diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7078d54..99c7778 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Merge xdm into xserver.
 - Remove kernel module reversed interfaces.
 - Add filename attribute to module XML tag and lineno attribute to
   interface XML tag.
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 76b7bb3..1dbfc75 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -215,4 +215,7 @@ gen_tunable(user_ttyfile_stat,false)
 ## If this is disallowed, no Internet content
 ## will be stored.
 gen_tunable(write_untrusted_content,false)
+
+## Allow xdm logins as sysadm
+gen_tunable(xdm_sysadm_login,false)
 ')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index e3264e0..7dbb20b 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -3024,6 +3024,23 @@ interface(`files_search_spool',`
 ')
 
 ########################################
+## <summary>
+##	Do not audit attempts to search generic
+##	spool directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_spool',`
+	gen_require(`
+		type var_spool_t;
+	')
+
+	dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
 #
 # files_list_spool(domain)
 #
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index a9451c9..f20330b 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -595,6 +595,17 @@ interface(`mta_getattr_spool',`
 	allow $1 mail_spool_t:file getattr;
 ')
 
+interface(`mta_dontaudit_getattr_spool',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	files_dontaudit_search_spool($1)
+	dontaudit $1 mail_spool_t:dir search;
+	dontaudit $1 mail_spool_t:lnk_file read;
+	dontaudit $1 mail_spool_t:file getattr;
+')
+
 #######################################
 ## <summary>
 ##	Create private objects in the 
diff --git a/refpolicy/policy/modules/services/xdm.fc b/refpolicy/policy/modules/services/xdm.fc
deleted file mode 100644
index 8cc4f02..0000000
--- a/refpolicy/policy/modules/services/xdm.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-
-/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-
-/etc/kde3?/kdm/Xstartup	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/Xreset	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-/etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/[wx]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-/etc/X11/wdm/Xsetup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-
-/opt/kde3/bin/kdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-
-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
-
-/usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-
-ifdef(`distro_suse',`
-/var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
-')
-
-/var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-/var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/xdm.if b/refpolicy/policy/modules/services/xdm.if
deleted file mode 100644
index 4c29517..0000000
--- a/refpolicy/policy/modules/services/xdm.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>X windows login display manager</summary>
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
deleted file mode 100644
index ea49d15..0000000
--- a/refpolicy/policy/modules/services/xdm.te
+++ /dev/null
@@ -1,440 +0,0 @@
-
-policy_module(xdm,1.1.3)
-
-########################################
-#
-# Declarations
-#
-
-type xdm_t;
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type xdm_exec_t;
-')
-init_domain(xdm_t,xdm_exec_t)
-init_daemon_domain(xdm_t,xdm_exec_t)
-
-type xsession_exec_t;
-files_type(xsession_exec_t)
-
-type xdm_xserver_tmp_t;
-files_type(xdm_xserver_tmp_t)
-
-type xdm_lock_t;
-files_lock_file(xdm_lock_t)
-
-type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
-
-type xdm_var_lib_t;
-files_type(xdm_var_lib_t)
-
-type xdm_var_run_t;
-files_type(xdm_var_run_t)
-
-type xdm_tmp_t;
-files_tmp_file(xdm_tmp_t)
-
-type xdm_tmpfs_t;
-files_tmpfs_file(xdm_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
-allow xdm_t self:fifo_file rw_file_perms;
-allow xdm_t self:shm create_shm_perms;
-allow xdm_t self:sem create_sem_perms;
-allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
-allow xdm_t self:tcp_socket create_stream_socket_perms;
-allow xdm_t self:udp_socket create_socket_perms;
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
-
-# wdm has its own config dir /etc/X11/wdm
-# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
-allow xdm_t xdm_var_run_t:dir setattr;
-# for xdmctl
-allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
-
-kernel_read_system_state(xdm_t)
-kernel_read_kernel_sysctl(xdm_t)
-
-corecmd_exec_shell(xdm_t)
-corecmd_exec_bin(xdm_t)
-corecmd_exec_sbin(xdm_t)
-
-corenet_tcp_sendrecv_generic_if(xdm_t)
-corenet_udp_sendrecv_generic_if(xdm_t)
-corenet_raw_sendrecv_generic_if(xdm_t)
-corenet_tcp_sendrecv_all_nodes(xdm_t)
-corenet_udp_sendrecv_all_nodes(xdm_t)
-corenet_raw_sendrecv_all_nodes(xdm_t)
