diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 3d8048c..5ef15eb 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -99,8 +99,3 @@ optional_policy(`udev',`
 	udev_read_db(acct_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(acct_t)
-')
-')
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 1d83fe3..a46294b 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -70,9 +70,4 @@ ifdef(`targeted_policy',`
 		udev_read_db(dmesg_t)
 	')
 
-	ifdef(`TODO',`
-	optional_policy(`rhgb',`
-	rhgb_domain(dmesg_t)
-	')
-	') dnl endif TODO
 ')
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index a7a6a82..0091b4a 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -152,9 +152,6 @@ optional_policy(`udev',`
 
 ifdef(`TODO',`
 allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`rhgb',`
-        rhgb_domain(kudzu_t)
-')
 optional_policy(`lpd',`
 	allow kudzu_t printconf_t:file { getattr read };
 ')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index efced03..296d8c2 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -82,7 +82,4 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t
 allow quota_t file_t:file quotaon;
 
 allow quota_t proc_t:file getattr;
-optional_policy(`rhgb',`
-	rhgb_domain(quota_t)
-')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 17331c1..bf83e25 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -98,7 +98,7 @@ optional_policy(`dbus',`
 	dbus_send_system_bus_msg(updfstab_t)
 ')
 
-optional_policy(`hald',`
+optional_policy(`hal',`
 	hal_stream_connect(updfstab_t)
 ')
 
@@ -121,9 +121,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(updfstab_t)
-')
 allow updfstab_t tmpfs_t:dir getattr;
 ')
 
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 14fb0c1..77d92bc 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -182,6 +182,32 @@ interface(`usermanage_domtrans_admin_passwd',`
 
 ########################################
 ## <summary>
+##	Execute passwd admin functions in the admin
+##	passwd domain, and allow the specified role
+##	the admin passwd domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the admin passwd domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the admin passwd domain to use.
+## </param>
+#
+interface(`usermanage_run_admin_passwd',`
+	gen_require(`
+		type sysadm_passwd_t;
+	')
+
+	usermanage_domtrans_admin_passwd($1)
+	role $2 types sysadm_passwd_t;
+	allow sysadm_passwd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Execute useradd in the useradd domain.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 84f7a86..87514dd 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.0)
+policy_module(usermanage,1.0.1)
 
 ########################################
 #
@@ -136,10 +136,6 @@ optional_policy(`nis',`
 	nis_use_ypbind(chfn_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
-') dnl endif TODO
-
 ########################################
 #
 # Crack local policy
@@ -224,6 +220,7 @@ init_dontaudit_write_script_pid(groupadd_t)
 domain_use_wide_inherit_fd(groupadd_t)
 
 files_manage_etc_files(groupadd_t)
+files_relabel_etc_files(groupadd_t)
 
 libs_use_ld_so(groupadd_t)
 libs_use_shared_libs(groupadd_t)
@@ -237,6 +234,7 @@ logging_send_syslog_msg(groupadd_t)
 miscfiles_read_localization(groupadd_t)
 
 auth_manage_shadow(groupadd_t)
+auth_relabel_shadow(groupadd_t)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
 
@@ -259,14 +257,6 @@ optional_policy(`rpm',`
 	rpm_rw_pipe(groupadd_t)
 ')
 
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Access terminals.
-ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
-') dnl end TODO
-
 ########################################
 #
 # Passwd local policy
@@ -310,6 +300,7 @@ term_use_all_user_ttys(passwd_t)
 term_use_all_user_ptys(passwd_t)
 
 auth_manage_shadow(passwd_t)
+auth_relabel_shadow(passwd_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(passwd_t)
@@ -320,6 +311,7 @@ files_read_etc_runtime_files(passwd_t)
 files_manage_etc_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
+files_relabel_etc_files(passwd_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
@@ -335,6 +327,9 @@ miscfiles_read_localization(passwd_t)
 seutil_dontaudit_search_config(passwd_t)
 
 userdom_use_unpriv_users_fd(passwd_t)
+# make sure that getcon succeeds
+userdom_getattr_all_userdomains(passwd_t)
+userdom_read_all_userdomains_state(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_all_users_home(passwd_t)
@@ -343,19 +338,6 @@ optional_policy(`nis',`
 	nis_use_ypbind(passwd_t)
 ')
 
