diff --git a/policy-20070703.patch b/policy-20070703.patch
index 1a6b623..fef70c1 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1003,15 +1003,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te 2007-10-30 16:10:10.000000000 -0400
-@@ -18,6 +18,7 @@
- type bootloader_exec_t;
- application_domain(bootloader_t,bootloader_exec_t)
- role system_r types bootloader_t;
-+domain_trusted_type(bootloader_t)
-
- #
- # bootloader_etc_t is the configuration file,
++++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te 2007-10-30 20:38:12.000000000 -0400
+@@ -215,3 +215,7 @@
+ userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+ userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+ ')
++
++optional_policy(`
++ unconfined_domain(bootloader_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.0.8/policy/modules/admin/brctl.if
--- nsaserefpolicy/policy/modules/admin/brctl.if 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/brctl.if 2007-10-29 23:59:29.000000000 -0400
@@ -3754,8 +3754,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-30 16:16:10.000000000 -0400
-@@ -6,9 +6,28 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-30 20:49:39.000000000 -0400
+@@ -6,6 +6,22 @@
# Declarations
#
@@ -3778,13 +3778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Mark process types as domains
attribute domain;
-+# Mark process types as Trusted Computer Base domains
-+attribute tcbdomain;
-+
- # Transitions only allowed from domains to other domains
- neverallow domain ~domain:process { transition dyntransition };
-
-@@ -80,9 +99,13 @@
+@@ -80,9 +96,13 @@
allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
@@ -3798,7 +3792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -134,3 +157,32 @@
+@@ -134,3 +154,28 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -3827,10 +3821,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+optional_policy(`
+ rpm_dontaudit_rw_pipes(domain)
+')
-+
-+optional_policy(`
-+ unconfined_domain(tcbdomain)
-+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc 2007-10-29 23:59:29.000000000 -0400
@@ -6015,6 +6005,113 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
corenet_sendrecv_rndc_client_packets(ndc_t)
fs_getattr_xattr_fs(ndc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.0.8/policy/modules/services/bitlbee.fc
+--- nsaserefpolicy/policy/modules/services/bitlbee.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.fc 2007-10-30 20:45:17.000000000 -0400
+@@ -0,0 +1,3 @@
++/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
++/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
++/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.0.8/policy/modules/services/bitlbee.if
+--- nsaserefpolicy/policy/modules/services/bitlbee.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.if 2007-10-30 20:45:17.000000000 -0400
+@@ -0,0 +1,22 @@
++## Bitlbee service
++
++########################################
++##
++## Read bitlbee configuration files
++##
++##
++##
++## Domain allowed accesss.
++##
++##
++#
++interface(`bitlbee_read_config',`
++ gen_require(`
++ type bitlbee_conf_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 bitlbee_conf_t:dir { getattr read search };
++ allow $1 bitlbee_conf_t:file { read getattr };
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te
+--- nsaserefpolicy/policy/modules/services/bitlbee.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2007-10-30 20:45:17.000000000 -0400
+@@ -0,0 +1,70 @@
++
++policy_module(bitlbee, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bitlbee_t;
++type bitlbee_exec_t;
++init_daemon_domain(bitlbee_t, bitlbee_exec_t)
++inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
++
++type bitlbee_conf_t;
++files_config_file(bitlbee_conf_t)
++
++type bitlbee_var_t;
++files_type(bitlbee_var_t)
++
++########################################
++#
++# Local policy
++#
++#
++
++allow bitlbee_t self:udp_socket create_socket_perms;
++allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
++allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
++
++bitlbee_read_config(bitlbee_t)
++
++# user account information is read and edited at runtime; give the usual
++# r/w access to bitlbee_var_t
++manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
++files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
++
++corenet_all_recvfrom_unlabeled(bitlbee_t)
++corenet_udp_sendrecv_generic_if(bitlbee_t)
++corenet_udp_sendrecv_generic_node(bitlbee_t)
++corenet_udp_sendrecv_lo_node(bitlbee_t)
++corenet_tcp_sendrecv_generic_if(bitlbee_t)
++corenet_tcp_sendrecv_generic_node(bitlbee_t)
++corenet_tcp_sendrecv_lo_node(bitlbee_t)
++# Allow bitlbee to connect to jabber servers
++corenet_tcp_connect_jabber_client_port(bitlbee_t)
++corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
++# to AIM servers:
++corenet_tcp_connect_aol_port(bitlbee_t)
++corenet_tcp_sendrecv_aol_port(bitlbee_t)
++# and to MMCC (Yahoo IM) servers:
++corenet_tcp_connect_mmcc_port(bitlbee_t)
++corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
++# and to MSNP (MSN Messenger) servers:
++corenet_tcp_connect_msnp_port(bitlbee_t)
++corenet_tcp_sendrecv_msnp_port(bitlbee_t)
++
++files_read_etc_files(bitlbee_t)
++files_search_pids(bitlbee_t)
++# grant read-only access to the user help files
++files_read_usr_files(bitlbee_t)
++
++libs_legacy_use_shared_libs(bitlbee_t)
++libs_use_ld_so(bitlbee_t)
++
++sysnet_dns_name_resolve(bitlbee_t)
++
++optional_policy(`
++ # normally started from inetd using tcpwrappers, so use those entry points
++ tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2007-10-29 23:59:29.000000000 -0400
@@ -10349,7 +10446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.if 2007-10-30 19:57:15.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.if 2007-10-30 20:52:50.000000000 -0400
@@ -89,8 +89,11 @@
# bind to arbitary unused ports
corenet_tcp_bind_generic_port($1_t)
@@ -10363,6 +10460,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_rw_rpc_named_pipes($1_t)
fs_search_auto_mountpoints($1_t)
+@@ -214,6 +217,24 @@
+
+ ########################################
+ ##
++## Execute domain in nfsd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`rpc_domtrans_rpcd',`
++ gen_require(`
++ type rpcd_t, rpcd_exec_t;
++ ')
++
++ domtrans_pattern($1,rpcd_exec_t,rpcd_t)
++')
++
++########################################
++##
+ ## Read NFS exported content.