-corenet_tcp_sendrecv_all_ports(xdm_t)
-corenet_udp_sendrecv_all_ports(xdm_t)
-corenet_non_ipsec_sendrecv(xdm_t)
-corenet_tcp_bind_all_nodes(xdm_t)
-corenet_udp_bind_all_nodes(xdm_t)
-corenet_tcp_connect_all_ports(xdm_t)
-# xdm tries to bind to biff_port_t
-corenet_dontaudit_tcp_bind_all_ports(xdm_t)
-
-dev_read_rand(xdm_t)
-dev_read_urand(xdm_t)
-dev_read_sysfs(xdm_t)
-dev_getattr_framebuffer(xdm_t)
-dev_setattr_framebuffer(xdm_t)
-dev_getattr_mouse(xdm_t)
-dev_setattr_mouse(xdm_t)
-dev_rw_apm_bios(xdm_t)
-dev_setattr_apm_bios(xdm_t)
-dev_rw_dri_dev(xdm_t)
-dev_rw_agp_dev(xdm_t)
-dev_getattr_xserver_misc_dev(xdm_t)
-dev_setattr_xserver_misc_dev(xdm_t)
-dev_getattr_misc(xdm_t)
-dev_setattr_misc(xdm_t)
-dev_dontaudit_rw_misc(xdm_t)
-dev_getattr_video_dev(xdm_t)
-dev_setattr_video_dev(xdm_t)
-dev_getattr_scanner(xdm_t)
-dev_setattr_scanner(xdm_t)
-dev_getattr_snd_dev(xdm_t)
-dev_setattr_snd_dev(xdm_t)
-dev_getattr_power_management(xdm_t)
-dev_setattr_power_management(xdm_t)
-
-domain_use_wide_inherit_fd(xdm_t)
-# Do not audit denied probes of /proc.
-domain_dontaudit_read_all_domains_state(xdm_t)
-
-files_read_etc_files(xdm_t)
-files_read_etc_runtime_files(xdm_t)
-files_exec_etc_files(xdm_t)
-files_list_mnt(xdm_t)
-# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
-files_read_usr_files(xdm_t)
-# Poweroff wants to create the /poweroff file when run from xdm
-files_create_boot_flag(xdm_t)
-
-fs_getattr_all_fs(xdm_t)
-fs_search_auto_mountpoints(xdm_t)
-
-selinux_get_fs_mount(xdm_t)
-selinux_validate_context(xdm_t)
-selinux_compute_access_vector(xdm_t)
-selinux_compute_create_context(xdm_t)
-selinux_compute_relabel_context(xdm_t)
-selinux_compute_user_contexts(xdm_t)
-
-storage_dontaudit_read_fixed_disk(xdm_t)
-storage_dontaudit_write_fixed_disk(xdm_t)
-storage_dontaudit_setattr_fixed_disk(xdm_t)
-storage_dontaudit_raw_read_removable_device(xdm_t)
-storage_dontaudit_raw_write_removable_device(xdm_t)
-storage_dontaudit_setattr_removable_device(xdm_t)
-storage_dontaudit_rw_scsi_generic(xdm_t)
-
-term_setattr_console(xdm_t)
-term_dontaudit_use_console(xdm_t)
-term_use_unallocated_tty(xdm_t)
-term_setattr_unallocated_ttys(xdm_t)
-
-auth_rw_lastlog(xdm_t)
-auth_read_login_records(xdm_t)
-auth_append_login_records(xdm_t)
-auth_manage_pam_pid(xdm_t)
-auth_exec_pam(xdm_t)
-auth_manage_pam_console_data(xdm_t)
-
-init_rw_utmp(xdm_t)
-init_use_script_pty(xdm_t)
-# Run telinit->init to shutdown.
-init_exec(xdm_t)
-init_write_initctl(xdm_t)
-
-libs_use_ld_so(xdm_t)
-libs_use_shared_libs(xdm_t)
-libs_exec_lib_files(xdm_t)
-
-logging_send_syslog_msg(xdm_t)
-logging_read_generic_logs(xdm_t)
-
-miscfiles_read_localization(xdm_t)
-miscfiles_read_fonts(xdm_t)
-
-seutil_read_config(xdm_t)
-seutil_read_default_contexts(xdm_t)
-
-sysnet_read_config(xdm_t)
-
-userdom_dontaudit_use_unpriv_user_fd(xdm_t)
-userdom_dontaudit_search_sysadm_home_dir(xdm_t)
-# for .dmrc
-userdom_read_unpriv_user_home_files(xdm_t)
-# Search /proc for any user domain processes.
-userdom_read_all_userdomains_state(xdm_t)
-
-ifdef(`strict_policy',`
-	allow xdm_t xdm_lock_t:file create_file_perms;
-	files_filetrans_lock(xdm_t,xdm_lock_t)
-
-	allow xdm_t xdm_tmp_t:dir create_dir_perms;
-	allow xdm_t xdm_tmp_t:file create_file_perms;
-	allow xdm_t xdm_tmp_t:file create_file_perms;
-	files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })
-
-	allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-	allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow xdm_t xdm_var_lib_t:file create_file_perms;
-	allow xdm_t xdm_var_lib_t:dir create_dir_perms;
-	files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
-
-	allow xdm_t xdm_var_run_t:dir manage_dir_perms;
-	allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
-	files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
-
-	domain_subj_id_change_exempt(xdm_t)
-	domain_role_change_exempt(xdm_t)
-	domain_obj_id_change_exempt(xdm_t)
-
-	auth_domtrans_chk_passwd(xdm_t)
-	auth_domtrans_pam_console(xdm_t)	
-
-	xserver_dontaudit_read_all_users_iceauth(xdm_t)
-
-	optional_policy(`alsa',`
-		alsa_domtrans(xdm_t)
-	')
-')
-
-ifdef(`targeted_policy',`
-	allow xdm_t self:process { execheap execmem };
-	unconfined_domain_template(xdm_t)
-	unconfined_domtrans(xdm_t)
-')
-
-optional_policy(`gpm',`
-	# Talk to the console mouse server.
-	gpm_stream_connect(xdm_t)
-	gpm_setattr_gpmctl(xdm_t)
-')
-
-optional_policy(`hostname',`
-	hostname_exec(xdm_t)
-')
-
-optional_policy(`loadkeys',`
-	loadkeys_exec(xdm_t)
-')
-
-optional_policy(`locallogin',`
-	locallogin_signull(xdm_t)
-')
-
-optional_policy(`nscd',`
-	nscd_use_socket(xdm_t)
-')
-
-optional_policy(`selinuxutil',`
-	seutil_sigchld_newrole(xdm_t)
-')
-
-optional_policy(`udev',`
-	udev_read_db(xdm_t)
-')
-
-optional_policy(`userhelper',`
-	userhelper_dontaudit_search_config(xdm_t)