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Inherit and use descriptors from login.
-ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file read;
-allow passwd_t userdomain:process getattr;
-') dnl endif TODO
-
 ########################################
 #
 # Password admin local policy
@@ -403,7 +385,10 @@ term_use_all_user_ttys(sysadm_passwd_t)
 term_use_all_user_ptys(sysadm_passwd_t)
 
 auth_manage_shadow(sysadm_passwd_t)
+auth_relabel_shadow(sysadm_passwd_t)
 
+# allow checking if a shell is executable
+corecmd_check_exec_shell(sysadm_passwd_t)
 # allow vipw to exec the editor
 corecmd_search_sbin(sysadm_passwd_t)
 corecmd_exec_bin(sysadm_passwd_t)
@@ -413,6 +398,7 @@ files_read_usr_files(sysadm_passwd_t)
 domain_use_wide_inherit_fd(sysadm_passwd_t)
 
 files_manage_etc_files(sysadm_passwd_t)
+files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
 files_dontaudit_search_pids(sysadm_passwd_t)
@@ -439,24 +425,6 @@ optional_policy(`nis',`
 	nis_use_ypbind(sysadm_passwd_t)
 ')
 
-ifdef(`TODO',`
-role sysadm_r types sysadm_passwd_t;
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-# Inherit and use descriptors from login.
-ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
-
-# allow checking if a shell is executable
-allow sysadm_passwd_t shell_exec_t:file execute;
-
-# Update /etc/shadow and /etc/passwd
-allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-')
-') dnl endif TODO
-
 ########################################
 #
 # Useradd local policy
@@ -494,6 +462,7 @@ term_use_all_user_ttys(useradd_t)
 term_use_all_user_ptys(useradd_t)
 
 auth_manage_shadow(useradd_t)
+auth_relabel_shadow(useradd_t)
 auth_rw_lastlog(useradd_t)
 auth_use_nsswitch(useradd_t)
 
@@ -506,6 +475,7 @@ domain_use_wide_inherit_fd(useradd_t)
 
 files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
+files_relabel_etc_files(useradd_t)
 
 init_use_fd(useradd_t)
 init_rw_script_pid(useradd_t)
@@ -542,14 +512,3 @@ optional_policy(`rpm',`
 	rpm_use_fd(useradd_t)
 	rpm_rw_pipe(useradd_t)
 ')
-
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Access terminals.
-ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
-
-# /var/mail is a link to /var/spool/mail
-allow useradd_t mail_spool_t:lnk_file read;
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 7edc7a3..d558496 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -418,10 +418,6 @@ optional_policy(`udev', `
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(httpd_t)
-')
-
 can_tcp_connect(web_client_domain, httpd_t)
 
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index cb041f4..59e8d3f 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -230,7 +230,4 @@ optional_policy(`cron',`
 
 r_dir_file(apmd_t, hwdata_t)
 
-optional_policy(`rhgb',`
-	rhgb_domain(apmd_t)
-')
 ')
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
index 49a3b38..74e4d5c 100644
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -114,9 +114,3 @@ optional_policy(`udev',`
 	udev_read_db(arpwatch_t)
 ')
 
-ifdef(`TODO',`
-# TODO from daemon_domain
-optional_policy(`rhgb',`
-	rhgb_domain(arpwatch_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index ca5e534..c26bede 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -108,8 +108,3 @@ optional_policy(`udev',`
 	udev_read_db(avahi_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(avahi_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index e41fed1..f5e2d15 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -181,9 +181,6 @@ ifdef(`TODO',`
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
 can_tcp_connect(domain, named_t)
-optional_policy(`rhgb',`
-	rhgb_domain(named_t)
-')
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 3bed3e6..b17758d 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -158,12 +158,6 @@ optional_policy(`udev',`
 	udev_read_db(bluetooth_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(bluetooth_t)
-')
-') dnl end TOOD
-
 ########################################
 #
 # Bluetooth helper local policy
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index 105671c..afbab29 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -107,10 +107,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(canna_t)
-')
-
 optional_policy(`canna',`
 	canna_stream_connect(i18n_input_t)
 ')
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index 2a067e0..02aa896 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -73,12 +73,6 @@ optional_policy(`udev',`
 	udev_read_db(cpucontrol_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cpucontrol_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # CPU frequency scaling daemons
@@ -132,9 +126,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(cpuspeed_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cpuspeed_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 250af7c..7f106b9 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -200,10 +200,6 @@ ifdef(`TODO',`
 # NB The constraints file has some entries for crond_t, this makes it
 # different from all other domains...
 
