diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 772c47e..2333701 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -14,6 +14,7 @@
 - Fix errors uncovered by sediff.
 - Added policies:
 	anaconda
+	apache
 	apm
 	arpwatch
 	bluetooth
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 58d5924..4f75c58 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1038,6 +1038,22 @@ interface(`kernel_rw_modprobe_sysctl',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search generic kernel sysctls.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`kernel_dontaudit_search_kernel_sysctl',`
+	gen_require(`
+		type sysctl_kernel_t;
+	')
+
+	dontaudit $1 sysctl_kernel_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Read generic kernel sysctls.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 2042a31..402bac2 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -18,7 +18,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
 /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 0543cff..bb43dde 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -84,6 +84,9 @@ template(`apache_content_template',`
 	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
 	files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
 
+	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+
 	dev_read_rand(httpd_$1_script_t)
 	dev_read_urand(httpd_$1_script_t)
 
@@ -106,20 +109,11 @@ template(`apache_content_template',`
 
 	seutil_dontaudit_search_config(httpd_$1_script_t)
 
-	ifdef(`targeted_policy',`
-		tunable_policy(`httpd_enable_cgi && httpd_unified && ! httpd_disable_trans',`
-			allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
-			allow httpd_$1_script_t httpdcontent:file create_file_perms;
-			allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
-			can_exec(httpd_$1_script_t, httpdcontent)
-		')
-	',`
-		tunable_policy(`httpd_enable_cgi && httpd_unified',`
-			allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
-			allow httpd_$1_script_t httpdcontent:file create_file_perms;
-			allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
-			can_exec(httpd_$1_script_t, httpdcontent)
-		')
+	tunable_policy(`httpd_enable_cgi && httpd_unified',`
+		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
+		allow httpd_$1_script_t httpdcontent:file create_file_perms;
+		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+		can_exec(httpd_$1_script_t, httpdcontent)
 	')
 
 	tunable_policy(`allow_httpd_$1_script_anon_write',`
@@ -147,6 +141,16 @@ template(`apache_content_template',`
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
+		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+
+		# privileged users run the script:
+		domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow httpd_exec_scripts httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t httpd_exec_scripts:fd use;
+		allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
+		allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
+
+		# apache runs the script:
 		domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 		allow httpd_t httpd_$1_script_t:fd use;
 		allow httpd_$1_script_t httpd_t:fd use;
@@ -215,21 +219,6 @@ template(`apache_content_template',`
 	optional_policy(`nscd.te',`
 		nscd_use_socket(httpd_$1_script_t)
 	')
-
-	ifdef(`TODO',`
-	#
-	# If a user starts a script by hand it gets the proper context
-	#
-	ifdef(`targeted_policy', `', `
-	if (httpd_enable_cgi) {
-	domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-	}
-	')
-	role sysadm_r types httpd_$1_script_t;
-
-	dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-	dontaudit httpd_$1_script_t sysctl_t:dir search;
-	') dnl end TODO
 ')
 
 #######################################
@@ -262,6 +251,7 @@ template(`apache_per_userdomain_template', `
 
 	apache_content_template($1)
 
+	typeattribute httpd_$1_content_t httpd_script_domains;
 #	typeattribute httpd_$1_content_t $1_file_type;
 
 	role $3 types httpd_$1_script_t;
@@ -290,39 +280,23 @@ template(`apache_per_userdomain_template', `
 	allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
 	allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
 
-	ifdef(`targeted_policy',`
-		tunable_policy(`httpd_enable_cgi',`
-			domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
-			allow $2 httpd_$1_script_t:fd use;
-			allow httpd_$1_script_t $2:fd use;
-			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
-			allow httpd_$1_script_t $2:process sigchld;
-		')
+	tunable_policy(`httpd_enable_cgi',`
+		# If a user starts a script by hand it gets the proper context
+		domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow $2 httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t $2:fd use;
+		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+		allow httpd_$1_script_t $2:process sigchld;
+	')
 
-		tunable_policy(`httpd_enable_cgi && httpd_unified',`
-			domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
-			allow $2 httpd_$1_script_t:fd use;
-			allow httpd_$1_script_t $2:fd use;
-			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
-			allow httpd_$1_script_t $2:process sigchld;
-		')
-	',`
-		tunable_policy(`httpd_enable_cgi',`
-			# If a user starts a script by hand it gets the proper context
-			domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
-			allow $2 httpd_$1_script_t:fd use;
-			allow httpd_$1_script_t $2:fd use;
-			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
-			allow httpd_$1_script_t $2:process sigchld;
-		')
+	tunable_policy(`httpd_enable_cgi && httpd_unified',`
+		allow httpd_$1_script_t httpdcontent:file entrypoint;
 