-')
-
-optional_policy(`usermanage',`
-	usermanage_read_crack_db(xdm_t)
-')
-
-ifdef(`TODO',`
-# cjp: TODO: integrate strict policy:
-allow initrc_t xdm_var_run_t:fifo_file unlink;
-
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:process signal;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
-allow xdm_xserver_t xdm_t:process signal;
-
-# init script wants to check if it needs to update windowmanagerlist
-allow initrc_t xdm_rw_etc_t:file { getattr read };
-ifdef(`distro_suse', `
-# set permissions on /tmp/.X11-unix
-allow initrc_t xdm_tmp_t:dir setattr;
-')
-
-# Transition to user domains for user sessions.
-domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
-allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
-allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
-allow unpriv_userdomain xdm_xserver_t:fd use;
-allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
-allow xdm_xserver_t unpriv_userdomain:fd use;
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# gnome-session creates socket under /tmp/.ICE-unix/
-allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
-allow unpriv_userdomain xdm_tmp_t:sock_file create;
-
-# Allow xdm logins as sysadm_r:sysadm_t
-bool xdm_sysadm_login false;
-if (xdm_sysadm_login) {
-domain_trans(xdm_t, xsession_exec_t, sysadm_t)
-allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
-allow sysadm_t xdm_xserver_t:shm r_shm_perms;
-allow sysadm_t xdm_xserver_t:fd use;
-allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
-allow xdm_xserver_t sysadm_t:fd use;
-}
-
-# Label pid and temporary files with derived types.
-rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
-allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-
-allow xdm_t device_t:dir rw_dir_perms;
-can_resmgrd_connect(xdm_t)
-
-# Access xdm log files.
-file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
-allow xdm_t xserver_log_t:dir rw_dir_perms;
-allow xdm_t xserver_log_t:dir setattr;
-# Access /var/gdm/.gdmfifo.
-allow xdm_t xserver_log_t:fifo_file create_file_perms;
-
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
-allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
-
-# Remove /tmp/.X11-unix/X0.
-allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
-allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-allow xdm_t xfs_tmp_t:dir search;
-allow xdm_t xfs_tmp_t:sock_file write;
-can_unix_connect(xdm_t, xfs_t)
-')
-
-# Signal any user domain.
-allow xdm_t userdomain:process signal_perms;
-
-# Do not audit denied attempts to access devices.
-dontaudit xdm_t devpts_t:dir search;
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# Do not audit attempts to check whether user root has email
-dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
-dontaudit xdm_t mail_spool_t:file getattr;
-
-# Run the X server in a derived domain.
-xserver_domain(xdm)
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-# Insert video drivers.  
-allow insmod_t xserver_log_t:file write;
-allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-
-# Search /var/run.
-allow xdm_xserver_t var_run_t:dir search;
-
-# FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-
-# Search home directories.
-allow xdm_xserver_t home_root_t:dir search;
-allow xdm_xserver_t user_home_type:dir search;
-allow xdm_xserver_t user_home_type:file { getattr read };
-
-if (use_nfs_home_dirs) {
-allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
-allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, cifs_t)
-}
-
-ifdef(`support_polyinstatiation', `
-# xdm_t can polyinstantiate
-files_polyinstantiate_all(xdm_t)
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-')
-
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-
-# VNC v4 module in X server
-corenet_tcp_bind_vnc_port(xdm_xserver_t)
-
-# Supress permission check on .ICE-unix
-dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/xfs.if b/refpolicy/policy/modules/services/xfs.if
index 676a628..93e0241 100644
--- a/refpolicy/policy/modules/services/xfs.if
+++ b/refpolicy/policy/modules/services/xfs.if
@@ -17,3 +17,23 @@ interface(`xfs_read_socket',`
 	allow $1 xfs_tmp_t:dir search;
 	allow $1 xfs_tmp_t:sock_file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Connect to a X font server over
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xfs_stream_connect',`
+	gen_require(`
+		type xfs_tmp_t, xfs_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xfs_tmp_t:dir search;
+	allow $1 xfs_tmp_t:sock_file write;
+	allow $1 xfs_t:unix_stream_socket connectto;
+')
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 5277385..79bc20c 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -1,17 +1,59 @@
-
+#
+# HOME_DIR
+#
+ifdef(`strict',`
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+')
+
+#
+# /etc
+#
 
