diff --git a/policy-20070703.patch b/policy-20070703.patch
index 77ccf48..9e4930c 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -434,7 +434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.4/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te	2007-07-28 10:42:11.000000000 -0400
 @@ -75,11 +75,13 @@
  mls_file_read_up(logrotate_t)
  mls_file_write_down(logrotate_t)
@@ -449,7 +449,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  
  # Run helper programs.
  corecmd_exec_bin(logrotate_t)
-@@ -114,8 +116,6 @@
+@@ -95,6 +97,7 @@
+ files_read_etc_files(logrotate_t)
+ files_read_etc_runtime_files(logrotate_t)
+ files_read_all_pids(logrotate_t)
++files_search_all(logrotate_t)
+ # Write to /var/spool/slrnpull - should be moved into its own type.
+ files_manage_generic_spool(logrotate_t)
+ files_manage_generic_spool_dirs(logrotate_t)
+@@ -114,8 +117,6 @@
  
  seutil_dontaudit_read_config(logrotate_t)
  
@@ -458,7 +466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
  userdom_use_unpriv_users_fds(logrotate_t)
  
-@@ -177,14 +177,6 @@
+@@ -177,14 +178,6 @@
  ')
  
  optional_policy(`
@@ -2135,6 +2143,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
  	auth_manage_pam_pid($1_userhelper_t)
  	auth_manage_var_auth($1_userhelper_t)
  	auth_search_pam_console_data($1_userhelper_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.0.4/policy/modules/apps/usernetctl.te
+--- nsaserefpolicy/policy/modules/apps/usernetctl.te	2007-07-25 10:37:37.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/apps/usernetctl.te	2007-07-28 11:05:08.000000000 -0400
+@@ -6,14 +6,6 @@
+ # Declarations
+ #
+ 
+-## <desc>
+-## <p>
+-## Allow users to control network interfaces
+-## (also needs USERCTL=true)
+-## </p>
+-## </desc>
+-gen_tunable(user_net_control,false)
+-
+ type usernetctl_t;
+ type usernetctl_exec_t;
+ application_domain(usernetctl_t,usernetctl_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.4/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-07-03 07:05:43.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/apps/vmware.fc	2007-07-25 13:27:51.000000000 -0400
@@ -2630,6 +2656,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +	allow $1 root_t:dir rw_dir_perms;
 +	allow $1 root_t:file { create getattr write };
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-07-03 07:05:38.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if	2007-07-30 10:20:15.000000000 -0400
+@@ -1192,6 +1192,24 @@
+ 
+ ########################################
+ ## <summary>
++##      unmount a FUSE filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_unmount_fusefs',`
++        gen_require(`
++                type fusefs_t;
++        ')
++
++        allow $1 fusefs_t:filesystem unmount;
++')
++
++########################################
++## <summary>
+ ##	Search inotifyfs filesystem. 
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-07-25 10:37:36.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te	2007-07-25 13:27:51.000000000 -0400
@@ -6561,8 +6615,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-25 13:27:51.000000000 -0400
-@@ -59,6 +59,8 @@
++++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-30 09:46:58.000000000 -0400
+@@ -59,10 +59,13 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
  
@@ -6571,7 +6625,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  kernel_read_system_state(rpcd_t) 
  kernel_search_network_state(rpcd_t) 
  # for rpc.rquotad
-@@ -76,9 +78,11 @@
+ kernel_read_sysctl(rpcd_t)  
++kernel_getattr_core_if(nfsd_t)
+ 
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
+@@ -76,9 +79,11 @@
  miscfiles_read_certs(rpcd_t)
  
  seutil_dontaudit_search_config(rpcd_t)
@@ -6583,7 +6642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ')
  
  ########################################
-@@ -91,9 +95,13 @@
+@@ -91,9 +96,13 @@
  allow nfsd_t exports_t:file { getattr read };
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  
@@ -6597,7 +6656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +131,7 @@
+@@ -123,6 +132,7 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
@@ -6605,7 +6664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +152,8 @@
+@@ -143,6 +153,8 @@
  manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -6614,7 +6673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +169,11 @@
+@@ -158,6 +170,11 @@
  
  miscfiles_read_certs(gssd_t)
  
@@ -7260,7 +7319,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.4/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/xserver.if	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/xserver.if	2007-07-30 10:01:38.000000000 -0400
+@@ -141,7 +141,7 @@
+ 	fs_getattr_xattr_fs($1_xserver_t)
+ 	fs_search_nfs($1_xserver_t)
+ 	fs_search_auto_mountpoints($1_xserver_t)
+-	fs_search_ramfs($1_xserver_t)
++	fs_manage_ramfs_files($1_xserver_t)
+ 
+ 	init_getpgid($1_xserver_t)
+ 
 @@ -353,12 +353,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
@@ -10523,7 +10591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-26 10:11:38.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-28 11:09:17.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -11159,21 +11227,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  	# Need the following rule to allow users to run vpnc
-@@ -1033,14 +1127,6 @@
- 	')
- 
- 	optional_policy(`
--		kerberos_use($1_t)
+@@ -1029,15 +1123,7 @@
+ 	# and may change other protocols
+ 	tunable_policy(`user_tcp_server',`
+ 		corenet_tcp_bind_all_nodes($1_t)
+-		corenet_tcp_bind_generic_port($1_t)
 -	')
 -
 -	optional_policy(`
--		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+-		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
- 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
++		corenet_tcp_bind_all_unreserved_ports($1_t)
  	')
+ 
+ 	optional_policy(`
 @@ -1054,17 +1140,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
@@ -11806,7 +11876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.4/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.4/policy/modules/users/webadm.te	2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/users/webadm.te	2007-07-27 14:44:20.000000000 -0400
 @@ -0,0 +1,70 @@
 +policy_module(webadm,1.0.0)
 +
@@ -11815,7 +11885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +# webadmin local policy
 +#
 +
-+userdom_login_user_template(webadm)
++userdom_base_user_template(webadm)
 +allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 +
 +# Allow webadm_t to restart the apache service
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f260ac2..4164f69 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-3
+- Allow xserver to write to ramfs mounted by rhgb
+
 * Tue Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-2
 - Add context for dbus machine id