-		tunable_policy(`httpd_enable_cgi && httpd_unified',`
-			domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
-			allow $2 httpd_$1_script_t:fd use;
-			allow httpd_$1_script_t $2:fd use;
-			allow httpd_$1_script_t $2:fifo_file rw_file_perms;
-			allow httpd_$1_script_t $2:process sigchld;
-		')
+		domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
+		allow $2 httpd_$1_script_t:fd use;
+		allow httpd_$1_script_t $2:fd use;
+		allow httpd_$1_script_t $2:fifo_file rw_file_perms;
+		allow httpd_$1_script_t $2:process sigchld;
 	')
 
 	# allow accessing files/dirs below the users home dir
@@ -405,6 +379,40 @@ interface(`apache_use_fd',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read and write Apache
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_dontaudit_rw_stream_socket',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	TCP sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_dontaudit_rw_tcp_socket',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	dontaudit $1 httpd_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	apache configuration files.
 ## </summary>
@@ -506,7 +514,7 @@ interface(`apache_dontaudit_append_log',`
 		type httpd_log_t;
 	')
 
-	dontaudit $1 httpd_log_t:file append;
+	dontaudit $1 httpd_log_t:file { getattr append };
 ')
 
 ########################################
@@ -574,3 +582,95 @@ interface(`apache_domtrans_sys_script',`
 		allow httpd_sys_script_t $1:process sigchld;
 	')
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	system script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_dontaudit_rw_sys_script_stream_socket',`
+	gen_require(`
+		type httpd_sys_script_t;
+	')
+
+	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Execute all user scripts in the user
+##	script domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_domtrans_all_scripts',`
+	gen_require(`
+		attribute httpd_exec_scripts;
+	')
+
+	typeattribute $1 httpd_exec_scripts;
+')
+
+########################################
+## <summary>
+##	Execute all user scripts in the user
+##	script domain.  Add user script domains
+##	to the specified role.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="role">
+##	The role to be allowed the script domains.
+## </param>
+#
+# cjp: this is missing the terminal since scripts
+# do not output to the terminal
+interface(`apache_run_all_scripts',`
+	gen_require(`
+		attribute httpd_exec_scripts, httpd_script_domains;
+	')
+
+	role $2 types httpd_script_domains;
+	apache_domtrans_all_scripts($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache squirrelmail data.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_read_squirrelmail_data',`
+	gen_require(`
+		type httpd_squirrelmail_t;
+	')
+
+	allow $1 httpd_squirrelmail_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	apache squirrelmail data.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_append_squirrelmail_data',`
+	gen_require(`
+		type httpd_squirrelmail_t;
+	')
+
+	allow $1 httpd_squirrelmail_t:file { getattr append };
+')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index e0d79b4..80755b2 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -22,9 +22,16 @@ policy_module(apache,1.0)
 
 attribute httpdcontent;
 
+# domains that can exec all users scripts
+attribute httpd_exec_scripts;
+
+# user script domains
+attribute httpd_script_domains;
+
 type httpd_t;
 type httpd_exec_t;
 init_daemon_domain(httpd_t,httpd_exec_t)
+role system_r types httpd_t;
 
 # httpd_cache_t is the type given to the /var/cache/httpd
 # directory and the files under that directory
@@ -36,11 +43,10 @@ type httpd_config_t;
 files_type(httpd_config_t)
 
 type httpd_helper_t;
-domain_type(httpd_helper_t)
-role system_r types httpd_helper_t;
-
 type httpd_helper_exec_t;
+domain_type(httpd_helper_t)
 domain_entry_file(httpd_helper_t,httpd_helper_exec_t)
+role system_r types httpd_helper_t;
 
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
@@ -54,11 +60,10 @@ type httpd_modules_t;
 files_type(httpd_modules_t)
 
 type httpd_php_t;
-domain_type(httpd_php_t)
-role system_r types httpd_php_t;
-
 type httpd_php_exec_t;
+domain_type(httpd_php_t)
 domain_entry_file(httpd_php_t,httpd_php_exec_t)
+role system_r types httpd_php_t;
 
 type httpd_php_tmp_t;
 files_tmp_file(httpd_php_tmp_t)
@@ -68,11 +73,10 @@ files_type(httpd_squirrelmail_t)
 