 /etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
 
+/etc/kde3?/kdm/Xstartup	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xreset	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde3?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/[wx]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+/etc/X11/wdm/Xsetup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+
+#
+# /opt
+#
+
+/opt/kde3/bin/kdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
+#
+# /tmp
+#
+
 /tmp/\.ICE-unix		-d	gen_context(system_u:object_r:ice_tmp_t,s0)
 /tmp/\.ICE-unix/.*	-s	<<none>>
+/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
 
+#
+# /usr
+#
+
+/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
+/usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
+
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 
+/usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/xauth    --      gen_context(system_u:object_r:xauth_exec_t,s0)
@@ -23,11 +65,23 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 /usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 /usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
+#
+# /var
+#
+
 /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 
+/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 /var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 37de6fb..37ac35e 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -6,9 +6,6 @@ template(`xserver_common_domain_template',`
 	#
 	# Declarations
 	#
-	gen_require(`
-		type xkb_var_lib_t, xserver_log_t;
-	')
 
 	type $1_xserver_t;
 	domain_type($1_xserver_t)
@@ -52,6 +49,9 @@ template(`xserver_common_domain_template',`
 	allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
 	files_filetrans_tmp($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
 
+	allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
+	type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
+
 	allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
 	allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
 	allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
@@ -151,6 +151,10 @@ template(`xserver_common_domain_template',`
 		nscd_use_socket($1_xserver_t)
 	')
 
+	optional_policy(`xfs',`
+		xfs_stream_connect($1_xserver_t)
+	')
+
 	ifdef(`TODO',`
 	ifdef(`distro_redhat',`
 		ifdef(`rpm.te', `
@@ -159,15 +163,6 @@ template(`xserver_common_domain_template',`
 			rpm_use_fd($1_xserver_t)
 		')
 	')
-
-	file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-
-	# Connect to xfs.
-	ifdef(`xfs.te', `
-		can_unix_connect($1_xserver_t, xfs_t)
-		allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
-		allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
-	')
 	') dnl end TODO
 ')
 
@@ -205,12 +200,6 @@ template(`xserver_per_userdomain_template',`
 	# Declarations
 	#
 
-	gen_require(`
-		type xauth_exec_t;
-		type xserver_exec_t;
-		type iceauth_exec_t;
-	')
-
 	xserver_common_domain_template($1)
 	role $3 types $1_xserver_t;
 
@@ -326,6 +315,9 @@ template(`xserver_per_userdomain_template',`
 	allow $2 $1_xauth_home_t:file manage_file_perms;
 	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 
+	allow xdm_t $1_xauth_home_t:file manage_file_perms;
+	userdom_filetrans_user_home_dir($1,xdm_t,$1_xauth_home_t,file)
+
 	domain_use_wide_inherit_fd($1_xauth_t)
 
 	files_read_etc_files($1_xauth_t)
@@ -406,115 +398,154 @@ template(`xserver_per_userdomain_template',`
 	')
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Define a derived domain for the X server when executed
-##	by an X Display Manager.
+##	Transition to a user Xauthority domain.
 ## </summary>
-## <param name="prefix">
-##	The prefix of the display manager domain.
+## <desc>
+##	<p>
+##	Transition to a user Xauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
 ## </param>
-## <param name="xdm_domain">
-##	The type of the display manager domain.
+## <param name="domain">
+##	Domain allowed access.
 ## </param>
 #
-template(`xserver_displaymgr_domain_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	xserver_common_domain_template($1)
-	init_system_domain($1_xserver_t,xserver_exec_t)
-
-	##############################
-	#
-	# Local policy
-	#
+template(`xserver_domtrans_user_xauth',`
+	gen_require(`
+		type $1_xauth_t, xauth_exec_t;
+	')
 
-	domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
-	allow $2 $1_xserver_t:fd use;
-	allow $1_xserver_t $2:fd use;
-	allow $1_xserver_t $2:fifo_file rw_file_perms;
-	allow $1_xserver_t $2:process { signal sigchld };
-	allow $2 $1_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+	domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
+	allow $2 $1_xauth_t:fd use;
+	allow $1_xauth_t $2:fd use;
+	allow $1_xauth_t $2:fifo_file rw_file_perms;
+	allow $1_xauth_t $2:process sigchld;
+')
 
-	allow $2 $1_xserver_tmp_t:file unlink;
+########################################
+## <summary>
+##	Connect to XDM over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xserver_stream_connect_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
 
-	allow $2 $1_xserver_tmp_t:dir r_dir_perms;
-	allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
-	allow $2 $1_xserver_t:unix_stream_socket connectto;
+	allow $1 xdm_t:unix_stream_socket connectto;
+')
 
-	allow $2 $1_xserver_t:shm rw_shm_perms;
-	allow $1_xserver_t $2:shm rw_shm_perms;
+########################################
+## <summary>
+##	Create a named socket in a XDM
+##	temporary directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xserver_create_xdm_tmp_socket',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
 