-optional_policy(`rhgb',`
-rhgb_domain(crond_t)
-')
-
 # crond tries to search /root.  Not sure why.
 allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index b84ecd6..b1a3cf3 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -226,9 +226,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cupsd_t)
-')
 allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
 allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
 allow cupsd_t kernel_t:tcp_socket recvfrom;
@@ -377,13 +374,6 @@ optional_policy(`udev',`
 	udev_read_db(ptal_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ptal_t)
-')
-') dnl end TODO
-
-
 allow userdomain ptal_t:unix_stream_socket connectto;
 allow userdomain ptal_var_run_t:sock_file write;
 allow userdomain ptal_var_run_t:dir search;
@@ -491,12 +481,6 @@ optional_policy(`udev',`
 	udev_read_db(hplip_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(hplip_t)
-')
-') dnl end TODO
-
 allow hplip_t devpts_t:dir search;
 allow hplip_t devpts_t:chr_file { getattr ioctl };
 
@@ -627,12 +611,6 @@ optional_policy(`udev',`
 	udev_read_db(cupsd_config_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cupsd_config_t)
-')
-') dnl end TODO
-
 allow cupsd_config_t devpts_t:dir search;
 allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
 
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 0a40f25..fa3c897 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -140,9 +140,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(cyrus_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cyrus_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 71bbbd8..e54be52 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -139,9 +139,3 @@ optional_policy(`sysnetwork',`
 optional_policy(`udev',`
 	udev_read_db(system_dbusd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(system_dbusd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index c13ddbf..0ad9809 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -138,9 +138,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(dhcpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(dhcpd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index 60b402b..c13cf87 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -101,9 +101,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(dictd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(dictd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 5728da1..c84cd3a 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -107,9 +107,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(distccd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(distccd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 2315bca..6955ca3 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -185,9 +185,3 @@ optional_policy(`nis',`
 optional_policy(`nscd',`
 	nscd_use_socket(dovecot_auth_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(dovecot_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index a82e455..6af68c3 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -131,12 +131,6 @@ optional_policy(`udev',`
 	udev_read_db(fingerd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(fingerd_t)
-')
-')
-
 # stop it accessing sub-directories, prevents checking a Maildir for new mail,
 # have to change this when we create a type for Maildir
 dontaudit fingerd_t user_home_t:dir search;
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 8b44ff0..1490fb1 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -220,9 +220,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev', `
 	udev_read_db(ftpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ftpd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 296f97f..4ff3699 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -95,7 +95,4 @@ ifdef(`TODO',`
 # Access the mouse.
 # cjp: why write?
 allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
-optional_policy(`rhgb',`
-	rhgb_domain(gpm_t)
-')
 ')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 1a4d53e..4234ace 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -183,10 +183,6 @@ optional_policy(`updfstab',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(hald_t)
-')
-
 allow hald_t device_t:dir create_dir_perms;
 
 optional_policy(`hald',`
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index 1a858ea..5673c90 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -92,9 +92,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(howl_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(howl_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 00e089e..37de543 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -155,12 +155,6 @@ ifdef(`targeted_policy',`
 	')
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(inetd_t)
-')
-') dnl TODO
-
 ########################################
 #
 # inetd child local_policy
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index ba6218e..cc15668 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -144,10 +144,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(innd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(innd_t)
-')
-allow innd_t sysadm_t:unix_dgram_socket sendto;
-')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 33e41a7..852efe5 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -148,12 +148,6 @@ optional_policy(`udev',`
 	udev_read_db(kadmind_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(kadmind_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # Krb5kdc local policy
@@ -254,10 +248,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(krb5kdc_t)
-')
-
 # Allow user programs to talk to KDC
 allow krb5kdc_t userdomain:udp_socket recvfrom;
 allow userdomain krb5kdc_t:udp_socket recvfrom;
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 0f535ff..973a7d3 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -148,9 +148,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(slapd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(slapd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index 9c1943b..976f754 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -233,10 +233,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(lpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(lpd_t)
-')
-') dnl end TODO
-
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 39a289a..6a23c8d 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -141,9 +141,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(mysqld_t)
-')
 optional_policy(`daemontools',`
 	domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
 	mysqld_signal(svc_start_t)
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index b225a40..d70bbea 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -143,12 +143,6 @@ optional_policy(`vpn',`
 	vpn_domtrans(NetworkManager_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(NetworkManager_t)
-')
-') dnl end TODO
-
 ###########################################################
 #
 # Partially converted rules.  THESE ARE ONLY TEMPORARY
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 9228e0f..282ab38 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -130,12 +130,6 @@ optional_policy(`udev',`
 	udev_read_db(ypbind_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ypbind_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # ypserv local policy
@@ -228,10 +222,6 @@ optional_policy(`udev', `
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb', `
-rhgb_domain(ypserv_t)
-')
-
 # Read and write /var/yp.
 ifdef(`rpcd.te', `
 allow rpcd_t ypserv_conf_t:file { getattr read };
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 437c54c..ff3eedf 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -133,9 +133,3 @@ optional_policy(`samba',`
 optional_policy(`udev',`
 	udev_read_db(nscd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(nscd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 71dfd7f..2752ca5 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -161,9 +161,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ntpd_t)
-')
 allow ntpd_t sysadm_t:udp_socket sendto;
 allow sysadm_t ntpd_t:udp_socket recvfrom;
 