+ ##
+ ##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-29 23:59:29.000000000 -0400
@@ -13390,16 +13512,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.0.8/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/hotplug.te 2007-10-30 16:08:20.000000000 -0400
-@@ -10,6 +10,7 @@
- type hotplug_exec_t;
- kernel_domtrans_to(hotplug_t,hotplug_exec_t)
- init_daemon_domain(hotplug_t,hotplug_exec_t)
-+domain_trusted_type(hotplug_t)
-
- type hotplug_etc_t;
- files_config_file(hotplug_etc_t)
-@@ -179,6 +180,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/hotplug.te 2007-10-30 20:40:30.000000000 -0400
+@@ -179,6 +179,7 @@
sysnet_read_dhcpc_pid(hotplug_t)
sysnet_rw_dhcp_config(hotplug_t)
sysnet_domtrans_ifconfig(hotplug_t)
@@ -13407,6 +13521,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
')
optional_policy(`
+@@ -188,6 +189,10 @@
+ ')
+
+ optional_policy(`
++ unconfined_domain(bootloader_t)
++')
++
++optional_policy(`
+ updfstab_domtrans(hotplug_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-22 13:21:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-10-29 23:59:29.000000000 -0400
@@ -13647,7 +13772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-10-30 19:53:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-10-30 21:08:32.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@@ -13669,7 +13794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
-@@ -19,12 +33,13 @@
+@@ -19,6 +33,8 @@
# Mark process types as daemons
attribute daemon;
@@ -13678,13 +13803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
#
# init_t is the domain of the init process.
#
- type init_t;
- type init_exec_t;
--domain_type(init_t)
- domain_entry_file(init_t,init_exec_t)
- kernel_domtrans_to(init_t,init_exec_t)
- role system_r types init_t;
-@@ -45,7 +60,7 @@
+@@ -45,7 +61,7 @@
mls_trusted_object(initctl_t)
type initrc_t;
@@ -13693,7 +13812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_type(initrc_t)
domain_entry_file(initrc_t,initrc_exec_t)
role system_r types initrc_t;
-@@ -73,7 +88,7 @@
+@@ -73,7 +89,7 @@
#
# Use capabilities. old rule:
@@ -13702,7 +13821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -171,13 +186,14 @@
+@@ -171,13 +187,14 @@
nscd_socket_use(init_t)
')
@@ -13717,13 +13836,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_shell_domtrans_sysadm(init_t)
+',`
+ optional_policy(`
-+ unconfined_domain(init_t)
+ unconfined_shell_domtrans(init_t)
++ unconfined_domain(init_t)
+ ')
')
########################################
-@@ -186,7 +202,7 @@
+@@ -186,7 +203,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -13732,7 +13851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-@@ -196,15 +212,13 @@
+@@ -196,15 +213,13 @@
allow initrc_t self:tcp_socket create_stream_socket_perms;
allow initrc_t self:udp_socket create_socket_perms;
allow initrc_t self:fifo_file rw_file_perms;
@@ -13750,7 +13869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -233,6 +247,8 @@
+@@ -233,6 +248,8 @@
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
@@ -13759,7 +13878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_read_kernel_symbol_table(initrc_t)
corenet_all_recvfrom_unlabeled(initrc_t)
-@@ -283,7 +299,6 @@
+@@ -283,7 +300,6 @@
mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
@@ -13767,7 +13886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -365,8 +380,6 @@
+@@ -365,8 +381,6 @@
seutil_read_config(initrc_t)
@@ -13776,7 +13895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_all_users_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -497,6 +510,47 @@
+@@ -497,6 +511,47 @@
')
optional_policy(`
@@ -13824,7 +13943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
-@@ -632,12 +686,6 @@
+@@ -632,12 +687,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -13837,7 +13956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
-@@ -649,15 +697,10 @@
+@@ -649,15 +698,10 @@
')
optional_policy(`
@@ -13853,7 +13972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
openvpn_read_config(initrc_t)
')
-@@ -703,6 +746,9 @@
+@@ -703,6 +747,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -13863,7 +13982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -750,6 +796,10 @@
+@@ -750,6 +797,10 @@
')
optional_policy(`