-	# Run xkbcomp.
-	can_exec($1_xserver_t, xkb_var_lib_t)
-	allow $1_xserver_t xkb_var_lib_t:lnk_file read;
-	files_search_var_lib($1_xserver_t)
+	files_search_tmp($1)
+	allow $1 xdm_tmp_t:dir ra_dir_perms;
+	allow $1 xdm_tmp_t:sock_file create;
+')
 
-	init_use_fd($1_xserver_t)
+########################################
+## <summary>
+##	Read XDM pid files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xserver_read_xdm_pid',`
+	gen_require(`
+		type xdm_var_run_t;
+	')
 
-	userdom_dontaudit_search_all_users_home($1_xserver_t)
+	files_search_pids($1)
+	allow $1 xdm_var_run_t:file r_file_perms;
+')
 
-	ifdef(`TODO',`
-	# Read all global and per user fonts
-	read_fonts($1_xserver_t, sysadm)
-	read_fonts($1_xserver_t, staff)
-	read_fonts($1_xserver_t, user)
+########################################
+## <summary>
+##	Make an X session script an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	The domain for which the shell is an entrypoint.
+## </param>
+#
+interface(`xserver_xsession_entry_type',`
+	gen_require(`
+		type xsession_exec_t;
+	')
 
-	dontaudit $1_xserver_t sysadm_t:shm { unix_read unix_write };
-	allow $1_xserver_t xdm_tmpfs_t:file rw_file_perms;
-	') dnl end TODO
+	domain_entry_file($1,xsession_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Transition to a user Xauthority domain.
+##	Execute an X session in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
 ## </summary>
 ## <desc>
 ##	<p>
-##	Transition to a user Xauthority domain.
+##	Execute an Xsession in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
 ##	</p>
 ##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
 ##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-## </param>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
+## <param name="target_domain">
+##	The type of the shell process.
+## </param>
 #
-template(`xserver_domtrans_user_xauth',`
+interface(`xserver_xsession_spec_domtrans',`
 	gen_require(`
-		type $1_xauth_t, xauth_exec_t;
+		type xsession_exec_t;
 	')
 
-	domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
-	allow $2 $1_xauth_t:fd use;
-	allow $1_xauth_t $2:fd use;
-	allow $1_xauth_t $2:fifo_file rw_file_perms;
-	allow $1_xauth_t $2:process sigchld;
+	domain_trans($1,xsession_exec_t,$2)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read all user
-##	.ICEauthority files.
+##	Do not audit attempts to write the X server
+##	log files.
 ## </summary>
 ## <param name="domain">
-##	Domain do not audit.
+##	Domain to not audit
 ## </param>
 #
-interface(`xserver_dontaudit_read_all_users_iceauth',`
+interface(`xserver_dontaudit_write_log',`
 	gen_require(`
-		attribute iceauth_home_type;
+		type xserver_log_t;
 	')
 
-	dontaudit $1 iceauth_home_type:file r_file_perms;
+	dontaudit $1 xserver_log_t:file { append write };
 ')
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 1b291fc..623f759 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,13 +1,11 @@
 
-policy_module(xserver,1.0.0)
+policy_module(xserver,1.0.1)
 
 ########################################
 #
 # Declarations
 #
 
-attribute iceauth_home_type;
-
 type ice_tmp_t;
 files_tmp_file(ice_tmp_t)
 
@@ -17,6 +15,33 @@ files_type(iceauth_exec_t)
 type xauth_exec_t;
 files_type(xauth_exec_t)
 
+type xdm_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type xdm_exec_t;
+')
+init_domain(xdm_t,xdm_exec_t)
+init_daemon_domain(xdm_t,xdm_exec_t)
+
+type xdm_lock_t;
+files_lock_file(xdm_lock_t)
+
+type xdm_rw_etc_t;
+files_type(xdm_rw_etc_t)
+
+type xdm_var_lib_t;
+files_type(xdm_var_lib_t)
+
+type xdm_var_run_t;
+files_pid_file(xdm_var_run_t)
+
+type xdm_tmp_t;
+files_tmp_file(xdm_tmp_t)
+
+type xdm_tmpfs_t;
+files_tmpfs_file(xdm_tmpfs_t)
+
 # type for /var/lib/xkb
 type xkb_var_lib_t;
 files_config_file(xkb_var_lib_t)
@@ -25,10 +50,422 @@ files_config_file(xkb_var_lib_t)
 type xserver_exec_t;
 files_type(xserver_exec_t)
 