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index bd8a790..d55ed99 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.0.1)
+policy_module(pegasus,1.0.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(pegasus_t,pegasus_exec_t)
 type pegasus_data_t;
 files_type(pegasus_data_t)
 
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
 type pegasus_conf_t;
 files_type(pegasus_conf_t)
 
@@ -29,30 +32,37 @@ files_pid_file(pegasus_var_run_t)
 
 allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
 dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
 allow pegasus_t self:fifo_file rw_file_perms;
 allow pegasus_t self:unix_dgram_socket create_socket_perms;
 allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
-allow pegasus_t pegasus_conf_t:dir r_dir_perms;
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
 allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
 allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
 
 allow pegasus_t pegasus_data_t:dir rw_dir_perms;
 allow pegasus_t pegasus_data_t:file create_file_perms;
 allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
+type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
 
 allow pegasus_t pegasus_mof_t:dir r_dir_perms;
 allow pegasus_t pegasus_mof_t:file r_file_perms;
 allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
 
+allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
+allow pegasus_t pegasus_tmp_t:file create_file_perms;
+files_create_tmp_files(pegasus_t, pegasus_tmp_t, { file dir })
+
 allow pegasus_t pegasus_var_run_t:file create_file_perms;
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
 allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
 files_create_pid(pegasus_t,pegasus_var_run_t)
 
 kernel_read_kernel_sysctl(pegasus_t)
+kernel_read_fs_sysctl(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
 
@@ -76,7 +86,7 @@ fs_search_auto_mountpoints(pegasus_t)
 term_dontaudit_use_console(pegasus_t)
 
 auth_use_nsswitch(pegasus_t)
-auth_read_shadow(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
 
 domain_use_wide_inherit_fd(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
@@ -122,16 +132,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(pegasus_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(pegasus_t)
-')
-') dnl end TODO
-
-# bad rules
-type pegasus_conf_exec_t, entry_type;
-files_type(pegasus_conf_exec_t)
-allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
-allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index a10db69..b3c0188 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -133,10 +133,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(portmap_t)
-')
-
 ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
 allow portmap_t rpcd_t:udp_socket sendto;
 allow rpcd_t portmap_t:udp_socket recvfrom;
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index b4e17cb..fad6075 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -185,9 +185,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(postgresql_t)
-')
 ifdef(`targeted_policy', `', `
 bool allow_user_postgresql_connect false;
 
