diff --git a/policy-20070703.patch b/policy-20070703.patch index 1444c4b..8047f56 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -7053,6 +7053,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi sysnet_read_config(radiusd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.0.6/policy/modules/services/remotelogin.te +--- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-06-11 16:05:30.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/services/remotelogin.te 2007-08-28 11:20:57.000000000 -0400 +@@ -85,6 +85,7 @@ + + miscfiles_read_localization(remote_login_t) + ++userdom_read_all_users_home_dirs_symlinks(remote_login_t) + userdom_use_unpriv_users_fds(remote_login_t) + userdom_search_all_users_home_content(remote_login_t) + # Only permit unprivileged user domains to be entered via rlogin, diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.6/policy/modules/services/rhgb.te --- nsaserefpolicy/policy/modules/services/rhgb.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/services/rhgb.te 2007-08-22 08:03:53.000000000 -0400 @@ -8165,7 +8176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.6/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/services/ssh.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/services/ssh.te 2007-08-28 11:18:37.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. 
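Review bot: The added `userdom_read_all_users_home_dirs_symlinks(remote_login_t)` line in remotelogin.te has no comment saying why a login domain needs to read the links of every `home_dir_type`. The same bare call is added for `sshd_t` in ssh.te and for `local_login_t` in locallogin.te. Because the grant is unconditional and covers all users' home-directory links, I would put a one-line rationale above each call, for example `# home directories may be symlinks; the login domain must read the link to reach the real directory`. In ssh.te the call sits between the corenet block and the `tunable_policy` block, so it is easy to miss when auditing what sshd can touch under /home. The surrounding policy blocks continue outside these hunks.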
@@ -8184,7 +8195,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_search_key(sshd_t) kernel_link_key(sshd_t) -@@ -100,6 +102,11 @@ +@@ -80,6 +82,8 @@ + corenet_tcp_bind_xserver_port(sshd_t) + corenet_sendrecv_xserver_server_packets(sshd_t) + ++userdom_read_all_users_home_dirs_symlinks(sshd_t) ++ + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to +@@ -100,6 +104,11 @@ userdom_use_unpriv_users_ptys(sshd_t) ') @@ -8196,7 +8216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -119,7 +126,12 @@ +@@ -119,7 +128,12 @@ ') optional_policy(` @@ -10023,7 +10043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.6/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/locallogin.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/locallogin.te 2007-08-28 11:20:41.000000000 -0400 @@ -97,6 +97,11 @@ term_setattr_all_user_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t) @@ -10036,7 +10056,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) auth_manage_pam_console_data(local_login_t) -@@ -160,6 +165,15 @@ +@@ -130,6 +135,7 @@ + + miscfiles_read_localization(local_login_t) + ++userdom_read_all_users_home_dirs_symlinks(local_login_t) + userdom_spec_domtrans_all_users(local_login_t) + userdom_signal_all_users(local_login_t) + userdom_search_all_users_home_content(local_login_t) +@@ -160,6 +166,15 @@ ') optional_policy(` 
@@ -10052,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall gpm_getattr_gpmctl(local_login_t) gpm_setattr_gpmctl(local_login_t) ') -@@ -178,13 +192,18 @@ +@@ -178,13 +193,18 @@ ') optional_policy(` @@ -11067,7 +11095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.6/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/selinuxutil.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/selinuxutil.te 2007-08-28 11:34:21.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.6.2) @@ -11138,7 +11166,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -361,7 +369,7 @@ +@@ -343,6 +351,8 @@ + + miscfiles_read_localization(restorecond_t) + ++userdom_read_all_users_home_dirs_symlinks(restorecond_t) ++ + optional_policy(` + rpm_use_script_fds(restorecond_t) + ') +@@ -361,7 +371,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -11147,7 +11184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -375,6 +383,7 @@ +@@ -375,6 +385,7 @@ term_dontaudit_list_ptys(run_init_t) auth_domtrans_chk_passwd(run_init_t) 
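Review bot: `userdom_read_all_users_home_dirs_symlinks(restorecond_t)` in selinuxutil.te goes beyond the changelog entry, which mentions only login programs. restorecond is a relabeling daemon, not a login program, so the reason it needs to read home-directory links should be stated next to the call. A possible comment is `# restorecond watches paths under user home directories, which may be reached through a symlink`, but that wording is inferred, so please confirm the actual need. If the access was added only to silence a denial, a `dontaudit` rule would be the narrower choice.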
@@ -11155,7 +11192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) -@@ -431,7 +440,7 @@ +@@ -431,7 +442,7 @@ allow semanage_t self:capability { dac_override audit_write }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; @@ -11164,7 +11201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu allow semanage_t policy_config_t:file { read write }; -@@ -442,7 +451,10 @@ +@@ -442,7 +453,10 @@ kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) @@ -11175,7 +11212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dev_read_urand(semanage_t) -@@ -465,6 +477,8 @@ +@@ -465,6 +479,8 @@ # Running genhomedircon requires this for finding all users auth_use_nsswitch(semanage_t) @@ -11184,7 +11221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -@@ -488,6 +502,17 @@ +@@ -488,6 +504,17 @@ # netfilter_contexts: seutil_manage_default_contexts(semanage_t) @@ -11202,7 +11239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -515,6 +540,8 @@ +@@ -515,6 +542,8 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; 
@@ -11211,7 +11248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -531,6 +558,7 @@ +@@ -531,6 +560,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) @@ -11219,7 +11256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -586,6 +614,10 @@ +@@ -586,6 +616,10 @@ ifdef(`hide_broken_symptoms',` optional_policy(` @@ -11789,9 +11826,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') + +corecmd_exec_all_executables(unconfined_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.6/policy/modules/system/userdomain.fc +--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-05-29 14:10:58.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/userdomain.fc 2007-08-28 11:11:29.000000000 -0400 +@@ -1,4 +1,5 @@ + HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) ++HOME_DIR -l gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) + HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) + + /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.6/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/userdomain.if 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/userdomain.if 2007-08-28 11:17:43.000000000 -0400 @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; 
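Review bot: The new `HOME_DIR -l` entry in userdomain.fc labels only the link object itself as `ROLE_home_dir_t`; nothing in this hunk adds contexts for the directory the link points to. As far as the visible lines show, `HOME_DIR/.+` is still matched against the path under the link. Whether files at the target's real path end up as `ROLE_home_t` therefore depends on contexts defined elsewhere. I would note this in the file, e.g. `# symlinked home directory: labels the link only, the target tree needs its own contexts`, so an administrator who relocates homes knows to check the labels on the target.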
@@ -12386,15 +12432,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1024,20 +1120,12 @@ - kernel_dontaudit_read_ring_buffer($1_t) - ') - -- # Allow users to run TCP servers (bind to ports and accept connection from -- # the same domain and outside users) disabling this forces FTP passive mode -- # and may change other protocols -- tunable_policy(`user_tcp_server',` -- corenet_tcp_bind_all_nodes($1_t) +@@ -1029,15 +1125,7 @@ + # and may change other protocols + tunable_policy(`user_tcp_server',` + corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) - ') - @@ -12404,11 +12445,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - optional_policy(` - loadkeys_run($1_t,$1_r,$1_tty_device_t) -+ # Allow users to run TCP servers (bind to ports and accept connection from -+ # the same domain and outside users) disabling this forces FTP passive mode -+ # and may change other protocols -+ tunable_policy(`user_tcp_server',` -+ corenet_tcp_bind_all_nodes($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) ') 
@@ -12462,17 +12498,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1902,6 +1985,41 @@ - - ######################################## - ## -+## dontaudit attemps to Create files -+## in a user home subdirectory. +@@ -1817,27 +1900,62 @@ + ## + ## + ## +-## Domain to transition to. ++## Domain to transition to. ++## ++## ++# ++template(`userdom_user_home_domtrans',` ++ gen_require(` ++ type $1_home_dir_t, $1_home_t; ++ ') ++ ++ files_search_home($2) ++ allow $2 $1_home_dir_t:dir search_dir_perms; ++ domain_auto_trans($2,$1_home_t,$3) ++') ++ ++######################################## ++## ++## Do not audit attempts to list user home subdirectories. +## +## +##

-+## Create, read, write, and delete directories -+## in a user home subdirectory. ++## Do not audit attempts to list user home subdirectories. +##

+##

+## This is a templated interface, and should only @@ -12487,23 +12538,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +##

++## Domain to not audit + ## + ## + # +-template(`userdom_user_home_domtrans',` ++template(`userdom_dontaudit_list_user_home_dirs',` + gen_require(` +- type $1_home_dir_t, $1_home_t; ++ type $1_home_dir_t; + ') + +- files_search_home($2) +- allow $2 $1_home_dir_t:dir search_dir_perms; +- domain_auto_trans($2,$1_home_t,$3) ++ dontaudit $2 $1_home_dir_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to list user home subdirectories. ++## Create, read, write, and delete directories ++## in a user home subdirectory. + ## + ## + ##

+-## Do not audit attempts to list user home subdirectories. ++## Create, read, write, and delete directories ++## in a user home subdirectory. + ##

+ ##

+ ## This is a templated interface, and should only +@@ -1852,21 +1970,22 @@ + ## + ## + ##

+-## Domain to not audit +## Domain allowed access. -+## -+## -+# + ##
+ ## + # +-template(`userdom_dontaudit_list_user_home_dirs',` ++template(`userdom_manage_user_home_content_dirs',` + gen_require(` +- type $1_home_dir_t; ++ type $1_home_dir_t, $1_home_t; + ') + +- dontaudit $2 $1_home_dir_t:dir list_dir_perms; ++ files_search_home($2) ++ manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) + ') + + ######################################## + ## +-## Create, read, write, and delete directories ++## dontaudit attemps to Create files + ## in a user home subdirectory. + ## + ## +@@ -1891,13 +2010,12 @@ + ## + ## + # +-template(`userdom_manage_user_home_content_dirs',` +template(`userdom_dontaudit_create_user_home_content_files',` -+ gen_require(` + gen_require(` +- type $1_home_dir_t, $1_home_t; + type $1_home_dir_t; -+ ') -+ + ') + +- files_search_home($2) +- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) + dontaudit $2 $1_home_dir_t:file create; -+') -+ -+######################################## -+## - ## Do not audit attempts to set the - ## attributes of user home files. - ## + ') + + ######################################## @@ -3078,7 +3196,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` @@ -12513,7 +12623,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5323,7 +5441,7 @@ +@@ -4615,6 +4733,24 @@ + files_list_home($1) + allow $1 home_dir_type:dir search_dir_perms; + ') ++######################################## ++## ++## Read all users home directories symlinks. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_all_users_home_dirs_symlinks',` ++ gen_require(` ++ attribute home_dir_type; ++ ') ++ ++ files_list_home($1) ++ allow $1 home_dir_type:lnk_file read_lnk_file_perms; ++') + + ######################################## + ## +@@ -5323,7 +5459,7 @@ attribute user_tmpfile; ') 
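Review bot: The summary line added for `userdom_dontaudit_create_user_home_content_files` reads `dontaudit attemps to Create files`, which has a typo and does not match the wording of the neighbouring summaries. I would write it as `Do not audit attempts to create files`, followed by the existing `in a user home subdirectory.` line. The rule itself is `dontaudit $2 $1_home_dir_t:file create;`, which names the home-directory type, so it is worth checking that "subdirectory" in the summary is what is meant. The template's parameter documentation lies outside this hunk.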
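Review bot: `userdom_read_all_users_home_dirs_symlinks` calls `files_list_home($1)`, which lets the caller list the home root, although resolving a link there should need only search on that directory. `files_search_home($1)`, already used by templates earlier in this file, would be the narrower grant. The call appears to be copied from the interface directly above, which pairs `files_list_home` with `search_dir_perms`, so confirm whether listing is really required before narrowing it. The new block also starts straight after the preceding `')` with no blank line before the `####` separator, unlike the other interfaces in the file.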
@@ -12522,7 +12657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5677,280 @@ +@@ -5559,3 +5695,280 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index e80025e..a5247a9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.7 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -362,6 +362,9 @@ exit 0 %endif %changelog +* Tue Aug 28 2007 Dan Walsh 3.0.7-2 +- Allow login programs to read symlinks on homedirs + * Mon Aug 27 2007 Dan Walsh 3.0.7-1 - Update an readd modules