+type xsession_exec_t;
+files_type(xsession_exec_t)
+
 # Type for the X server log file.
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
+ifdef(`strict_policy',`
+	xserver_common_domain_template(xdm)
+	init_system_domain(xdm_xserver_t,xserver_exec_t)
+')
+
 optional_policy(`prelink',`
 	prelink_object_file(xkb_var_lib_t)
 ')
+
+########################################
+#
+# XDM Local policy
+#
+
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
+allow xdm_t self:fifo_file rw_file_perms;
+allow xdm_t self:shm create_shm_perms;
+allow xdm_t self:sem create_sem_perms;
+allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:tcp_socket create_stream_socket_perms;
+allow xdm_t self:udp_socket create_socket_perms;
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# wdm has its own config dir /etc/X11/wdm
+# this is ugly, daemons should not create files under /etc!
+allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
+allow xdm_t xdm_rw_etc_t:file create_file_perms;
+
+kernel_read_system_state(xdm_t)
+kernel_read_kernel_sysctl(xdm_t)
+
+corecmd_exec_shell(xdm_t)
+corecmd_exec_bin(xdm_t)
+corecmd_exec_sbin(xdm_t)
+
+corenet_tcp_sendrecv_generic_if(xdm_t)
+corenet_udp_sendrecv_generic_if(xdm_t)
+corenet_raw_sendrecv_generic_if(xdm_t)
+corenet_tcp_sendrecv_all_nodes(xdm_t)
+corenet_udp_sendrecv_all_nodes(xdm_t)
+corenet_raw_sendrecv_all_nodes(xdm_t)
+corenet_tcp_sendrecv_all_ports(xdm_t)
+corenet_udp_sendrecv_all_ports(xdm_t)
+corenet_non_ipsec_sendrecv(xdm_t)
+corenet_tcp_bind_all_nodes(xdm_t)
+corenet_udp_bind_all_nodes(xdm_t)
+corenet_tcp_connect_all_ports(xdm_t)
+# xdm tries to bind to biff_port_t
+corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+
+dev_read_rand(xdm_t)
+dev_read_urand(xdm_t)
+dev_read_sysfs(xdm_t)
+dev_getattr_framebuffer(xdm_t)
+dev_setattr_framebuffer(xdm_t)
+dev_getattr_mouse(xdm_t)
+dev_setattr_mouse(xdm_t)
+dev_rw_apm_bios(xdm_t)
+dev_setattr_apm_bios(xdm_t)
+dev_rw_dri_dev(xdm_t)
+dev_rw_agp_dev(xdm_t)
+dev_getattr_xserver_misc_dev(xdm_t)
+dev_setattr_xserver_misc_dev(xdm_t)
+dev_getattr_misc(xdm_t)
+dev_setattr_misc(xdm_t)
+dev_dontaudit_rw_misc(xdm_t)
+dev_getattr_video_dev(xdm_t)
+dev_setattr_video_dev(xdm_t)
+dev_getattr_scanner(xdm_t)
+dev_setattr_scanner(xdm_t)
+dev_getattr_snd_dev(xdm_t)
+dev_setattr_snd_dev(xdm_t)
+dev_getattr_power_management(xdm_t)
+dev_setattr_power_management(xdm_t)
+
+domain_use_wide_inherit_fd(xdm_t)
+# Do not audit denied probes of /proc.
+domain_dontaudit_read_all_domains_state(xdm_t)
+
+files_read_etc_files(xdm_t)
+files_read_etc_runtime_files(xdm_t)
+files_exec_etc_files(xdm_t)
+files_list_mnt(xdm_t)
+# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+files_read_usr_files(xdm_t)
+# Poweroff wants to create the /poweroff file when run from xdm
+files_create_boot_flag(xdm_t)
+
+fs_getattr_all_fs(xdm_t)
+fs_search_auto_mountpoints(xdm_t)
+
+selinux_get_fs_mount(xdm_t)
+selinux_validate_context(xdm_t)
+selinux_compute_access_vector(xdm_t)
+selinux_compute_create_context(xdm_t)
+selinux_compute_relabel_context(xdm_t)
+selinux_compute_user_contexts(xdm_t)
+
+storage_dontaudit_read_fixed_disk(xdm_t)
+storage_dontaudit_write_fixed_disk(xdm_t)
+storage_dontaudit_setattr_fixed_disk(xdm_t)
+storage_dontaudit_raw_read_removable_device(xdm_t)
+storage_dontaudit_raw_write_removable_device(xdm_t)
+storage_dontaudit_setattr_removable_device(xdm_t)
+storage_dontaudit_rw_scsi_generic(xdm_t)
+
+term_setattr_console(xdm_t)
+term_dontaudit_use_console(xdm_t)
+term_use_unallocated_tty(xdm_t)
+term_setattr_unallocated_ttys(xdm_t)
+
+auth_rw_lastlog(xdm_t)
+auth_read_login_records(xdm_t)
+auth_append_login_records(xdm_t)
+auth_manage_pam_pid(xdm_t)
+auth_exec_pam(xdm_t)
+auth_manage_pam_console_data(xdm_t)
+
+init_rw_utmp(xdm_t)
+init_use_script_pty(xdm_t)
+# Run telinit->init to shutdown.
+init_exec(xdm_t)
+init_write_initctl(xdm_t)
+
+libs_use_ld_so(xdm_t)
+libs_use_shared_libs(xdm_t)
+libs_exec_lib_files(xdm_t)
+
+logging_send_syslog_msg(xdm_t)
+logging_read_generic_logs(xdm_t)
+
+miscfiles_read_localization(xdm_t)
+miscfiles_read_fonts(xdm_t)
+
+seutil_read_config(xdm_t)
+seutil_read_default_contexts(xdm_t)
+
+sysnet_read_config(xdm_t)
+
+userdom_dontaudit_use_unpriv_user_fd(xdm_t)
+userdom_dontaudit_search_sysadm_home_dir(xdm_t)
+# for .dmrc
+userdom_read_unpriv_user_home_files(xdm_t)
+# Search /proc for any user domain processes.
+userdom_read_all_userdomains_state(xdm_t)
+userdom_signal_all_users(xdm_t)
+
+ifdef(`enable_polyinstantiation',`
+	# xdm_t can polyinstantiate
+	files_polyinstantiate_all(xdm_t)
+')
+
+ifdef(`strict_policy',`
+	allow xdm_t xdm_lock_t:file create_file_perms;
+	files_filetrans_lock(xdm_t,xdm_lock_t)
+
+	allow xdm_t xdm_tmp_t:dir create_dir_perms;
+	allow xdm_t xdm_tmp_t:file create_file_perms;
+	allow xdm_t xdm_tmp_t:file create_file_perms;
+	files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })
+
+	allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow xdm_t xdm_var_lib_t:file create_file_perms;
+	allow xdm_t xdm_var_lib_t:dir create_dir_perms;
+	files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
+
+	allow xdm_t xdm_var_run_t:dir manage_dir_perms;
+	allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
+	files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
+
+	allow xdm_t xdm_xserver_t:process signal;
+	allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+
+	allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+	allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+
+	# transition to the xdm xserver
+	domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
+	allow xdm_t xdm_xserver_t:fd use;
+	allow xdm_xserver_t xdm_t:fd use;
+	allow xdm_xserver_t xdm_t:fifo_file rw_file_perms;
+	allow xdm_xserver_t xdm_t:process { signal sigchld };