 # SUEXEC runs user scripts as their own user ID
 type httpd_suexec_t; #, daemon;
-domain_type(httpd_suexec_t)
-role system_r types httpd_suexec_t;
-
 type httpd_suexec_exec_t;
+domain_type(httpd_suexec_t)
 domain_entry_file(httpd_suexec_t,httpd_suexec_exec_t)
+role system_r types httpd_suexec_t;
 
 type httpd_suexec_tmp_t;
 files_tmp_file(httpd_suexec_tmp_t)
@@ -89,12 +93,11 @@ files_tmpfs_file(httpd_tmpfs_t)
 # Unconfined domain for apache scripts.
 # Only to be used as a last resort
 type httpd_unconfined_script_t;
+type httpd_unconfined_script_exec_t; # customizable
 domain_type(httpd_unconfined_script_t)
+domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
 role system_r types httpd_unconfined_script_t;
 
-type httpd_unconfined_script_exec_t; # customizable
-files_type(httpd_unconfined_script_exec_t)
-
 # for apache2 memory mapped files
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
@@ -178,15 +181,15 @@ allow httpd_t httpd_tmp_t:dir create_dir_perms;
 allow httpd_t httpd_tmp_t:file create_file_perms;
 files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
 
-allow httpd_t httpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow httpd_t httpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow httpd_t httpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow httpd_t httpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow httpd_t httpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
+allow httpd_t httpd_tmpfs_t:file create_file_perms;
+allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
+allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
+allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
 fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 allow httpd_t httpd_var_lib_t:file create_file_perms;
-allow httpd_t httpd_var_lib_t:dir create_dir_perms;
+allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
 files_create_var_lib(httpd_t,httpd_var_lib_t)
 
 allow httpd_t httpd_var_run_t:file create_file_perms;
@@ -341,6 +344,14 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_ssi_exec',`
+	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
+	allow httpd_t httpd_sys_script_t:fd use;
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
+')
+
 # When the admin starts the server, the server wants to access
 # the TTY or PTY associated with the session. The httpd appears
 # to run correctly without this permission, so the permission
@@ -391,10 +402,6 @@ optional_policy(`rhgb.te',`
 
 can_tcp_connect(web_client_domain, httpd_t)
 
-allow httpd_t home_root_t:dir getattr;
-dontaudit httpd_t sysadm_home_dir_t:dir getattr;
-allow httpd_sys_script_t var_spool_t:dir getattr;
-
 ifdef(`targeted_policy',`
 	if (httpd_enable_homedirs) {
 		allow httpd_t user_home_dir_t:dir { getattr search };
@@ -406,14 +413,6 @@ ifdef(`targeted_policy',`
 		allow httpd_suexec_t user_home_dir_t:dir { getattr search };
 	}
 ')
-
-optional_policy(`mta.te',`
-	# apache should set close-on-exec
-	dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-	dontaudit system_mail_t httpd_log_t:file { append getattr };
-	allow system_mail_t httpd_squirrelmail_t:file { append read };
-	dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
 ') dnl end TODO
 
 ########################################
@@ -434,6 +433,8 @@ allow httpd_helper_t httpd_log_t:file append;
 libs_use_ld_so(httpd_helper_t)
 libs_use_shared_libs(httpd_helper_t)
 
+logging_send_syslog_msg(httpd_helper_t)
+
 ########################################
 #
 # Apache PHP script local policy
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index eb91503..4c9ad48 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -254,10 +254,16 @@ interface(`mta_mailserver_delivery',`
 #
 interface(`mta_mailserver_user_agent',`
 	gen_require(`
-		attribute mailserver_user_agent;
+		attribute mta_user_agent;
 	')
 
-	typeattribute $1 mailserver_user_agent;
+	typeattribute $1 mta_user_agent;
+
+	optional_policy(`apache.te',`
+		# apache should set close-on-exec
+		apache_dontaudit_rw_stream_socket($1)
+		apache_dontaudit_rw_sys_script_stream_socket($1)
+	')
 ')
 
 #######################################
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 98733d3..07b40e9 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -119,6 +119,17 @@ ifdef(`targeted_policy',`
 	')
 ')
 
+optional_policy(`apache.te',`
+	apache_read_squirrelmail_data(system_mail_t)
+	apache_append_squirrelmail_data(system_mail_t)
+
+	# apache should set close-on-exec
+	apache_dontaudit_append_log(system_mail_t)
+	apache_dontaudit_rw_stream_socket(system_mail_t)
+	apache_dontaudit_rw_tcp_socket(system_mail_t)
+	apache_dontaudit_rw_sys_script_stream_socket(system_mail_t)
+')
+
 optional_policy(`cron.te',`
 	cron_read_system_job_tmp_files(system_mail_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 45dafca..1aa37fb 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -122,7 +122,7 @@ ifdef(`targeted_policy',`
 
 	optional_policy(`apache.te',`
 		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
-		# cjp: why is this not run
+		#apache_run_all_scripts(sysadm_t,sysadm_r)
 		#apache_domtrans_sys_script(sysadm_t)
 	')