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 01d6808..3f55df5 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -316,15 +316,6 @@ optional_policy(`udev',`
         udev_read_db(pptp_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(pppd_t)
-')
-optional_policy(`rhgb',`
-        rhgb_domain(pptp_t)
-')
-')
-
 ifdef(`postfix.te', `
 	allow pppd_t postfix_etc_t:dir search;
 	allow pppd_t postfix_etc_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index cad3ab7..f112cb0 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -95,9 +95,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(privoxy_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(privoxy_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 0d808de..cb79790 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -130,9 +130,3 @@ optional_policy(`snmp',`
 optional_policy(`udev',`
 	udev_read_db(radiusd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(radiusd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index 0592642..b5b07b2 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -94,9 +94,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(radvd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(radvd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 4d92875..705944d 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -113,12 +113,6 @@ template(`rpc_domain_template', `
 	optional_policy(`udev',`
 		udev_read_db($1_t)
 	')
-
-	ifdef(`TODO',`
-		optional_policy(`rhgb',`
-			rhgb_domain($1_t)
-		')
-	')
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 193a788..f4536be 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -308,12 +308,6 @@ optional_policy(`udev', `
 	udev_read_db(smbd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(smbd_t)
-')
-') dnl end TODO
-
 ifdef(`hide_broken_symptoms', `
 gen_require(`
 	type boot_t, default_t, tmpfs_t;
@@ -428,12 +422,6 @@ optional_policy(`udev',`
 	udev_read_db(nmbd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(nmbd_t)
-')
-')
-
 ########################################
 #
 # smbmount Local policy
@@ -640,12 +628,6 @@ optional_policy(`udev',`
 	udev_read_db(winbind_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(winbind_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # Winbind helper local policy
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index ed6dac6..514a0a2 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -99,10 +99,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(saslauthd_t)
 ')
-
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(saslauthd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 1b19f5b..593d14f 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -136,10 +136,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(sendmail_t)
-')
-
 allow sendmail_t etc_mail_t:dir rw_dir_perms;
 allow sendmail_t etc_mail_t:file create_file_perms;
 # for the start script to run make -C /etc/mail
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 3635a35..6b194b3 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -149,10 +149,6 @@ can_udp_send(snmpd_t, sysadm_t)
 optional_policy(`cupsd',`
 	allow snmpd_t cupsd_rw_etc_t:file { getattr read };
 ')
-
-optional_policy(`rhgb',`
-	rhgb_domain(snmpd_t)
-')
 ') dnl end TODO
 
 ifdef(`distro_redhat', `
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index d246dda..6ea4919 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -146,10 +146,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(spamd_t)
-')
-
 optional_policy(`amavis', `
 # for bayes tokens
 allow spamd_t var_lib_t:dir { getattr search };
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index f449403..f4cc464 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -177,9 +177,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(squid_t)
-')
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index c9d3bfa..d7b84d7 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -255,10 +255,4 @@ ifdef(`targeted_policy',`',`
 	optional_policy(`udev',`
 		udev_read_db(ssh_keygen_t)
 	')
-
-	ifdef(`TODO',`
-	optional_policy(`rhgb',`
-		rhgb_domain(ssh_keygen_t)
-	')
-	')
 ')
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index d6c7168..f274d29 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -113,13 +113,7 @@ ifdef(`distro_gentoo', `
 	optional_policy(`udev',`
         	udev_read_db(stunnel_t)
 	')
-
-	ifdef(`TODO',`
-	optional_policy(`rhgb',`
-        	rhgb_domain(stunnel_t)
-	')
-	') dnl end TODO
-', `
+',`
 	allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 	dev_read_urand(stunnel_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 77e8716..af3268f 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -104,9 +104,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev', `
         udev_read_db(tftpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-        rhgb_domain(tftpd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 42a145a..7a5b4be 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -131,9 +131,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(zebra_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(zebra_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 4fcad8d..ed33f9f 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -368,14 +368,18 @@ interface(`auth_manage_shadow',`
 ')
 
 #######################################
-#
-# auth_relabelto_shadow(domain)
+## <summary>
+##	Relabel to the shadow
+##	password file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
 interface(`auth_relabelto_shadow',`
 	gen_require(`
 		attribute can_relabelto_shadow_passwords;
 		type shadow_t;
-		class file relabelto;
 	')
 
 	files_search_etc($1)
@@ -385,6 +389,26 @@ interface(`auth_relabelto_shadow',`
 
 #######################################
 ## <summary>
+##	Relabel from and to the shadow
+##	password file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_relabel_shadow',`
+	gen_require(`
+		attribute can_relabelto_shadow_passwords;
+		type shadow_t;
+	')
+
+	files_search_etc($1)
+	allow $1 shadow_t:file { relabelfrom relabelto };
+	typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+#######################################
+## <summary>
 ##	Append to the login failure log.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 2099669..eea835a 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -253,10 +253,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(pam_console_t)
-')
-
 ifdef(`xdm.te', `
 	allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 9c1a4bc..f56f161 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -87,11 +87,3 @@ optional_policy(`udev',`
 optional_policy(`userdomain',`
 	userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hwclock_t)
-')
-
-optional_policy(`gnome-pty-helper', `allow hwclock_t sysadm_gph_t:fd use;')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 9a9a820..c43fa98 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -894,9 +894,11 @@ interface(`files_mounton_all_mountpoints',`
 	gen_require(`
 		attribute mountpoint;
 		class dir { getattr search mounton };
+		class file { getattr mounton };
 	')
 
 	allow $1 mountpoint:dir { getattr search mounton };
+	allow $1 mountpoint:file { getattr mounton };
 ')
 