+	allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+	allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+
+	# connect to xdm xserver over stream socket
+	allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
+	allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+	allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+
+	# Remove /tmp/.X11-unix/X0.
+	allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
+	allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
+	allow xdm_t xdm_xserver_tmp_t:file unlink;
+
+	allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
+	allow xdm_t xserver_log_t:file manage_file_perms;
+	allow xdm_t xserver_log_t:fifo_file manage_file_perms;
+	logging_filetrans_log(xdm_t,xserver_log_t,file)
+
+	domain_subj_id_change_exempt(xdm_t)
+	domain_role_change_exempt(xdm_t)
+	domain_obj_id_change_exempt(xdm_t)
+
+	auth_domtrans_chk_passwd(xdm_t)
+	auth_domtrans_pam_console(xdm_t)	
+
+	# FIXME:
+	# xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
+
+	tunable_policy(`xdm_sysadm_login',`
+		userdom_xsession_spec_domtrans_all_users(xdm_t)
+		# FIXME:
+#		xserver_rw_session_template(xdm,userdomain)
+	',`
+		userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
+		# FIXME:
+#		xserver_rw_session_template(xdm,unpriv_userdomain)
+#		dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
+#		allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+	')
+
+	optional_policy(`alsa',`
+		alsa_domtrans(xdm_t)
+	')
+')
+
+ifdef(`targeted_policy',`
+	allow xdm_t self:process { execheap execmem };
+	unconfined_domain_template(xdm_t)
+	unconfined_domtrans(xdm_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(xdm_t)
+	fs_manage_nfs_files(xdm_t)
+	fs_manage_nfs_symlinks(xdm_t)
+	fs_execute_nfs_files(xdm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(xdm_t)
+	fs_manage_cifs_files(xdm_t)
+	fs_manage_cifs_symlinks(xdm_t)
+	fs_execute_cifs_files(xdm_t)
+')
+
+optional_policy(`gpm',`
+	# Talk to the console mouse server.
+	gpm_stream_connect(xdm_t)
+	gpm_setattr_gpmctl(xdm_t)
+')
+
+optional_policy(`hostname',`
+	hostname_exec(xdm_t)
+')
+
+optional_policy(`loadkeys',`
+	loadkeys_exec(xdm_t)
+')
+
+optional_policy(`locallogin',`
+	locallogin_signull(xdm_t)
+')
+
+optional_policy(`mta',`
+	# Do not audit attempts to check whether user root has email
+	mta_dontaudit_getattr_spool(xdm_t)
+')
+
+optional_policy(`nscd',`
+	nscd_use_socket(xdm_t)
+')
+
+optional_policy(`selinuxutil',`
+	seutil_sigchld_newrole(xdm_t)
+')
+
+optional_policy(`udev',`
+	udev_read_db(xdm_t)
+')
+
+optional_policy(`userhelper',`
+	userhelper_dontaudit_search_config(xdm_t)
+')
+
+optional_policy(`usermanage',`
+	usermanage_read_crack_db(xdm_t)
+')
+
+optional_policy(`xfs',`
+	xfs_stream_connect(xdm_t)
+')
+
+########################################
+#
+# XDM Xserver local policy
+#
+
+ifdef(`strict_policy',`
+	allow xdm_xserver_t xdm_t:process signal;
+	allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+
+	# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+	# handle of a file inside the dir!!!
+	allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+	dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+
+	allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+
+	# Label pid and temporary files with derived types.
+	allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
+	allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
+	allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
+	allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
+
+	# Run xkbcomp.
+	allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+	can_exec(xdm_xserver_t, xkb_var_lib_t)
+	files_search_var_lib(xdm_xserver_t)
+
+	# VNC v4 module in X server
+	corenet_tcp_bind_vnc_port(xdm_xserver_t)
+
+	fs_search_auto_mountpoints(xdm_xserver_t)
+
+	init_use_fd(xdm_xserver_t)
+
+	# FIXME: After per user fonts are properly working
+	# xdm_xserver_t may no longer have any reason
+	# to read ROLE_home_t - examine this in more detail
+	# (xauth?)
+	userdom_read_unpriv_user_home_files(xdm_xserver_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs(xdm_xserver_t)
+		fs_manage_nfs_files(xdm_xserver_t)
+		fs_manage_nfs_symlinks(xdm_xserver_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs(xdm_xserver_t)
+		fs_manage_cifs_files(xdm_xserver_t)
+		fs_manage_cifs_symlinks(xdm_xserver_t)
+	')
+
+	ifdef(`TODO',`
+	# Read all global and per user fonts
+	read_fonts(xdm_xserver_t, sysadm)
+	read_fonts(xdm_xserver_t, staff)
+	read_fonts(xdm_xserver_t, user)
+	') dnl end TODO
+')
+
+ifdef(`TODO',`
+# cjp: TODO: integrate strict policy:
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t xdm_rw_etc_t:file { getattr read };
+ifdef(`distro_suse', `
+# set permissions on /tmp/.X11-unix
+allow initrc_t xdm_tmp_t:dir setattr;
+')
+
+allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
+can_resmgrd_connect(xdm_t)
+
+# Need to further investigate these permissions and
+# perhaps define derived types.
+allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
+allow xdm_t var_lib_t:file { create write unlink };
+
+# Do not audit attempts to write to index files under /usr
+dontaudit xdm_t usr_t:file write;
+
+ifdef(`rhgb.te', `
+allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow rhgb_t xdm_xserver_t:process signal;
+')
+
+ifdef(`enable_polyinstantiation',`
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
+#
+# Wants to delete .xsession-errors file
+#
+allow xdm_t user_home_type:file unlink;
+#
+# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+#
+allow pam_t xdm_t:fifo_file { getattr ioctl write };
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index bcfeb15..863c3be 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -436,6 +436,17 @@ template(`base_user_template',`
 		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	')
 
