 @@ +@@ -691,12 +852,15 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -11214,7 +11276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +859,30 @@ +@@ -704,6 +868,30 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11245,7 +11307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +895,10 @@ +@@ -716,10 +904,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11260,7 +11322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +906,8 @@ +@@ -727,6 +915,8 @@ # httpd_rotatelogs local policy # @@ -11269,7 +11331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +922,66 @@ +@@ -741,3 +931,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -12503,7 +12565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-29 11:57:59.000000000 -0400 @@ -35,39 +35,24 @@ # template(`cron_per_role_template',` 
@@ -13762,7 +13824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-29 11:24:31.000000000 -0400 @@ -53,19 +53,19 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -13796,7 +13858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # For connecting to the bus - allow $2 $1_dbusd_t:unix_stream_socket connectto; - type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t; -+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto }; ++ allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto }; + allow $2 $1_dbusd_t:unix_dgram_socket getattr; + allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms; @@ -16571,7 +16633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 19:45:12.000000000 -0400 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) 
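Review bot: In the dbus.if hunk, `allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto };` gives the user domain far more than connecting to the session bus: rw_socket_perms also carries bind, setattr, setopt, shutdown and ioctl on the daemon's socket. If the extra access is for an inherited daemon socket fd that the client only reads and writes, `allow $2 $1_dbusd_t:unix_stream_socket { read write getattr connectto };` is enough, and it avoids letting any bus client shutdown or reconfigure the daemon's listening socket. The neighbouring `allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;` has the same shape and is worth trimming to the permissions the denials actually showed; the template continues outside this hunk.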
@@ -16637,7 +16699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(munin_t) domain_use_interactive_fds(munin_t) -+domain_dontaudit_read_all_domains_state(munin_t) ++domain_read_all_domains_state(munin_t) files_read_etc_files(munin_t) files_read_etc_runtime_files(munin_t) @@ -19584,7 +19646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-29 10:47:55.000000000 -0400 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) @@ -19669,7 +19731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(pptp_t) sysnet_read_config(pptp_t) -+sysnet_exec_ifconfig(pppd_t) ++sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) @@ -29047,7 +29109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-29 09:04:33.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; 
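Review bot: Swapping `domain_dontaudit_read_all_domains_state(munin_t)` for `domain_read_all_domains_state(munin_t)` turns a silenced denial into a grant: munin_t may now read the /proc/<pid> state of every domain, which includes cmdline, environ and maps of processes such as sshd or database servers, and munin-node usually runs as root so DAC will not limit it. If the plugins only need process counts or memory totals, `kernel_read_system_state(munin_t)` together with `domain_getattr_all_domains(munin_t)` may be sufficient. Otherwise add a comment recording which plugin needs full per-process state, e.g. `# processes/* plugins read /proc/<pid>/status of all domains`, so the exposure is deliberate rather than a blanket allow.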
@@ -30086,7 +30148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-28 12:38:58.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 11:53:44.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -30696,7 +30758,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -699,188 +672,206 @@ +@@ -686,10 +659,6 @@ + + userdom_exec_generic_pgms_template($1) + +- optional_policy(` +- userdom_xwindows_client_template($1) +- ') +- + ############################## + # + # User domain Local policy +@@ -699,188 +668,204 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -30786,10 +30859,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) + auth_read_login_records($1_usertype) -+ auth_search_pam_console_data($1_usertype) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ authlogin_per_role_template($1, $1_t, $1_r) - init_read_utmp($1_t) + init_read_utmp($1_usertype) 
@@ -30983,7 +31054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -902,9 +893,7 @@ +@@ -902,9 +887,7 @@ ## # template(`userdom_login_user_template', ` @@ -30994,7 +31065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_base_user_template($1) -@@ -930,74 +919,77 @@ +@@ -930,74 +913,77 @@ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; @@ -31105,7 +31176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1031,9 +1023,6 @@ +@@ -1031,9 +1017,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -31115,7 +31186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1031,25 @@ +@@ -1042,12 +1025,25 @@ # # privileged home directory writers @@ -31147,7 +31218,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1087,14 +1089,16 @@ +@@ -1079,7 +1075,9 @@ + + userdom_restricted_user_template($1) + ++ optional_policy(` + userdom_xwindows_client_template($1) ++ ') + + ############################## + # +@@ -1087,14 +1085,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) 
@@ -31169,23 +31250,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1106,19 @@ +@@ -1102,28 +1102,19 @@ selinux_get_enforce_mode($1_t) optional_policy(` - alsa_read_rw_config($1_t) -+ alsa_read_rw_config($1_usertype) - ') - - optional_policy(` +- ') +- +- optional_policy(` - dbus_per_role_template($1, $1_t, $1_r) - dbus_system_bus_client_template($1, $1_t) - - optional_policy(` - consolekit_dbus_chat($1_t) -- ') -- -- optional_policy(` ++ alsa_read_rw_config($1_usertype) + ') + + optional_policy(` - cups_dbus_chat($1_t) - ') + apache_per_role_template($1, $1_usertype, $1_r) @@ -31202,7 +31283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1129,7 @@ +@@ -1134,8 +1125,7 @@ ## ## ##

@@ -31212,17 +31293,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1157,8 +1151,8 @@ +@@ -1157,8 +1147,8 @@ # Declarations # -+ userdom_login_user_template($1) ++ userdom_restricted_xwindows_user_template($1) # Inherit rules for ordinary users. - userdom_restricted_user_template($1) userdom_common_user_template($1) ############################## -@@ -1167,11 +1161,10 @@ +@@ -1167,11 +1157,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -31235,7 +31316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1182,41 @@ +@@ -1189,36 +1178,41 @@ ') ') @@ -31290,7 +31371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1263,8 +1261,7 @@ +@@ -1263,8 +1257,7 @@ # # Inherit rules for ordinary users. @@ -31300,7 +31381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_t privhome; domain_obj_id_change_exemption($1_t) -@@ -1295,8 +1292,6 @@ +@@ -1295,8 +1288,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -31309,7 +31390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1313,6 @@ +@@ -1318,8 +1309,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -31318,7 +31399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1367,6 @@ +@@ -1374,13 +1363,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -31332,7 +31413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1418,7 @@ +@@ -1432,6 +1414,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31340,7 +31421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1448,6 @@ +@@ -1461,10 +1444,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -31351,7 +31432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1467,14 @@ +@@ -1484,6 +1463,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -31366,7 +31447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1732,15 @@ +@@ -1741,11 +1728,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -31385,7 +31466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1836,11 @@ +@@ -1841,11 +1832,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -31399,7 +31480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1870,11 @@ +@@ -1875,11 +1866,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -31413,7 +31494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1918,12 @@ +@@ -1923,12 +1914,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` 
@@ -31429,7 +31510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1953,11 @@ +@@ -1958,10 +1949,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -31443,7 +31524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1989,47 @@ +@@ -1993,11 +1985,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -31493,7 +31574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2061,10 @@ +@@ -2029,10 +2057,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -31506,7 +31587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2094,11 @@ +@@ -2062,11 +2090,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -31520,7 +31601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2128,11 @@ +@@ -2096,11 +2124,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -31535,7 +31616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2162,14 @@ +@@ -2130,10 +2158,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -31552,7 +31633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2199,11 @@ +@@ -2163,11 +2195,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` 
@@ -31566,7 +31647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2233,11 @@ +@@ -2197,11 +2229,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -31580,7 +31661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2267,10 @@ +@@ -2231,10 +2263,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -31593,7 +31674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2302,12 @@ +@@ -2266,12 +2298,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -31609,7 +31690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2339,10 @@ +@@ -2303,10 +2335,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -31622,7 +31703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2374,12 @@ +@@ -2338,12 +2370,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -31638,7 +31719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2411,12 @@ +@@ -2375,12 +2407,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -31654,7 +31735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2448,12 @@ +@@ -2412,12 +2444,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` 
@@ -31670,7 +31751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2498,11 @@ +@@ -2462,11 +2494,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -31684,7 +31765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2547,11 @@ +@@ -2511,11 +2543,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -31698,7 +31779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2591,11 @@ +@@ -2555,11 +2587,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -31712,7 +31793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2625,11 @@ +@@ -2589,11 +2621,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -31726,7 +31807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2659,11 @@ +@@ -2623,11 +2655,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -31740,7 +31821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2695,10 @@ +@@ -2659,10 +2691,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -31753,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2730,10 @@ +@@ -2694,10 +2726,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` 
@@ -31766,7 +31847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2763,12 @@ +@@ -2727,12 +2759,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -31782,7 +31863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2800,10 @@ +@@ -2764,10 +2796,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -31795,7 +31876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2835,10 @@ +@@ -2799,10 +2831,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -31808,7 +31889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2868,12 @@ +@@ -2832,12 +2864,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -31824,7 +31905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2905,10 @@ +@@ -2869,10 +2901,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -31837,7 +31918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2940,12 @@ +@@ -2904,12 +2936,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -31853,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2977,11 @@ +@@ -2941,11 +2973,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` 
@@ -31867,7 +31948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3013,11 @@ +@@ -2977,11 +3009,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -31881,7 +31962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3049,11 @@ +@@ -3013,11 +3045,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -31895,7 +31976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3085,11 @@ +@@ -3049,11 +3081,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -31909,7 +31990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3121,11 @@ +@@ -3085,11 +3117,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -31923,7 +32004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3170,10 @@ +@@ -3134,10 +3166,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -31936,7 +32017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3214,19 @@ +@@ -3178,19 +3210,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -31960,7 +32041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -3211,13 +3247,13 @@ +@@ -3211,13 +3243,13 @@ # template(`userdom_rw_user_tmpfs_files',` gen_require(` @@ -31978,7 +32059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4616,11 +4652,11 @@ +@@ -4616,11 +4648,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -31992,7 +32073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4676,14 @@ +@@ -4640,6 +4672,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -32007,7 +32088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4721,8 @@ +@@ -4677,6 +4717,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -32016,7 +32097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4767,25 @@ +@@ -4721,6 +4763,25 @@ ######################################## ##

@@ -32042,7 +32123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5011,7 @@ +@@ -4946,7 +5007,7 @@ ######################################## ## @@ -32051,7 +32132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,7 +5383,7 @@ +@@ -5318,7 +5379,7 @@ ######################################## ## @@ -32060,7 +32141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5326,18 +5391,17 @@ +@@ -5326,18 +5387,17 @@ ## ## # @@ -32083,7 +32164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5345,17 +5409,17 @@ +@@ -5345,17 +5405,17 @@ ## ## # @@ -32105,7 +32186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5363,18 +5427,18 @@ +@@ -5363,18 +5423,18 @@ ## ## # @@ -32129,18 +32210,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5382,12 +5446,49 @@ +@@ -5382,7 +5442,44 @@ ## ## # -interface(`userdom_getattr_all_users',` +interface(`userdom_dontaudit_use_unpriv_users_ttys',` - gen_require(` -- attribute userdomain; ++ gen_require(` + attribute user_ttynode; - ') - -- allow $1 userdomain:process getattr; ++ ') ++ + dontaudit $1 user_ttynode:chr_file rw_file_perms; +') + @@ -32174,15 +32253,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +# +interface(`userdom_getattr_all_users',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process getattr; - ') - - ######################################## -@@ -5483,6 +5584,42 @@ + gen_require(` + attribute userdomain; + ') +@@ -5483,6 +5580,42 @@ ######################################## ## 
@@ -32225,7 +32299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5650,548 @@ +@@ -5513,3 +5646,546 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -32593,9 +32667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +template(`userdom_admin_login_user_template',` + -+ userdom_login_user_template($1) -+ -+ allow $1_t self:capability sys_nice; ++ userdom_unpriv_user_template($1) + + domain_read_all_domains_state($1_t) + domain_getattr_all_domains($1_t)
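Review bot: In the last hunk, swapping `userdom_login_user_template($1)` plus the explicit `allow $1_t self:capability sys_nice;` for `userdom_unpriv_user_template($1)` inside `userdom_admin_login_user_template` changes the admin login domain's base allow set in two directions at once, and nothing in the hunk records why. The unprivileged-user template is not visible here: if it is a superset of the login template, every allowance it carries now applies to admin login domains, and if it does not itself grant `sys_nice`, that capability is silently dropped for callers that relied on it (renice-style operations would start producing AVC denials). A one-line comment above the call would make the intent reviewable, e.g. `# built on userdom_unpriv_user_template: admin login domains inherit its full allow set; sys_nice is no longer granted explicitly here`. The template body continues past the end of the hunk, so any compensating rules further down are outside this review.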