 ########################################
@@ -1333,6 +1335,23 @@ interface(`files_exec_etc_files',`
 
 ')
 
+#######################################
+## <summary>
+##	Relabel from and to generic files in /etc.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_relabel_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir list_dir_perms;
+	allow $1 etc_t:file { relabelfrom relabelto };
+')
+
 ########################################
 #
 # files_create_boot_flag(domain)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index c0d6199..1928763 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -203,12 +203,3 @@ optional_policy(`udev',`
 optional_policy(`updfstab',`
 	updfstab_domtrans(hotplug_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hotplug_t)
-')
-
-dontaudit hotplug_t { init_t kernel_t }:file read;
-
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 89b7b65..cc6d402 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -141,12 +141,6 @@ optional_policy(`udev',`
 	udev_read_db(ipsec_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ipsec_t)
-')
-')
-
 ########################################
 #
 # ipsec_mgmt Local policy
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 85e6ef5..c1ea3db 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -102,13 +102,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(iptables_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(iptables_t)
-')
-
-optional_policy(`gnome-pty-helper',`
-	allow iptables_t sysadm_gph_t:fd use;
-')
-') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index e30e46c..309379c 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -175,12 +175,6 @@ optional_policy(`udev',`
 	udev_read_db(auditd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(auditd_t)
-')
-') dnl endif TODO
-
 ########################################
 #
 # klogd local policy
@@ -380,12 +374,7 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(syslogd_t)
-')
-
 allow syslogd_t tmpfs_t:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 
 # log to the xconsole
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 3fe62a3..6fadbbc 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -117,12 +117,6 @@ optional_policy(`udev',`
 	udev_read_db(clvmd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(clvmd_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # LVM Local policy
@@ -270,11 +264,5 @@ ifdef(`TODO',`
 allow lvm_t var_t:dir { search getattr };
 allow lvm_t ramfs_t:filesystem unmount;
 
-optional_policy(`gnome-pty-helper',`
-	allow lvm_t sysadm_gph_t:fd use;
-')
-optional_policy(`rhgb',`
-rhgb_domain(lvm_t)
-')
 dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 391eaab..82ae9be 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -141,13 +141,4 @@ ifdef(`TODO',`
 
 # for when /etc/mtab loses its type
 allow mount_t file_t:file unlink;
-
-ifdef(`gnome-pty-helper.te', `
-allow mount_t sysadm_gph_t:fd use;
-')
-
-optional_policy(`rhgb',`
-rhgb_domain(mount_t)
-')
-
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index a415bd8..2a63867 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -147,12 +147,6 @@ optional_policy(`udev',`
 	udev_read_db(cardmgr_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cardmgr_t)
-')
-') dnl end TODO
-
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
 allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 96a96d4..1611c40 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -88,7 +88,4 @@ ifdef(`TODO',`
 dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
 
 allow mdadm_t var_t:dir getattr;
-optional_policy(`rhgb',`
-	rhgb_domain(mdadm_t)
-')
 ') dnl TODO
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 59e2632..8347a59 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -244,12 +244,6 @@ optional_policy(`userdomain',`
 	userdom_use_all_user_fd(dhcpc_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(dhcpc_t)
-')
-') dnl endif TODO
-
 ########################################
 #
 # Ifconfig local policy
@@ -343,10 +337,3 @@ optional_policy(`nis',`
 optional_policy(`ppp',`
 	ppp_use_fd(ifconfig_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-optional_policy(`rhgb',`
-rhgb_domain(ifconfig_t)
-')
-') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7b55339..b653070 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2478,6 +2478,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
 
 ########################################
 ## <summary>
+##	Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_read_all_userdomains_state',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:dir search_dir_perms;
+	allow $1 userdomain:file r_file_perms;
+	kernel_search_proc($1)
+')
+
+########################################
+## <summary>
+##	Get the attributes of all user domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_getattr_all_userdomains',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process getattr;
+')
+
+########################################
+## <summary>
 ##	Inherit the file descriptors from all user domains
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index d7927f3..c7950a8 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.0.1)
+policy_module(userdomain,1.0.2)
 
 ########################################
 #
@@ -295,6 +295,7 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`usermanage',`
+		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 	')