diff --git a/policy-20070703.patch b/policy-20070703.patch
index 3e8ac57..853a0b9 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -12734,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-07 15:05:57.000000000 -0400
 @@ -45,7 +45,7 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
@@ -13106,7 +13106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -954,21 +881,162 @@
+@@ -954,21 +881,163 @@
  ##	</summary>
  ## </param>
  #
@@ -13166,6 +13166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	dontaudit $1_t self:capability { sys_nice fsetid };
 +
 +	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
++	dontaudit $1_t self:process setrlimit;
 +	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 +
 +	allow $1_t self:context contains;
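Review bot: The added `dontaudit $1_t self:process setrlimit;` has no comment naming the program whose denials it is meant to quiet, and it applies to every domain instantiated from this template rather than to one caller. The `allow $1_t self:process ~{ ... setrlimit ... }` line just above already withholds `setrlimit`, so enforcement is unchanged, but a process in these user domains that tries to change its resource limits will now be refused without an AVC record unless dontaudit rules are disabled, which removes a signal from audit-based triage. I would put a comment above the rule, for example `# setrlimit stays denied by the allow above; silence the AVC noise from <program named in the bug report>`, and if the noise comes from a single program, consider scoping the rule to that program's domain instead of `$1_t`. The enclosing template starts and ends outside this hunk, so which template receives the rule cannot be confirmed from here.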
@@ -13275,7 +13276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1045,51 @@
+@@ -977,23 +1046,51 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -13338,7 +13339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1125,7 @@
+@@ -1029,15 +1126,7 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -13355,7 +13356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -1054,17 +1142,6 @@
+@@ -1054,17 +1143,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -13373,7 +13374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1102,6 +1179,8 @@
+@@ -1102,6 +1180,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -13382,7 +13383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1206,7 @@
+@@ -1127,7 +1207,7 @@
  	# $1_t local policy
  	#
  
@@ -13391,7 +13392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,7 +1218,11 @@
+@@ -1139,7 +1219,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -13404,7 +13405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1856,17 +1939,53 @@
+@@ -1856,17 +1940,53 @@
  ##	</summary>
  ## </param>
  #
@@ -13462,7 +13463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	in a user home subdirectory.
  ## </summary>
  ## <desc>
-@@ -1891,13 +2010,12 @@
+@@ -1891,13 +2011,12 @@
  ##	</summary>
  ## </param>
  #
@@ -13479,7 +13480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3078,7 +3196,7 @@
+@@ -3078,7 +3197,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -13488,7 +13489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4733,24 @@
+@@ -4615,6 +4734,24 @@
  	files_list_home($1)
  	allow $1 home_dir_type:dir search_dir_perms;
  ')
@@ -13513,7 +13514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  ########################################
  ## <summary>
-@@ -5323,7 +5459,7 @@
+@@ -5323,7 +5460,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -13522,7 +13523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5559,3 +5695,299 @@
+@@ -5559,3 +5696,299 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')