+	optional_policy(`xserver',`
+		dev_rw_xserver_misc_dev($1_t)
+		xserver_xsession_entry_type($1_t)
+		xserver_dontaudit_write_log($1_t)
+		xserver_stream_connect_xdm($1_t)
+		# certain apps want to read xdm.pid file
+		xserver_read_xdm_pid($1_t)
+		# gnome-session creates socket under /tmp/.ICE-unix/
+		xserver_create_xdm_tmp_socket($1_t)
+	')
+
 	ifdef(`TODO',`
 	#
 	# Cups daemon running as user tries to write /etc/printcap
@@ -464,20 +475,8 @@ template(`base_user_template',`
 	# Use X
 	x_client_domain($1, $1)
 
-	ifdef(`xserver.te', `
-		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-	')
-
 	ifdef(`xdm.te', `
-		# Connect to the X server run by the X Display Manager.
-		can_unix_connect($1_t, xdm_t)
-		# certain apps want to read xdm.pid file
-		r_dir_file($1_t, xdm_var_run_t)
 		allow $1_t xdm_var_lib_t:file r_file_perms;
-		allow xdm_t $1_home_dir_t:dir getattr;
-		ifdef(`xauth.te', `
-			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-		')
 	')
 
 	# start read_fonts()
@@ -2542,6 +2541,28 @@ interface(`userdom_spec_domtrans_all_users',`
 
 ########################################
 ## <summary>
+##	Execute an Xserver session in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_xsession_spec_domtrans_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	xserver_xsession_spec_domtrans($1,userdomain)
+	allow $1 userdomain:fd use;
+	allow userdomain $1:fd use;
+	allow userdomain $1:fifo_file rw_file_perms;
+	allow userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute a shell in all unprivileged user domains.  This
 ##	is an explicit transition, requiring the
 ##	caller to use setexeccon().
@@ -2564,6 +2585,28 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 
 ########################################
 ## <summary>
+##	Execute an Xserver session in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	xserver_xsession_spec_domtrans($1,unpriv_userdomain)
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Manage unpriviledged user SysV sempaphores.
 ## </summary>
 ## <param name="domain">
@@ -3616,6 +3659,7 @@ interface(`userdom_read_unpriv_user_home_files',`
 		attribute user_home_dir_type, user_home_type;
 	')
 
+	files_search_home($1)
 	allow $1 user_home_dir_type:dir search_dir_perms;
 	allow $1 user_home_type:dir r_dir_perms;
 	allow $1 user_home_type:lnk_file { getattr read };
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 92d9aa6..834645a 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.2.5)
+policy_module(userdomain,1.2.6)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;