diff --git a/policy-20071130.patch b/policy-20071130.patch
index df3f36c..694fcff 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -13893,18 +13893,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.2.5/policy/modules/services/oddjob.fc +--- nsaserefpolicy/policy/modules/services/oddjob.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/oddjob.fc 2008-01-31 15:22:43.000000000 -0500 +@@ -1,4 +1,4 @@ +-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + + /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.2.5/policy/modules/services/oddjob.if +--- nsaserefpolicy/policy/modules/services/oddjob.if 2007-01-02 12:57:43.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/oddjob.if 2008-01-31 15:49:10.000000000 -0500 +@@ -44,6 +44,7 @@ + ') + + domtrans_pattern(oddjob_t, $2, $1) ++ domain_user_exemption_target($1) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-18 12:40:46.000000000 -0500 -@@ -15,6 +15,7 @@ ++++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-31 15:44:28.000000000 -0500 +@@ -10,14 +10,20 @@ + type oddjob_exec_t; + domain_type(oddjob_t) + init_daemon_domain(oddjob_t, oddjob_exec_t) ++domain_obj_id_change_exemption(oddjob_t) + domain_subj_id_change_exemption(oddjob_t) + type oddjob_mkhomedir_t; type 
oddjob_mkhomedir_exec_t; domain_type(oddjob_mkhomedir_t) +-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +domain_obj_id_change_exemption(oddjob_mkhomedir_t) - init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) ++init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -@@ -68,20 +69,38 @@ ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(oddjob_t,oddjob_exec_t,s0 - mcs_systemhigh) ++') ++ + # pid files + type oddjob_var_run_t; + files_pid_file(oddjob_var_run_t) +@@ -68,20 +74,38 @@ # oddjob_mkhomedir local policy # @@ -21350,7 +21384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-31 13:43:36.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-31 15:15:50.000000000 -0500 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -21396,7 +21430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers -@@ -221,11 +237,35 @@ +@@ -221,11 +237,36 @@ logging_send_audit_msgs($1) logging_send_syslog_msg($1) @@ -21414,6 +21448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + dbus_system_bus_client_template(notused, $1) + optional_policy(` + oddjob_dbus_chat($1) ++ oddjob_domtrans_mkhomedir($1) + ') + ') + 
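Review bot: The added `domain_obj_id_change_exemption(oddjob_t)` in oddjob.te exempts the long-running oddjobd domain from the object identity-change constraint, and nothing in the hunk says why the daemon needs this when `oddjob_mkhomedir_t` already carries the same exemption. If only the helper creates and labels home directories, the daemon line looks droppable; if it stays, a comment above it along the lines of `# oddjobd itself changes the SELinux user on <objects> because <reason>` (placeholders to fill in) would make it auditable. Likewise, `domain_user_exemption_target($1)` in oddjob.if sits in an interface whose header is outside the hunk, so it presumably applies to every domain passed to that interface rather than to mkhomedir alone, which is worth confirming. The switch of the helper from `init_daemon_domain` to `init_system_domain` and the new `init_ranged_daemon_domain(oddjob_t,oddjob_exec_t,s0 - mcs_systemhigh)` would also benefit from a short comment stating the intended MCS range.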
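Review bot: `oddjob_domtrans_mkhomedir($1)` is added in authlogin.if directly beside `oddjob_dbus_chat($1)`, with no comment explaining why callers must execute the helper themselves as well as asking oddjobd over D-Bus. The enclosing interface begins outside the hunk, so the set of domains it expands into is not visible here. If it is a shared login-program interface, each of those domains gains a transition into `oddjob_mkhomedir_t`, a domain the patch exempts from the object identity-change constraint via `domain_obj_id_change_exemption(oddjob_mkhomedir_t)`. I would add a one-line comment above the call naming the consumer that needs the direct transition, and confirm whether it can be limited to the domains that actually run the helper rather than to every caller of the interface.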
@@ -21433,7 +21468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -342,6 +382,8 @@ +@@ -342,6 +383,8 @@ optional_policy(` kerberos_use($1) @@ -21442,7 +21477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -356,6 +398,28 @@ +@@ -356,6 +399,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -21471,7 +21506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -369,12 +433,12 @@ +@@ -369,12 +434,12 @@ ## ## ## @@ -21486,7 +21521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## ## # -@@ -386,6 +450,7 @@ +@@ -386,6 +451,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; @@ -21494,7 +21529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1457,6 +1522,7 @@ +@@ -1457,6 +1523,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -21502,7 +21537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1557,23 @@ +@@ -1491,3 +1558,23 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b03bd86..b5aaa21 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 23%{?dist} +Release: 24%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -387,7 +387,7 @@ exit 0 %endif %changelog -* Wed Jan 30 2008 Dan Walsh 3.2.5-23 +* Wed Jan 30 2008 Dan Walsh 3.2.5-24 - Allow allow_httpd_mod_auth_pam to work * Wed Jan 30 2008 Dan Walsh 3.2.5-22