diff -ruN /tmp/selinux/policy/attrib.te ./attrib.te
--- /tmp/selinux/policy/attrib.te 2002-08-21 20:22:42.000000000 +0200
+++ ./attrib.te 2002-08-25 18:08:35.000000000 +0200
@@ -119,6 +119,9 @@
 # to all user domains.
 attribute userdomain;
+# attribute for all non-administrative devpts types
+attribute userpty_type;
+
 # The user_crond_domain attribute identifies every user_crond domain, presently
 # user_crond_t and sysadm_crond_t. It is used in TE rules that should be
 # applied to all user domains.
@@ -178,6 +181,13 @@
 # domains the ability to remove all such files (e.g. init, crond).
 attribute tmpfile;
+# The user_tmpfile attribute identifies all types associated with temporary
+# files for unpriv_userdomain domains.
+attribute user_tmpfile;
+
+# for the user_xserver_tmp_t etc
+attribute xserver_tmpfile;
+
 # The tmpfsfile attribute identifies all types defined for tmpfs
 # type transitions.
 # It is used in TE rules to grant certain domains the ability to
@@ -239,6 +249,10 @@
 # Identifier for log files or directories that only exist for log files.
 attribute logfile;
+# Identifier for lock files (/var/lock/*) or directories that only exist for
+# lock files.
+attribute lockfile;
+
 ##############################
diff -ruN /tmp/selinux/policy/domains/program/bootloader.te ./domains/program/bootloader.te
--- /tmp/selinux/policy/domains/program/bootloader.te 2002-08-21 20:22:43.000000000 +0200
+++ ./domains/program/bootloader.te 2002-08-25 00:49:03.000000000 +0200
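Review bot: The comment `# for the user_xserver_tmp_t etc` on the new xserver_tmpfile attribute is much thinner than the sibling attribute comments in this file and does not say which rules key on it. Replace it with something like `# The xserver_tmpfile attribute identifies the per-user X server tmp types (user_xserver_tmp_t and the other $1_xserver_tmp_t types) so admin macros can transition on them as a group.`, matching the user_tmpfile comment just above it. Which types actually carry the attribute is not visible in this patch, so word the list to match what xserver.te defines.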
@@ -76,6 +78,11 @@
 allow bootloader_t sysadm_tty_device_t:chr_file rw_file_perms;
 allow bootloader_t sysadm_devpts_t:chr_file rw_file_perms;
+ifdef(`dpkg.te', `
+# for making an initrd
+can_exec_read(bootloader_t, { mount_exec_t })
+')
+
 # for reading BIOS data
 allow bootloader_t memory_device_t:chr_file r_file_perms;
diff -ruN /tmp/selinux/policy/domains/program/checkpolicy.te ./domains/program/checkpolicy.te
--- /tmp/selinux/policy/domains/program/checkpolicy.te 2002-08-15 21:22:06.000000000 +0200
+++ ./domains/program/checkpolicy.te 2002-08-26 01:03:45.000000000 +0200
@@ -55,5 +55,5 @@
 # so it can be used without privilege to write real binary policy file
 can_exec(user_t, checkpolicy_exec_t)
-allow checkpolicy_t privrole:fd use;
+allow checkpolicy_t privfd:fd use;
diff -ruN /tmp/selinux/policy/domains/program/dpkg.te ./domains/program/dpkg.te
--- /tmp/selinux/policy/domains/program/dpkg.te 2002-08-21 20:22:44.000000000 +0200
+++ ./domains/program/dpkg.te 2002-08-26 01:04:04.000000000 +0200
@@ -101,7 +101,7 @@
 # allow user domains to execute dpkg
 allow userdomain dpkg_exec_t:dir r_dir_perms;
-can_exec(user_t, { dpkg_exec_t apt_exec_t })
+can_exec(userdomain, { dpkg_exec_t apt_exec_t })
 # allow everyone to read dpkg database
 r_dir_file({ apt_t userdomain }, { var_lib_dpkg_t var_lib_apt_t var_cache_apt_t })
diff -ruN /tmp/selinux/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /tmp/selinux/policy/domains/program/initrc.te 2002-08-21 20:22:44.000000000 +0200
+++ ./domains/program/initrc.te 2002-08-25 18:09:09.000000000 +0200
@@ -9,7 +9,7 @@
 # initrc_t is the domain of the init rc scripts.
 # initrc_exec_t is the type of the init program.
 #
-type initrc_t, domain, privlog, privowner;
+type initrc_t, domain, privlog, privowner, privmail;
 role system_r types initrc_t;
 every_domain(initrc_t)
 type initrc_exec_t, file_type, sysadmfile, exec_type;
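Review bot: `can_exec_read(bootloader_t, { mount_exec_t })` in the dpkg.te branch runs mount inside bootloader_t rather than transitioning to mount's own domain, so any mount/umount the initrd build performs would need the corresponding filesystem permissions granted to bootloader_t itself, or it will be denied there instead of in the mount domain. If the initrd tool only needs to read the mount binary (e.g. to copy it into the image) this is fine and the comment should say so, e.g. `# for making an initrd: copy mount into the image (no domain transition needed)`; if it actually mounts a loop image, a `domain_auto_trans(bootloader_t, mount_exec_t, mount_t)` keeps those privileges out of bootloader_t. The name of mount's domain is assumed from mount_exec_t and is not visible in this hunk.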
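Review bot: Widening `can_exec(user_t, …)` to `can_exec(userdomain, …)` also covers sysadm_t and every other user domain, not only the unprivileged shells that `# allow user domains to execute dpkg` describes, and can_exec grants execution with no domain transition. If sysadm_t is expected to reach dpkg through a transition defined elsewhere (not visible here), it now also has a no-transition path; unpriv_userdomain, which the attrib.te comment in this same patch refers to, is the narrower attribute if that was the intent. Either way a short comment stating whether admin shells are meant to run dpkg/apt untransitioned would save the next reviewer the same question.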
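Review bot: The `privmail` attribute added to `type initrc_t, domain, privlog, privowner, privmail;` is not explained anywhere in the hunk, and a privilege attribute on the domain every init script runs in deserves a reason. Add a comment above the type line naming the consumer, e.g. `# privmail: some init scripts send mail (boot/cron notifications)`; the specific script is not visible here and should be confirmed before the comment is written.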
@@ -95,6 +95,10 @@
 allow initrc_t var_log_t:file { setattr rw_file_perms };
 allow initrc_t lastlog_t:file { setattr rw_file_perms };
+# remove old locks
+allow initrc_t lockfile:dir rw_dir_perms;
+allow initrc_t lockfile:file { getattr unlink };
+
 # Access /var/lib/random-seed.
 allow initrc_t var_lib_t:file rw_file_perms;
 allow initrc_t var_lib_t:file unlink;
@@ -140,9 +144,11 @@
 allow initrc_t ttyfile:chr_file relabelfrom;
 allow initrc_t tty_device_t:chr_file relabelto;
+ifdef(`rpm.te', `
 # Create and read /boot/kernel.h.
 allow initrc_t boot_t:lnk_file r_file_perms;
 file_type_auto_trans(initrc_t, boot_t, boot_runtime_t)
+')
 # Delete and re-create /boot/System.map.
 allow initrc_t boot_t:dir { read getattr write remove_name add_name };
diff -ruN /tmp/selinux/policy/domains/program/ipsec.te ./domains/program/ipsec.te
--- /tmp/selinux/policy/domains/program/ipsec.te 2002-08-21 20:22:44.000000000 +0200
+++ ./domains/program/ipsec.te 2002-08-25 19:51:54.000000000 +0200
@@ -25,7 +25,7 @@
 type ipsec_mgmt_t, domain, privlog, admin;
 type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
-type ipsec_mgmt_var_run_t, file_type, sysadmfile;
+type ipsec_mgmt_var_run_t, file_type, sysadmfile, pidfile;
 domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_mgmt_var_run_t)
@@ -214,6 +214,7 @@
 dontaudit ipsec_mgmt_t devpts_t:dir { getattr read };
 dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
+dontaudit ipsec_mgmt_t device_t:dir { getattr read };
 allow ipsec_mgmt_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write ioctl };
 allow ipsec_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write };
diff -ruN /tmp/selinux/policy/domains/program/kcheckpass.te ./domains/program/kcheckpass.te
--- /tmp/selinux/policy/domains/program/kcheckpass.te 2002-08-22 16:21:26.000000000 +0200
+++ ./domains/program/kcheckpass.te 2002-08-25 18:27:42.000000000 +0200
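Review bot: `allow initrc_t lockfile:dir rw_dir_perms;` grants more than `# remove old locks` needs if rw_dir_perms expands to include add_name, as its name suggests; deleting stale lock files only requires search/write/remove_name on the directory plus read/getattr to list it. Consider `allow initrc_t lockfile:dir { read getattr search write remove_name };` and keep the file rule at `{ getattr unlink }` as written, so a compromised init script cannot plant new lock files under /var/lock. The exact expansion of rw_dir_perms is not visible in this hunk, so confirm it before narrowing.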
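Review bot: The new ``ifdef(`rpm.te', ` `` guard around the /boot/kernel.h rules uses the presence of rpm.te as a stand-in for the distribution whose boot scripts create that file, which a reader cannot tell from the guard alone. A comment on the ifdef line, e.g. `# /boot/kernel.h is only generated by rpm-based distributions' boot scripts`, records why these two rules are conditional. If boot_runtime_t is declared outside this hunk under the same condition, confirm nothing unconditional still references it; the System.map rules that follow use boot_t only, so they are unaffected.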
@@ -19,7 +19,7 @@
 allow kcheckpass_t sbin_t:dir search;
 allow kcheckpass_t self:fifo_file { read write ioctl };
 allow kcheckpass_t self:unix_stream_socket create_stream_socket_perms;
-allow kcheckpass_t { user_t sysadm_t }:unix_stream_socket { read write ioctl };
+allow kcheckpass_t userdomain:unix_stream_socket { read write ioctl };
 allow kcheckpass_t self:unix_dgram_socket create_socket_perms;
 allow kcheckpass_t self:process { fork sigchld };
@@ -32,4 +32,5 @@
 dontaudit kcheckpass_t user_home_dir_type:dir search;
 dontaudit kcheckpass_t xdm_t:fd use;
-dontaudit kcheckpass_t user_tmp_t:file read;
+dontaudit kcheckpass_t user_tmpfile:file read;
+dontaudit kcheckpass_t device_t:dir search;
diff -ruN /tmp/selinux/policy/domains/program/ssh.te ./domains/program/ssh.te
--- /tmp/selinux/policy/domains/program/ssh.te 2002-08-21 20:22:46.000000000 +0200
+++ ./domains/program/ssh.te 2002-08-25 18:13:50.000000000 +0200
@@ -83,7 +90,7 @@
 # Relabel and access ptys created by sshd
 allow sshd_t sshd_devpts_t:chr_file { setattr getattr relabelfrom relabelto };
-allow sshd_t user_devpts_t:chr_file { setattr relabelto rw_file_perms };
+allow sshd_t { sysadm_devpts_t userpty_type }:chr_file { setattr relabelto rw_file_perms };
 #################################
 #
@@ -101,7 +108,7 @@
 # Relabel ptys created by sshd
 allow sshd_login_t sshd_devpts_t:chr_file { relabelfrom relabelto };
-allow sshd_login_t user_devpts_t:chr_file { getattr relabelfrom relabelto };
+allow sshd_login_t { sysadm_devpts_t userpty_type }:chr_file { getattr relabelfrom relabelto };
 # Obtain the SID for the user
 allow sshd_t security_t:security get_user_sids;
diff -ruN /tmp/selinux/policy/macros/admin_macros.te ./macros/admin_macros.te
--- /tmp/selinux/policy/macros/admin_macros.te 2002-08-21 20:22:47.000000000 +0200
+++ ./macros/admin_macros.te 2002-08-25 18:55:18.000000000 +0200
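Review bot: The pair `{ sysadm_devpts_t userpty_type }` now appears in both the sshd_t and the sshd_login_t rule and has to be kept in step with user_macros.te, which in this same patch deliberately leaves sysadm's pty type out of userpty_type. If no attribute in the policy already means "every pty type a login can relabel to", defining one carried by both sysadm_devpts_t and the userpty_type types would let these two rules and any future login daemon use a single name; otherwise a comment on the first rule explaining why sysadm_devpts_t is listed separately would stop someone from "simplifying" it to userpty_type alone. Whether such an attribute already exists is not visible in this hunk.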
@@ -82,12 +84,12 @@
 # Create files in /tmp/orbit-* and /tmp/.ICE-unix
 # with our derived tmp type rather than user_tmp_t.
-file_type_auto_trans($1_t, user_tmp_t, $1_tmp_t)
+file_type_auto_trans($1_t, user_tmpfile, $1_tmp_t)
 ifdef(`xserver.te', `# Create files in /tmp/.X11-unix with our X servers derived
 # tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, user_xserver_tmp_t, $1_xserver_tmp_t)')
+file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t)')
 #
 # A user who is authorized for sysadm_t may nonetheless have
diff -ruN /tmp/selinux/policy/macros/user_macros.te ./macros/user_macros.te
--- /tmp/selinux/policy/macros/user_macros.te 2002-08-22 17:15:07.000000000 +0200
+++ ./macros/user_macros.te 2002-08-25 00:31:53.000000000 +0200
@@ -16,23 +16,24 @@
 define(`user_domain',`
 # Use capabilities
 allow $1_t self:capability { net_bind_service dac_override setuid setgid chown sys_tty_config fowner };
+dontaudit $1_t self:capability { sys_nice fsetid };
 # Type for home directory.
 ifelse($1, sysadm, `
 type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
 type $1_home_t, file_type, sysadmfile, home_type;
+type $1_tmp_t, file_type, sysadmfile, tmpfile;
 ', `
 type $1_home_dir_t, file_type, sysadmfile, home_dir_type, user_home_dir_type, home_type, user_home_type;
 type $1_home_t, file_type, sysadmfile, home_type, user_home_type;
 # do not allow privhome access to sysadm_home_dir_t
 file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
+type $1_tmp_t, file_type, sysadmfile, tmpfile, user_tmpfile;
 ')
 # Create, access, and remove files in home directory.
 file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
-# Type for temporary files.
-type $1_tmp_t, file_type, sysadmfile, tmpfile;
 # Use the type when creating files in /tmp.
 file_type_auto_trans($1_t, tmp_t, $1_tmp_t)
 # Bind to a Unix domain socket in /tmp.
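Review bot: The comment `# with our derived tmp type rather than user_tmp_t.` above the changed line is now stale: the transition source is the user_tmpfile attribute, i.e. every unprivileged user's tmp type, not only user_tmp_t. Reword it to `# with our derived tmp type rather than the owning user's tmp type (any user_tmpfile type).` and, in the xserver branch, `# tmp type rather than the user's X server tmp type (any xserver_tmpfile type).`. Since file_type_auto_trans also grants the admin domain directory access on every matching type, a word in the comment that this deliberately spans all users' /tmp subdirectories would make the widening explicit; the macro's exact expansion is not visible here.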
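Review bot: The `type $1_tmp_t` line is now duplicated in both ifelse branches, differing only in the trailing user_tmpfile attribute, and the reason sysadm's tmp type is left out is not recorded anywhere. A comment beside the sysadm branch, e.g. `# sysadm_tmp_t deliberately lacks user_tmpfile so rules keyed on that attribute (admin auto_trans, kcheckpass dontaudit) never match the admin's own /tmp files`, would stop someone "fixing" the asymmetry later; alternatively a single `type $1_tmp_t, file_type, sysadmfile, tmpfile` line after the ifelse, with the attribute suffix chosen by a small ifelse on $1, removes the duplication. The `dontaudit $1_t self:capability { sys_nice fsetid };` addition is fine as a log-noise reducer.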
@@ -44,15 +45,40 @@
 allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 # Use the type when relabeling terminal devices.
 type_change $1_t tty_device_t:chr_file $1_tty_device_t;
+ifdef(`dpkg.te', `
+# Debian login is from shadow utils and does not allow resetting the perms.
+# have to fix this!
+type_change $1_t ttyfile:chr_file $1_tty_device_t;
+')
 # Type and access for pty devices.
+ifelse(`$1', `sysadm', `
 can_create_pty($1)
+', `
+can_create_pty($1, `, userpty_type')
+')
+
 # Use the type when relabeling pty devices.
 ifdef(`rlogind.te', `type_change $1_t rlogind_devpts_t:chr_file $1_devpts_t;')
 ifdef(`ssh.te', `
 type_change $1_t sshd_devpts_t:chr_file $1_devpts_t;
-')
+
+# Access /tmp/ssh files.
+allow $1_t sshd_tmp_t:dir rw_dir_perms;
+allow $1_t sshd_tmp_t:file create_file_perms;
+
+# Connect to sshd.
+can_tcp_connect($1_t, sshd_t)
+
+# Connect to ssh proxy.
+can_tcp_connect($1_t, $1_ssh_t)
+
+allow $1_t sshd_t:fd use;
+allow $1_t sshd_t:tcp_socket rw_stream_socket_perms;
+# Use a Unix stream socket inherited from sshd.
+allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
+')dnl end of ssh section
 # Type for tmpfs/shm files.
 type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
@@ -60,12 +86,6 @@
 file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
 allow $1_tmpfs_t tmpfs_t:filesystem associate;
-# Access /tmp/ssh files.
-ifdef(`ssh.te', `
-allow $1_t sshd_tmp_t:dir rw_dir_perms;
-allow $1_t sshd_tmp_t:file create_file_perms;
-')
-
 # Read and write /var/catman.
 allow $1_t catman_t:dir rw_dir_perms;
 allow $1_t catman_t:notdevfile_class_set create_file_perms;
diff -ruN /tmp/selinux/policy/types/file.te ./types/file.te
--- /tmp/selinux/policy/types/file.te 2002-08-21 20:22:48.000000000 +0200
+++ ./types/file.te 2002-08-25 18:15:48.000000000 +0200
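Review bot: The dpkg.te-only `type_change $1_t ttyfile:chr_file $1_tty_device_t;` widens the relabel source from tty_device_t to every ttyfile type, so a login on a tty still carrying another user's (or the admin's) tty type now computes $1_tty_device_t for the new user; that is what the comment intends, but `# have to fix this!` should say what the real fix is so the workaround can be removed later, e.g. `# TODO: drop once Debian login (shadow) restores tty_device_t on logout; until then a login on a tty left labelled by the previous user needs this type_change`. The actual relabel is still gated by whichever login domain holds relabelfrom/relabelto on ttyfile, which is outside this hunk. Separately, ``can_create_pty($1, `, userpty_type')`` smuggles a leading comma through a macro argument; having can_create_pty take a plain attribute list and add the comma itself is less fragile, though the macro body is not visible here. The define(`user_domain') body this hunk belongs to starts and ends outside the hunk.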
@@ -159,7 +155,7 @@
 type var_run_t, file_type, sysadmfile;
 type var_log_t, file_type, sysadmfile, logfile;
 type faillog_t, file_type, sysadmfile, logfile;
-type var_lock_t, file_type, sysadmfile;
+type var_lock_t, file_type, sysadmfile, lockfile;
 type var_lib_t, file_type, sysadmfile;
 # for /var/{spool,lib}/texmf index files
 type tetex_data_t, file_type, sysadmfile, tmpfile;