Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain	2011-10-24 13:26:35.236337023 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if	2011-10-24 13:26:35.756337065 -0400
Dan Walsh 2a89df
@@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',`
Dan Walsh 2a89df
 	role $2 types useradd_t;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Add/remove user home directories
Dan Walsh 2a89df
-	userdom_manage_home_role($2, useradd_t)
Dan Walsh 2a89df
+	userdom_manage_home_role($2)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	seutil_run_semanage(useradd_t, $2)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain	2011-10-24 13:26:35.711337061 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-24 13:26:35.757337065 -0400
Dan Walsh 37b75a
@@ -517,7 +517,7 @@ seutil_domtrans_setfiles(useradd_t)
Dan Walsh 2a89df
 userdom_use_unpriv_users_fds(useradd_t)
Dan Walsh 2a89df
 # Add/remove user home directories
Dan Walsh 2a89df
 userdom_home_filetrans_user_home_dir(useradd_t)
Dan Walsh 2a89df
-userdom_manage_home_role(system_r, useradd_t)
Dan Walsh 2a89df
+userdom_manage_home(useradd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 mta_manage_spool(useradd_t)
Dan Walsh 2a89df
 
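Review bot: Replacing `userdom_manage_home_role(system_r, useradd_t)` with `userdom_manage_home(useradd_t)` keeps the domain rules but silently drops the `role system_r types { user_home_type user_home_dir_t }` association that the old two-argument interface produced. The same substitution is made for rshd_t, sshd_t, sssd_t and xdm_t in the rshd.te, ssh.te, sssd.te and xserver.te hunks below, and for the tmp/tmpfs role associations there. If system_r already carries those role/type associations from another module this is harmless, but nothing in this patch shows it; otherwise a single `userdom_manage_home_role(system_r)` (plus the tmp/tmpfs equivalents) in one system-wide place, or a comment stating why system_r no longer needs them, would make the intent explicit.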
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain	2011-10-24 13:26:35.736337064 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if	2011-10-24 13:26:35.757337065 -0400
Dan Walsh 2a89df
@@ -57,8 +57,6 @@ template(`execmem_role_template',`
Dan Walsh 2a89df
 	role $2 types $1_execmem_t;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	userdom_unpriv_usertype($1, $1_execmem_t)
Dan Walsh 2a89df
-	userdom_manage_tmp_role($2, $1_execmem_t)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($2, $1_execmem_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	allow $1_execmem_t self:process { execmem execstack };
Dan Walsh 2a89df
 	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
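Review bot: The `userdom_manage_tmp_role` and `userdom_manage_tmpfs_role` calls for `$1_execmem_t` are removed with no `userdom_manage_tmp($1_execmem_t)` / `userdom_manage_tmpfs($1_execmem_t)` replacement, unlike the java, mono, wine and wm templates in this patch, which keep the domain half. Presumably the access now arrives through the `$1_usertype` attribute set up by `userdom_unpriv_usertype($1, $1_execmem_t)`, but that is not visible from this hunk. A one-line comment at the removal site, `# user tmp/tmpfs access is granted through $1_usertype`, would stop the next reader from treating this as a lost grant. The template body continues outside the hunk.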
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain	2011-10-24 13:26:35.255337024 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/java.if	2011-10-24 13:26:35.758337065 -0400
Dan Walsh 2a89df
@@ -73,7 +73,8 @@ template(`java_role_template',`
Dan Walsh 2a89df
 	domain_interactive_fd($1_java_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	userdom_unpriv_usertype($1, $1_java_t)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($2, $1_java_t)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($2)
Dan Walsh 2a89df
+	userdom_manage_tmpfs($1_java_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
Dan Walsh 2a89df
 
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain	2011-10-24 13:26:35.261337025 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if	2011-10-24 13:26:35.759337065 -0400
Dan Walsh 2a89df
@@ -49,7 +49,8 @@ template(`mono_role_template',`
Dan Walsh 2a89df
 	corecmd_bin_domtrans($1_mono_t, $1_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	userdom_unpriv_usertype($1, $1_mono_t)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($2, $1_mono_t)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($2)
Dan Walsh 2a89df
+	userdom_manage_tmpfs($1_mono_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
Dan Walsh 2a89df
 		xserver_role($1_r, $1_mono_t)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain	2011-10-24 13:26:35.262337026 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if	2011-10-24 13:26:35.760337065 -0400
Dan Walsh 2a89df
@@ -51,7 +51,7 @@ interface(`mozilla_role',`
Dan Walsh 2a89df
 	mozilla_run_plugin(mozilla_t, $1)
Dan Walsh 2a89df
 	mozilla_dbus_chat($2)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	userdom_manage_tmp_role($1, mozilla_t)
Dan Walsh 2a89df
+	userdom_manage_tmp_role($1)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
Dan Walsh 2a89df
 		nsplugin_role($1, mozilla_t)
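Review bot: `userdom_manage_tmp_role($1, mozilla_t)` becomes the role-only `userdom_manage_tmp_role($1)`, but no matching `userdom_manage_tmp(mozilla_t)` appears anywhere in this patch (there is no mozilla.te section between the mozilla.if and nsplugin.if sections), whereas nsplugin and pulseaudio receive the domain half in their .te hunks. If mozilla.te already grants user tmp management by another route this is fine; otherwise mozilla_t loses the manage, relabel and filetrans rights the old call carried. Either add `userdom_manage_tmp(mozilla_t)` to mozilla.te or note at this line where the grant now comes from. The interface body continues outside the hunk.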
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain	2011-10-24 13:26:35.267337026 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if	2011-10-24 13:26:35.762337066 -0400
Dan Walsh 2a89df
@@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', `
Dan Walsh 2a89df
 	userdom_use_inherited_user_terminals(nsplugin_t)
Dan Walsh 2a89df
 	userdom_use_inherited_user_terminals(nsplugin_config_t)
Dan Walsh 2a89df
 	userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($1, nsplugin_t)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($1)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
Dan Walsh 2a89df
 		pulseaudio_role($1, nsplugin_t)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain	2011-10-24 13:26:35.267337026 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te	2011-10-24 13:26:35.763337066 -0400
Dan Walsh 37b75a
@@ -281,6 +281,7 @@ userdom_search_user_home_content(nsplugi
Dan Walsh 2a89df
 userdom_read_user_home_content_symlinks(nsplugin_config_t)
Dan Walsh 2a89df
 userdom_read_user_home_content_files(nsplugin_config_t)
Dan Walsh 2a89df
 userdom_dontaudit_search_admin_dir(nsplugin_config_t)
Dan Walsh 2a89df
+userdom_manage_tmpfs(nsplugin_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 tunable_policy(`use_nfs_home_dirs',`
Dan Walsh 2a89df
 	fs_getattr_nfs(nsplugin_t)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain	2011-10-24 13:26:35.270337026 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if	2011-10-24 13:26:35.763337066 -0400
Dan Walsh 2a89df
@@ -35,9 +35,9 @@ interface(`pulseaudio_role',`
Dan Walsh 2a89df
 	allow pulseaudio_t $2:unix_stream_socket connectto;
Dan Walsh 2a89df
 	allow $2 pulseaudio_t:unix_stream_socket connectto;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	userdom_manage_home_role($1, pulseaudio_t)
Dan Walsh 2a89df
-	userdom_manage_tmp_role($1, pulseaudio_t)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($1, pulseaudio_t)
Dan Walsh 2a89df
+	userdom_manage_home_role($1)
Dan Walsh 2a89df
+	userdom_manage_tmp_role($1)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($1)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	allow $2 pulseaudio_t:dbus send_msg;
Dan Walsh 2a89df
 	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain	2011-10-24 13:26:35.271337026 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te	2011-10-24 13:26:35.764337066 -0400
Dan Walsh 2a89df
@@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 miscfiles_read_localization(pulseaudio_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
+userdom_manage_home(pulseaudio_t)
Dan Walsh 2a89df
+userdom_manage_tmp(pulseaudio_t)
Dan Walsh 2a89df
+userdom_manage_tmpfs(pulseaudio_t)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 optional_policy(`
Dan Walsh 2a89df
 	alsa_read_rw_config(pulseaudio_t)
Dan Walsh 2a89df
 ')
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain	2011-10-24 13:26:35.285337027 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if	2011-10-24 13:26:35.765337066 -0400
Dan Walsh 6554bb
@@ -294,7 +294,7 @@ template(`userhelper_console_role_templa
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	auth_use_pam($1_consolehelper_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($2, $1_consolehelper_t)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($2)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
Dan Walsh 2a89df
 		dbus_connect_session_bus($1_consolehelper_t)
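Review bot: The domain half of this split is added in userhelper.te as `userdom_manage_tmpfs(consolehelper_domain)`, so `$1_consolehelper_t` keeps tmpfs access only if it is a member of the `consolehelper_domain` attribute; that membership is established outside this hunk and cannot be confirmed here. If it is, a comment on this line, `# tmpfs manage rules come via consolehelper_domain in userhelper.te`, documents the dependency; if not, `userdom_manage_tmpfs($1_consolehelper_t)` belongs next to the role call, as in the java, mono and wine templates. The template body continues outside the hunk.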
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain	2011-10-24 13:26:35.285337027 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te	2011-10-24 13:26:35.766337066 -0400
Dan Walsh 2a89df
@@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain)
Dan Walsh 2a89df
 userdom_use_user_ptys(consolehelper_domain)
Dan Walsh 2a89df
 userdom_use_user_ttys(consolehelper_domain)
Dan Walsh 2a89df
 userdom_read_user_home_content_files(consolehelper_domain)
Dan Walsh 2a89df
+userdom_manage_tmpfs(consolehelper_domain)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 optional_policy(`
Dan Walsh 2a89df
 	gnome_read_gconf_home_files(consolehelper_domain)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain	2011-10-24 13:26:35.289337027 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if	2011-10-24 13:26:35.766337066 -0400
Dan Walsh 2a89df
@@ -105,7 +105,8 @@ template(`wine_role_template',`
Dan Walsh 2a89df
 	corecmd_bin_domtrans($1_wine_t, $1_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	userdom_unpriv_usertype($1, $1_wine_t)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($2, $1_wine_t)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($2)
Dan Walsh 2a89df
+	userdom_manage_tmpfs($1_wine_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	domain_mmap_low($1_wine_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain	2011-10-24 13:26:35.291337027 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/apps/wm.if	2011-10-24 13:26:35.767337066 -0400
Dan Walsh 2a89df
@@ -77,9 +77,13 @@ template(`wm_role_template',`
Dan Walsh 2a89df
 	miscfiles_read_fonts($1_wm_t)
Dan Walsh 2a89df
 	miscfiles_read_localization($1_wm_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	userdom_manage_home_role($2, $1_wm_t)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($2, $1_wm_t)
Dan Walsh 2a89df
-	userdom_manage_tmp_role($2, $1_wm_t)
Dan Walsh 2a89df
+	userdom_manage_home_role($2)
Dan Walsh 2a89df
+	userdom_manage_home($1_wm_t)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($2)
Dan Walsh 2a89df
+	userdom_manage_tmpfs($1_wm_t)
Dan Walsh 2a89df
+	userdom_manage_tmp_role($2)
Dan Walsh 2a89df
+	userdom_manage_tmp($1_wm_t)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	userdom_exec_user_tmp_files($1_wm_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain	2011-10-24 13:26:35.739337064 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te	2011-10-24 13:26:35.768337066 -0400
Dan Walsh 37b75a
@@ -61,7 +61,8 @@ sysnet_filetrans_named_content(sysadm_t)
Dan Walsh 6554bb
 # Add/remove user home directories
Dan Walsh 6554bb
 userdom_manage_user_home_dirs(sysadm_t)
Dan Walsh 6554bb
 userdom_home_filetrans_user_home_dir(sysadm_t)
Dan Walsh 6554bb
-userdom_manage_tmp_role(sysadm_r, sysadm_t)
Dan Walsh 6554bb
+userdom_manage_tmp_role(sysadm_r)
Dan Walsh 6554bb
+userdom_manage_tmp(sysadm_t)
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 optional_policy(`
Dan Walsh 37b75a
 	alsa_filetrans_named_content(sysadm_t)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain	2011-10-24 13:26:35.740337064 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te	2011-10-24 13:26:35.777337067 -0400
Dan Walsh 2a89df
@@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true)
Dan Walsh 2a89df
 # calls is not correct, however we dont currently
Dan Walsh 2a89df
 # have another method to add access to these types
Dan Walsh 2a89df
 userdom_base_user_template(unconfined)
Dan Walsh 2a89df
-userdom_manage_home_role(unconfined_r, unconfined_t)
Dan Walsh 2a89df
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
Dan Walsh 2a89df
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
Dan Walsh 2a89df
+userdom_manage_home_role(unconfined_r)
Dan Walsh 2a89df
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file sock_file fifo_file })
Dan Walsh 2a89df
+userdom_manage_tmp_role(unconfined_r)
Dan Walsh 2a89df
+userdom_manage_tmp(unconfined_t)
Dan Walsh 2a89df
+userdom_manage_tmpfs_role(unconfined_r)
Dan Walsh 2a89df
+userdom_manage_tmpfs(unconfined_t)
Dan Walsh 2a89df
 userdom_unpriv_usertype(unconfined, unconfined_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 type unconfined_exec_t;
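Review bot: The home split is asymmetric with the tmp and tmpfs splits in the same hunk: `userdom_manage_home_role(unconfined_r, unconfined_t)` is replaced by the role call plus `userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file sock_file fifo_file })`, whereas the tmp and tmpfs lines get `userdom_manage_tmp(unconfined_t)` and `userdom_manage_tmpfs(unconfined_t)`. That presumably relies on unconfined_t obtaining home-directory rights elsewhere so that only the default file transition is needed here, but the hunk does not say so. A comment on the filetrans line, `# unconfined_t already has full home access; only the default transition is needed here`, or the symmetric `userdom_manage_home(unconfined_t)` call, would make the choice deliberate.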
Dan Walsh 3dcdda
@@ -347,9 +350,13 @@ optional_policy(`
Dan Walsh 3dcdda
 	lpd_run_checkpc(unconfined_t, unconfined_r)
Dan Walsh 3dcdda
 ')
Dan Walsh 3dcdda
 
Dan Walsh 3dcdda
-#optional_policy(`
Dan Walsh 3dcdda
-#	mock_role(unconfined_r, unconfined_t)
Dan Walsh 3dcdda
-#')
Dan Walsh 3dcdda
+optional_policy(`
Dan Walsh 3dcdda
+	mock_role(unconfined_r, unconfined_t)
Dan Walsh 3dcdda
+')
Dan Walsh 3dcdda
+
Dan Walsh 3dcdda
+optional_policy(`
Dan Walsh 3dcdda
+	thumb_role(unconfined_r, unconfined_usertype)
Dan Walsh 3dcdda
+')
Dan Walsh 3dcdda
 
Dan Walsh 3dcdda
 optional_policy(`
Dan Walsh 3dcdda
 	modutils_run_update_mods(unconfined_t, unconfined_r)
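Review bot: `thumb_role(unconfined_r, unconfined_usertype)` passes the attribute while the re-enabled `mock_role(unconfined_r, unconfined_t)` directly above passes the single type, so the two new optional_policy blocks apply to different sets of domains; if that difference is intended, a short comment on the thumb_role line saying why every unconfined usertype needs it would help. The mock_role block was previously commented out and is uncommented here with no note on what changed to allow it again. The enclosing sequence of optional_policy blocks continues outside the hunk.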
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain	2011-10-24 13:26:35.572337050 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/services/rshd.te	2011-10-24 13:26:35.769337066 -0400
Dan Walsh 2a89df
@@ -66,7 +66,7 @@ seutil_read_config(rshd_t)
Dan Walsh 2a89df
 seutil_read_default_contexts(rshd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 userdom_search_user_home_content(rshd_t)
Dan Walsh 2a89df
-userdom_manage_tmp_role(system_r, rshd_t)
Dan Walsh 2a89df
+userdom_manage_tmp(rshd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 tunable_policy(`use_nfs_home_dirs',`
Dan Walsh 2a89df
 	fs_read_nfs_files(rshd_t)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain	2011-10-24 13:26:35.601337052 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/services/ssh.if	2011-10-24 13:26:35.770337066 -0400
Dan Walsh 2a89df
@@ -380,7 +380,7 @@ template(`ssh_role_template',`
Dan Walsh 2a89df
 	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
Dan Walsh 2a89df
 	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
Dan Walsh 2a89df
 	userdom_search_user_home_dirs($1_t)
Dan Walsh 2a89df
-	userdom_manage_tmp_role($2, ssh_t)
Dan Walsh 2a89df
+	userdom_manage_tmp(ssh_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	##############################
Dan Walsh 2a89df
 	#
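Review bot: Inside `ssh_role_template`, `userdom_manage_tmp_role($2, ssh_t)` is replaced by the domain-only `userdom_manage_tmp(ssh_t)`, which drops the `role $2 types user_tmp_t` association the old call gave the user role and at the same time duplicates the `userdom_manage_tmp(ssh_t)` that the ssh.te hunk in this patch now adds unconditionally. The consistent form, matching the mozilla.if and nsplugin.if hunks, is `userdom_manage_tmp_role($2)` here with the domain grant only in ssh.te. The template body continues outside the hunk.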
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain	2011-10-24 13:26:35.602337053 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/services/ssh.te	2011-10-24 13:26:35.771337066 -0400
Dan Walsh 2a89df
@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t)
Dan Walsh 2a89df
 userdom_write_user_tmp_files(ssh_t)
Dan Walsh 2a89df
 userdom_read_user_home_content_symlinks(ssh_t)
Dan Walsh 2a89df
 userdom_read_home_certs(ssh_t)
Dan Walsh 2a89df
+userdom_manage_tmp(ssh_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 tunable_policy(`allow_ssh_keysign',`
Dan Walsh 2a89df
 	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
Dan Walsh 6554bb
@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 userdom_read_user_home_content_files(sshd_t)
Dan Walsh 2a89df
 userdom_read_user_home_content_symlinks(sshd_t)
Dan Walsh 2a89df
-userdom_manage_tmp_role(system_r, sshd_t)
Dan Walsh 2a89df
+userdom_manage_tmp(sshd_t)
Dan Walsh 2a89df
 userdom_spec_domtrans_unpriv_users(sshd_t)
Dan Walsh 2a89df
 userdom_signal_unpriv_users(sshd_t)
Dan Walsh 2a89df
 userdom_dyntransition_unpriv_users(sshd_t)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain	2011-10-24 13:26:35.603337053 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/services/sssd.te	2011-10-24 13:26:35.772337066 -0400
Dan Walsh 37b75a
@@ -93,7 +93,7 @@ miscfiles_read_generic_certs(sssd_t)
Dan Walsh 2a89df
 sysnet_dns_name_resolve(sssd_t)
Dan Walsh 2a89df
 sysnet_use_ldap(sssd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-userdom_manage_tmp_role(system_r, sssd_t)
Dan Walsh 2a89df
+userdom_manage_tmp(sssd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 optional_policy(`
Dan Walsh 2a89df
 	dbus_system_bus_client(sssd_t)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain	2011-10-24 13:26:35.746337064 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-10-24 13:26:35.773337067 -0400
Dan Walsh 2a89df
@@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t)
Dan Walsh 2a89df
 userdom_manage_user_tmp_dirs(xdm_t)
Dan Walsh 2a89df
 userdom_manage_user_tmp_files(xdm_t)
Dan Walsh 2a89df
 userdom_manage_user_tmp_sockets(xdm_t)
Dan Walsh 2a89df
-userdom_manage_tmpfs_role(system_r, xdm_t)
Dan Walsh 2a89df
+userdom_manage_tmpfs(xdm_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 application_signal(xdm_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain	2011-10-24 13:26:35.749337065 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-10-24 13:27:29.940341512 -0400
Dan Walsh 2a89df
@@ -35,21 +35,14 @@ template(`userdom_base_user_template',`
Dan Walsh 2a89df
 	type $1_t, userdomain, $1_usertype;
Dan Walsh 2a89df
 	domain_type($1_t)
Dan Walsh 2a89df
 	role $1_r;
Dan Walsh 2a89df
-	corecmd_shell_entry_type($1_t)
Dan Walsh 2a89df
-	corecmd_bin_entry_type($1_t)
Dan Walsh 2a89df
 	domain_user_exemption_target($1_t)
Dan Walsh 2a89df
 	ubac_constrained($1_t)
Dan Walsh 2a89df
 	role $1_r types $1_t;
Dan Walsh 2a89df
 	allow system_r $1_r;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	term_user_pty($1_t, user_devpts_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	term_user_tty($1_t, user_tty_device_t)
Dan Walsh 2a89df
-	term_dontaudit_getattr_generic_ptys($1_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
 	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
Dan Walsh 2a89df
 	allow $1_usertype $1_usertype:fd use;
Dan Walsh 2a89df
-	allow $1_usertype $1_t:key { create view read write search link setattr };
Dan Walsh 2a89df
+	allow $1_usertype $1_usertype:key { create view read write search link setattr };
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
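Review bot: Changing `allow $1_usertype $1_t:key { ... }` to `allow $1_usertype $1_usertype:key { ... }` widens keyring access from "any usertype domain may use the login domain's keys" to "any usertype domain may create, read, write, setattr and link the keys of any other usertype domain"; every application domain placed in `$1_usertype` (the java, mono, wine, wm and execmem templates in this patch all call `userdom_unpriv_usertype`) can now reach the keyrings of every sibling domain, not just those of `$1_t`. That may be what is wanted, but it is a permission increase with no comment. Either keep the target as `$1_t` and add only the specific rule that motivated the change, or document it in place: `# all $1_usertype domains share keyrings; needed for <reason>`. The template body continues outside the hunk.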
Dan Walsh 2a89df
@@ -61,114 +54,7 @@ template(`userdom_base_user_template',`
Dan Walsh 2a89df
 	allow $1_usertype $1_usertype:context contains;
Dan Walsh 2a89df
 	dontaudit $1_usertype $1_usertype:socket create;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
Dan Walsh 2a89df
-	term_create_pty($1_usertype, user_devpts_t)
Dan Walsh 2a89df
-	# avoid annoying messages on terminal hangup on role change
Dan Walsh 2a89df
-	dontaudit $1_usertype user_devpts_t:chr_file ioctl;
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
Dan Walsh 2a89df
-	# avoid annoying messages on terminal hangup on role change
Dan Walsh 2a89df
-	dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	application_exec_all($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	kernel_read_kernel_sysctls($1_usertype)
Dan Walsh 2a89df
-	kernel_read_all_sysctls($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_list_unlabeled($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
Dan Walsh 2a89df
-	kernel_dontaudit_list_proc($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	dev_dontaudit_getattr_all_blk_files($1_usertype)
Dan Walsh 2a89df
-	dev_dontaudit_getattr_all_chr_files($1_usertype)
Dan Walsh 2a89df
-	dev_getattr_mtrr_dev($1_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	# When the user domain runs ps, there will be a number of access
Dan Walsh 2a89df
-	# denials when ps tries to search /proc. Do not audit these denials.
Dan Walsh 2a89df
-	domain_dontaudit_read_all_domains_state($1_usertype)
Dan Walsh 2a89df
-	domain_dontaudit_getattr_all_domains($1_usertype)
Dan Walsh 2a89df
-	domain_dontaudit_getsession_all_domains($1_usertype)
Dan Walsh 2a89df
-	dev_dontaudit_all_access_check($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	files_read_etc_files($1_usertype)
Dan Walsh 2a89df
-	files_list_mnt($1_usertype)
Dan Walsh 2a89df
-	files_list_var($1_usertype)
Dan Walsh 2a89df
-	files_read_mnt_files($1_usertype)
Dan Walsh 2a89df
-	files_dontaudit_access_check_mnt($1_usertype)
Dan Walsh 2a89df
-	files_read_etc_runtime_files($1_usertype)
Dan Walsh 2a89df
-	files_read_usr_files($1_usertype)
Dan Walsh 2a89df
-	files_read_usr_src_files($1_usertype)
Dan Walsh 2a89df
-	# Read directories and files with the readable_t type.
Dan Walsh 2a89df
-	# This type is a general type for "world"-readable files.
Dan Walsh 2a89df
-	files_list_world_readable($1_usertype)
Dan Walsh 2a89df
-	files_read_world_readable_files($1_usertype)
Dan Walsh 2a89df
-	files_read_world_readable_symlinks($1_usertype)
Dan Walsh 2a89df
-	files_read_world_readable_pipes($1_usertype)
Dan Walsh 2a89df
-	files_read_world_readable_sockets($1_usertype)
Dan Walsh 2a89df
-	# old broswer_domain():
Dan Walsh 2a89df
-	files_dontaudit_getattr_all_dirs($1_usertype)
Dan Walsh 2a89df
-	files_dontaudit_list_non_security($1_usertype)
Dan Walsh 2a89df
-	files_dontaudit_getattr_all_files($1_usertype)
Dan Walsh 2a89df
-	files_dontaudit_getattr_non_security_symlinks($1_usertype)
Dan Walsh 2a89df
-	files_dontaudit_getattr_non_security_pipes($1_usertype)
Dan Walsh 2a89df
-	files_dontaudit_getattr_non_security_sockets($1_usertype)
Dan Walsh 2a89df
-	files_dontaudit_setattr_etc_runtime_files($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	files_exec_usr_files($1_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	fs_list_cgroup_dirs($1_usertype)
Dan Walsh 2a89df
-	fs_dontaudit_rw_cgroup_files($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	storage_rw_fuse($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
 	auth_use_nsswitch($1_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	init_stream_connect($1_usertype)
Dan Walsh 2a89df
-	# The library functions always try to open read-write first,
Dan Walsh 2a89df
-	# then fall back to read-only if it fails. 
Dan Walsh 2a89df
-	init_dontaudit_rw_utmp($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	libs_exec_ld_so($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	logging_send_audit_msgs($1_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	miscfiles_read_localization($1_t)
Dan Walsh 2a89df
-	miscfiles_read_generic_certs($1_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	miscfiles_read_all_certs($1_usertype)
Dan Walsh 2a89df
-	miscfiles_read_localization($1_usertype)
Dan Walsh 2a89df
-	miscfiles_read_man_pages($1_usertype)
Dan Walsh 2a89df
-	miscfiles_read_public_files($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	systemd_dbus_chat_logind($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	tunable_policy(`allow_execmem',`
Dan Walsh 2a89df
-		# Allow loading DSOs that require executable stack.
Dan Walsh 2a89df
-		allow $1_t self:process execmem;
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	tunable_policy(`allow_execmem && allow_execstack',`
Dan Walsh 2a89df
-		# Allow making the stack executable via mprotect.
Dan Walsh 2a89df
-		allow $1_t self:process execstack;
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		abrt_stream_connect($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		fs_list_cgroup_dirs($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-	
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		ssh_rw_stream_sockets($1_usertype)
Dan Walsh 2a89df
-		ssh_delete_tmp($1_t)
Dan Walsh 2a89df
-		ssh_signal($1_t)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 #######################################
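Review bot: This hunk strips the pty/tty, kernel/dev/files dontaudit, application_exec_all, init, libs, logging, miscfiles, execmem-tunable and ssh optional blocks out of `userdom_base_user_template`, leaving only `auth_use_nsswitch($1_t)` after the self rules, and no hunk in this view adds them anywhere else; the `term_user_pty($1_t, user_devpts_t)` and `term_user_tty($1_t, user_tty_device_t)` calls were likewise removed in the previous hunk. Presumably they move into another template outside the visible part of the patch. If so, a one-line comment at the removal point, `# terminal, exec and read-only system access are now granted by <template name>`, lets a reader of this template find them; if not, every domain built only from the base template loses its terminal access and audit-message sending.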
Dan Walsh 2a89df
@@ -242,6 +128,22 @@ interface(`userdom_ro_home_role',`
Dan Walsh 2a89df
 ##	The user role
Dan Walsh 2a89df
 ##	</summary>
Dan Walsh 2a89df
 ## </param>
Dan Walsh 2a89df
+## <rolebase/>
Dan Walsh 2a89df
+#
Dan Walsh 2a89df
+interface(`userdom_manage_home_role',`
Dan Walsh 2a89df
+	gen_require(`
Dan Walsh 2a89df
+		type user_home_dir_t;
Dan Walsh 2a89df
+		attribute user_home_type;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	role $1 types { user_home_type user_home_dir_t };
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+#######################################
Dan Walsh 2a89df
+## <summary>
Dan Walsh 2a89df
+##	Allow a home directory for which the
Dan Walsh 2a89df
+##	role has full access.
Dan Walsh 2a89df
+## </summary>
Dan Walsh 2a89df
 ## <param name="userdomain">
Dan Walsh 2a89df
 ##	<summary>
Dan Walsh 2a89df
 ##	The user domain
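Review bot: The summary that now introduces `userdom_manage_home` (the added lines `##	Allow a home directory for which the` / `##	role has full access.`) still describes a role, but the interface below it takes only the `userdomain` parameter; in the next hunk the context line `## <rolebase/>` is also left in place above the `userdom_manage_home` definition even though it no longer takes a role. Suggest `##	Manage the user home directory and its contents.` for that summary and dropping the `<rolebase/>` tag from the domain interface, keeping it only on the new `userdom_manage_home_role`, so the generated interface documentation does not list a domain-only interface as a role interface.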
Dan Walsh 2a89df
@@ -249,61 +151,58 @@ interface(`userdom_ro_home_role',`
Dan Walsh 2a89df
 ## </param>
Dan Walsh 2a89df
 ## <rolebase/>
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
-interface(`userdom_manage_home_role',`
Dan Walsh 2a89df
+interface(`userdom_manage_home',`
Dan Walsh 2a89df
 	gen_require(`
Dan Walsh 2a89df
 		type user_home_t, user_home_dir_t;
Dan Walsh 2a89df
 		attribute user_home_type;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	role $1 types { user_home_type user_home_dir_t };
Dan Walsh 2a89df
-
Dan Walsh 2a89df
 	##############################
Dan Walsh 2a89df
 	#
Dan Walsh 2a89df
 	# Domain access to home dir
Dan Walsh 2a89df
 	#
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	type_member $2 user_home_dir_t:dir user_home_dir_t;
Dan Walsh 2a89df
+	type_member $1 user_home_dir_t:dir user_home_dir_t;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# full control of the home directory
Dan Walsh 2a89df
-	allow $2 user_home_t:dir mounton;
Dan Walsh 2a89df
-	allow $2 user_home_t:file entrypoint;
Dan Walsh 2a89df
+	allow $1 user_home_t:dir mounton;
Dan Walsh 2a89df
+	allow $1 user_home_t:file entrypoint;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
Dan Walsh 2a89df
-	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
Dan Walsh 2a89df
-	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
-	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
Dan Walsh 2a89df
-	files_list_home($2)
Dan Walsh 2a89df
+	allow $1 user_home_type:dir_file_class_set { relabelto relabelfrom };
Dan Walsh 2a89df
+	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
Dan Walsh 2a89df
+	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	relabel_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	relabel_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	relabel_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	relabel_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	relabel_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
Dan Walsh 2a89df
+	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
Dan Walsh 2a89df
+	files_list_home($1)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# cjp: this should probably be removed:
Dan Walsh 2a89df
-	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
Dan Walsh 2a89df
+	allow $1 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	tunable_policy(`use_nfs_home_dirs',`
Dan Walsh 2a89df
-		fs_mount_nfs($2)
Dan Walsh 2a89df
-		fs_mounton_nfs($2)
Dan Walsh 2a89df
-		fs_manage_nfs_dirs($2)
Dan Walsh 2a89df
-		fs_manage_nfs_files($2)
Dan Walsh 2a89df
-		fs_manage_nfs_symlinks($2)
Dan Walsh 2a89df
-		fs_manage_nfs_named_sockets($2)
Dan Walsh 2a89df
-		fs_manage_nfs_named_pipes($2)
Dan Walsh 2a89df
+		fs_mount_nfs($1)
Dan Walsh 2a89df
+		fs_mounton_nfs($1)
Dan Walsh 2a89df
+		fs_manage_nfs_dirs($1)
Dan Walsh 2a89df
+		fs_manage_nfs_files($1)
Dan Walsh 2a89df
+		fs_manage_nfs_symlinks($1)
Dan Walsh 2a89df
+		fs_manage_nfs_named_sockets($1)
Dan Walsh 2a89df
+		fs_manage_nfs_named_pipes($1)
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	tunable_policy(`use_samba_home_dirs',`
Dan Walsh 2a89df
-		fs_mount_cifs($2)
Dan Walsh 2a89df
-		fs_mounton_cifs($2)
Dan Walsh 2a89df
-		fs_manage_cifs_dirs($2)
Dan Walsh 2a89df
-		fs_manage_cifs_files($2)
Dan Walsh 2a89df
-		fs_manage_cifs_symlinks($2)
Dan Walsh 2a89df
-		fs_manage_cifs_named_sockets($2)
Dan Walsh 2a89df
-		fs_manage_cifs_named_pipes($2)
Dan Walsh 2a89df
+		fs_mount_cifs($1)
Dan Walsh 2a89df
+		fs_mounton_cifs($1)
Dan Walsh 2a89df
+		fs_manage_cifs_dirs($1)
Dan Walsh 2a89df
+		fs_manage_cifs_files($1)
Dan Walsh 2a89df
+		fs_manage_cifs_symlinks($1)
Dan Walsh 2a89df
+		fs_manage_cifs_named_sockets($1)
Dan Walsh 2a89df
+		fs_manage_cifs_named_pipes($1)
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
@@ -316,6 +215,21 @@ interface(`userdom_manage_home_role',`
Dan Walsh 2a89df
 ##	Role allowed access.
Dan Walsh 2a89df
 ##	</summary>
Dan Walsh 2a89df
 ## </param>
Dan Walsh 2a89df
+## <rolebase/>
Dan Walsh 2a89df
+#
Dan Walsh 2a89df
+interface(`userdom_manage_tmp_role',`
Dan Walsh 2a89df
+	gen_require(`
Dan Walsh 2a89df
+		attribute user_tmp_type;
Dan Walsh 2a89df
+		type user_tmp_t;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	role $1 types user_tmp_t;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+#######################################
Dan Walsh 2a89df
+## <summary>
Dan Walsh 2a89df
+##	Manage user temporary files
Dan Walsh 2a89df
+## </summary>
Dan Walsh 2a89df
 ## <param name="domain">
Dan Walsh 2a89df
 ##	<summary>
Dan Walsh 2a89df
 ##	Domain allowed access.
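Review bot: `gen_require` in the new `userdom_manage_tmp_role` pulls in `attribute user_tmp_type;` but the body only references `user_tmp_t`, so that require is dead; the same holds for `userdom_manage_tmpfs_role` in the hunk at @@ -424,6 +336,21 @@ (`attribute user_tmpfs_type;`). Trimming the block to `gen_require(` / `type user_tmp_t;` / `')` keeps the interface's declared dependencies honest. The `<summary>` for this role-only interface sits above the hunk and presumably still carries the old manage-tmp description; it should now say the interface only associates the role with `user_tmp_t`, with the domain-side rules living in `userdom_manage_tmp`.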
Dan Walsh 2a89df
@@ -323,27 +237,25 @@ interface(`userdom_manage_home_role',`
Dan Walsh 2a89df
 ## </param>
Dan Walsh 2a89df
 ## <rolebase/>
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
-interface(`userdom_manage_tmp_role',`
Dan Walsh 2a89df
+interface(`userdom_manage_tmp',`
Dan Walsh 2a89df
 	gen_require(`
Dan Walsh 2a89df
 		attribute user_tmp_type;
Dan Walsh 2a89df
 		type user_tmp_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	role $1 types user_tmp_t;
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	files_poly_member_tmp($2, user_tmp_t)
Dan Walsh 2a89df
+	files_poly_member_tmp($1, user_tmp_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	manage_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
Dan Walsh 2a89df
-	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
-	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	manage_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	files_tmp_filetrans($1, user_tmp_t, { dir file lnk_file sock_file fifo_file })
Dan Walsh 2a89df
+	relabel_dirs_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	relabel_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	relabel_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	relabel_sock_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
+	relabel_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 #######################################
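Review bot: `userdom_manage_tmp` no longer takes a role parameter, yet its doc block keeps the `## <rolebase/>` tag (context at the top of the hunk), which everywhere else on this page accompanies a role parameter; the renamed `userdom_manage_tmpfs` in the hunk at @@ -431,25 +358,23 @@ likewise keeps `## <rolecap/>`. Unless the doc tooling needs those tags on domain-only interfaces, dropping the two tag lines stops the generated docs from presenting these as role interfaces. The `files_poly_member_tmp($1, user_tmp_t)` and `files_tmp_filetrans(...)` lines still use `user_tmp_t`, so `type user_tmp_t;` correctly stays in `gen_require`.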
Dan Walsh 6554bb
@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',
Dan Walsh 2a89df
 ##	Role allowed access.
Dan Walsh 2a89df
 ##	</summary>
Dan Walsh 2a89df
 ## </param>
Dan Walsh 2a89df
+## <rolecap/>
Dan Walsh 2a89df
+#
Dan Walsh 2a89df
+interface(`userdom_manage_tmpfs_role',`
Dan Walsh 2a89df
+	gen_require(`
Dan Walsh 2a89df
+		attribute user_tmpfs_type;
Dan Walsh 2a89df
+		type user_tmpfs_t;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	role $1 types user_tmpfs_t;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+#######################################
Dan Walsh 2a89df
+## <summary>
Dan Walsh 2a89df
+##	Allow access for the user tmpfs type
Dan Walsh 2a89df
+## </summary>
Dan Walsh 2a89df
 ## <param name="domain">
Dan Walsh 2a89df
 ##	<summary>
Dan Walsh 2a89df
 ##	Domain allowed access.
Dan Walsh 6554bb
@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',
Dan Walsh 2a89df
 ## </param>
Dan Walsh 2a89df
 ## <rolecap/>
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
-interface(`userdom_manage_tmpfs_role',`
Dan Walsh 2a89df
+interface(`userdom_manage_tmpfs',`
Dan Walsh 2a89df
 	gen_require(`
Dan Walsh 2a89df
 		attribute user_tmpfs_type;
Dan Walsh 2a89df
 		type user_tmpfs_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	role $1 types user_tmpfs_t;
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
Dan Walsh 2a89df
-	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
-	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
Dan Walsh 2a89df
+	relabel_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	relabel_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	relabel_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	relabel_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
+	relabel_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 #######################################
Dan Walsh 6554bb
@@ -578,260 +503,31 @@ template(`userdom_change_password_templa
Dan Walsh 2a89df
 template(`userdom_common_user_template',`
Dan Walsh 2a89df
 	gen_require(`
Dan Walsh 2a89df
 		attribute unpriv_userdomain;
Dan Walsh 2a89df
+		attribute common_userdomain;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	userdom_basic_networking($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	##############################
Dan Walsh 2a89df
-	#
Dan Walsh 2a89df
-	# User domain Local policy
Dan Walsh 2a89df
-	#
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	# evolution and gnome-session try to create a netlink socket
Dan Walsh 2a89df
-	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
Dan Walsh 2a89df
-	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
Dan Walsh 2a89df
-	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
Dan Walsh 2a89df
-	allow $1_t self:socket create_socket_perms;
Dan Walsh 6554bb
-
Dan Walsh 2a89df
-	allow $1_usertype unpriv_userdomain:fd use;
Dan Walsh 6554bb
-
Dan Walsh 2a89df
-	kernel_read_system_state($1_usertype)
Dan Walsh 2a89df
-	kernel_read_network_state($1_usertype)
Dan Walsh 2a89df
-	kernel_read_software_raid_state($1_usertype)
Dan Walsh 2a89df
-	kernel_read_net_sysctls($1_usertype)
Dan Walsh 2a89df
-	# Very permissive allowing every domain to see every type:
Dan Walsh 2a89df
-	kernel_get_sysvipc_info($1_usertype)
Dan Walsh 2a89df
-	# Find CDROM devices:
Dan Walsh 2a89df
-	kernel_read_device_sysctls($1_usertype)
Dan Walsh 2a89df
-	kernel_request_load_module($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	corenet_udp_bind_generic_node($1_usertype)
Dan Walsh 2a89df
-	corenet_udp_bind_generic_port($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	dev_read_rand($1_usertype)
Dan Walsh 2a89df
-	dev_write_sound($1_usertype)
Dan Walsh 2a89df
-	dev_read_sound($1_usertype)
Dan Walsh 2a89df
-	dev_read_sound_mixer($1_usertype)
Dan Walsh 2a89df
-	dev_write_sound_mixer($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	files_exec_etc_files($1_usertype)
Dan Walsh 2a89df
-	files_search_locks($1_usertype)
Dan Walsh 2a89df
-	# Check to see if cdrom is mounted
Dan Walsh 2a89df
-	files_search_mnt($1_usertype)
Dan Walsh 2a89df
-	# cjp: perhaps should cut back on file reads:
Dan Walsh 2a89df
-	files_read_var_files($1_usertype)
Dan Walsh 2a89df
-	files_read_var_symlinks($1_usertype)
Dan Walsh 2a89df
-	files_read_generic_spool($1_usertype)
Dan Walsh 2a89df
-	files_read_var_lib_files($1_usertype)
Dan Walsh 2a89df
-	# Stat lost+found.
Dan Walsh 2a89df
-	files_getattr_lost_found_dirs($1_usertype)
Dan Walsh 2a89df
-	files_read_config_files($1_usertype)
Dan Walsh 2a89df
-	fs_read_noxattr_fs_files($1_usertype)
Dan Walsh 2a89df
-	fs_read_noxattr_fs_symlinks($1_usertype)
Dan Walsh 2a89df
-	fs_rw_cgroup_files($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	application_getattr_socket($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	logging_send_syslog_msg($1_usertype)
Dan Walsh 2a89df
-	logging_send_audit_msgs($1_usertype)
Dan Walsh 2a89df
-	selinux_get_enforce_mode($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	# cjp: some of this probably can be removed
Dan Walsh 2a89df
-	selinux_get_fs_mount($1_usertype)
Dan Walsh 2a89df
-	selinux_validate_context($1_usertype)
Dan Walsh 2a89df
-	selinux_compute_access_vector($1_usertype)
Dan Walsh 2a89df
-	selinux_compute_create_context($1_usertype)
Dan Walsh 2a89df
-	selinux_compute_relabel_context($1_usertype)
Dan Walsh 2a89df
-	selinux_compute_user_contexts($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	# for eject
Dan Walsh 2a89df
-	storage_getattr_fixed_disk_dev($1_usertype)
Dan Walsh 6554bb
+	typeattribute $1_t common_userdomain;
Dan Walsh 6554bb
 
Dan Walsh 2a89df
-	auth_read_login_records($1_usertype)
Dan Walsh 2a89df
-	auth_run_pam($1_t,$1_r)
Dan Walsh 2a89df
-	auth_run_utempter($1_t,$1_r)
Dan Walsh 3dcdda
-
Dan Walsh 2a89df
-	init_read_utmp($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	seutil_read_file_contexts($1_usertype)
Dan Walsh 2a89df
-	seutil_read_default_contexts($1_usertype)
Dan Walsh 2a89df
-	seutil_run_newrole($1_t,$1_r)
Dan Walsh 2a89df
-	seutil_exec_checkpolicy($1_t)
Dan Walsh 2a89df
-	seutil_exec_setfiles($1_usertype)
Dan Walsh 2a89df
-	# for when the network connection is killed
Dan Walsh 2a89df
-	# this is needed when a login role can change
Dan Walsh 2a89df
-	# to this one.
Dan Walsh 2a89df
-	seutil_dontaudit_signal_newrole($1_t)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	tunable_policy(`user_direct_mouse',`
Dan Walsh 2a89df
-		dev_read_mouse($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	tunable_policy(`user_ttyfile_stat',`
Dan Walsh 2a89df
-		term_getattr_all_ttys($1_t)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		# Allow graphical boot to check battery lifespan
Dan Walsh 2a89df
-		apm_stream_connect($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 6554bb
-
Dan Walsh 6554bb
-	optional_policy(`
Dan Walsh 2a89df
-		canna_stream_connect($1_usertype)
Dan Walsh 6554bb
-	')
Dan Walsh 6554bb
-
Dan Walsh 6554bb
-	optional_policy(`
Dan Walsh 2a89df
-		chrome_role($1_r, $1_usertype)
Dan Walsh 6554bb
-	')
Dan Walsh 6554bb
-
Dan Walsh 6554bb
-	optional_policy(`
Dan Walsh 2a89df
-		colord_read_lib_files($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		dbus_system_bus_client($1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		allow $1_usertype $1_usertype:dbus  send_msg;
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			avahi_dbus_chat($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			policykit_dbus_chat($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			bluetooth_dbus_chat($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			consolekit_dbus_chat($1_usertype)
Dan Walsh 2a89df
-			consolekit_read_log($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			devicekit_dbus_chat($1_usertype)
Dan Walsh 2a89df
-			devicekit_dbus_chat_power($1_usertype)
Dan Walsh 2a89df
-			devicekit_dbus_chat_disk($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			evolution_dbus_chat($1_usertype)
Dan Walsh 2a89df
-			evolution_alarm_dbus_chat($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			gnome_dbus_chat_gconfdefault($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			hal_dbus_chat($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			kde_dbus_chat_backlighthelper($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			modemmanager_dbus_chat($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			networkmanager_dbus_chat($1_usertype)
Dan Walsh 2a89df
-			networkmanager_read_lib_files($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-		optional_policy(`
Dan Walsh 2a89df
-			vpn_dbus_chat($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 6554bb
-	')
Dan Walsh 6554bb
-
Dan Walsh 6554bb
-	optional_policy(`
Dan Walsh 2a89df
-		git_session_role($1_r, $1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		inetd_use_fds($1_usertype)
Dan Walsh 2a89df
-		inetd_rw_tcp_sockets($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		inn_read_config($1_usertype)
Dan Walsh 2a89df
-		inn_read_news_lib($1_usertype)
Dan Walsh 2a89df
-		inn_read_news_spool($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		lircd_stream_connect($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		locate_read_lib_files($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	# for running depmod as part of the kernel packaging process
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		modutils_read_module_config($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		mta_rw_spool($1_usertype)
Dan Walsh 2a89df
-		mta_manage_queue($1_usertype)
Dan Walsh 2a89df
-		mta_filetrans_home_content($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		nsplugin_role($1_r, $1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		tunable_policy(`allow_user_mysql_connect',`
Dan Walsh 2a89df
-			mysql_stream_connect($1_t)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		oident_manage_user_content($1_t)
Dan Walsh 2a89df
-		oident_relabel_user_content($1_t)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		# to allow monitoring of pcmcia status
Dan Walsh 2a89df
-		pcmcia_read_pid($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		pcscd_read_pub_files($1_usertype)
Dan Walsh 2a89df
-		pcscd_stream_connect($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		tunable_policy(`allow_user_postgresql_connect',`
Dan Walsh 2a89df
-			postgresql_stream_connect($1_usertype)
Dan Walsh 2a89df
-			postgresql_tcp_connect($1_usertype)
Dan Walsh 2a89df
-		')
Dan Walsh 2a89df
-	')
Dan Walsh 3dcdda
+	userdom_basic_networking($1_usertype)
Dan Walsh 3dcdda
 
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		resmgr_stream_connect($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 6554bb
+	auth_run_pam(common_userdomain,$1_r)
Dan Walsh 6554bb
+	auth_run_utempter(common_userdomain,$1_r)
Dan Walsh 6554bb
+	seutil_run_newrole(common_userdomain,$1_r)
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 	optional_policy(`
Dan Walsh 2a89df
-		rpc_dontaudit_getattr_exports($1_usertype)
Dan Walsh 2a89df
-		rpc_manage_nfs_rw_content($1_usertype)
Dan Walsh 6554bb
+		chrome_role($1_r, common_userdomain)
Dan Walsh 6554bb
 	')
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 	optional_policy(`
Dan Walsh 2a89df
-		rpcbind_stream_connect($1_usertype)
Dan Walsh 6554bb
+		git_session_role($1_r, common_userdomain)
Dan Walsh 6554bb
 	')
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 	optional_policy(`
Dan Walsh 2a89df
-		samba_stream_connect_winbind($1_usertype)
Dan Walsh 6554bb
+		nsplugin_role($1_r, common_userdomain)
Dan Walsh 6554bb
 	')
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 	optional_policy(`
Dan Walsh 2a89df
-		sandbox_transition($1_usertype, $1_r)
Dan Walsh 2a89df
+		sandbox_transition(common_userdomain, $1_r)
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
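Review bot: The rules moved out of this template were previously applied to `$1_usertype`, but the replacement `typeattribute $1_t common_userdomain;` tags only `$1_t`, so additional types a prefix adds through `userdom_unpriv_usertype` (whose hunk at @@ -3929,6 +3617,10 @@ adds role bindings but no `typeattribute $2 common_userdomain;`) presumably stop receiving the kernel/dev/files/selinux rules now keyed on `common_userdomain` in userdomain.te. If that narrowing is intended, a comment above the typeattribute such as `# only $1_t joins common_userdomain; derived usertypes do not` would make it explicit; otherwise the unpriv_usertype template needs the matching typeattribute. Each instantiation also re-emits `auth_run_pam(common_userdomain,$1_r)` and its two siblings for the whole attribute, which is harmless for allow rules but reads as per-user and deserves a comment; a space after the comma would match `chrome_role($1_r, common_userdomain)` below. The template body continues beyond the hunk.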
Dan Walsh 6554bb
@@ -839,11 +535,7 @@ template(`userdom_common_user_template',
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
Dan Walsh 2a89df
-		slrnpull_search_spool($1_usertype)
Dan Walsh 2a89df
-	')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	optional_policy(`
Dan Walsh 2a89df
-		thumb_role($1_r, $1_usertype)
Dan Walsh 2a89df
+		thumb_role($1_r, common_userdomain)
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 6554bb
@@ -872,10 +564,9 @@ template(`userdom_login_user_template',
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	userdom_base_user_template($1)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	userdom_manage_home_role($1_r, $1_usertype)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-	userdom_manage_tmp_role($1_r, $1_usertype)
Dan Walsh 2a89df
-	userdom_manage_tmpfs_role($1_r, $1_usertype)
Dan Walsh 2a89df
+	userdom_manage_home_role($1_r)
Dan Walsh 2a89df
+	userdom_manage_tmp_role($1_r)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($1_r)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ifelse(`$1',`unconfined',`',`
Dan Walsh 2a89df
 		gen_tunable(allow_$1_exec_content, true)
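Review bot: After this change `userdom_login_user_template` only binds `$1_r` to the home/tmp/tmpfs types; the former domain-side grant to `$1_usertype` has no counterpart here, and the only one visible in the patch is `userdom_manage_home(unpriv_userdomain)` in userdomain.te. A login domain built on this template whose usertype is not in `unpriv_userdomain` (the admin template, if it still layers on this one) would therefore lose home-directory management — worth confirming against the rest of the file. A comment at the new call site, e.g. `# domain-side home/tmp/tmpfs rules come from unpriv_userdomain in userdomain.te`, would record where the access now originates. The template starts outside the hunk.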
Dan Walsh 6554bb
@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_templa
Dan Walsh 2a89df
 	typeattribute $1_t unpriv_userdomain;
Dan Walsh 2a89df
 	domain_interactive_fd($1_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
Dan Walsh 2a89df
-	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
Dan Walsh 2a89df
-
Dan Walsh 2a89df
 	##############################
Dan Walsh 2a89df
 	#
Dan Walsh 2a89df
 	# Local policy
Dan Walsh 6554bb
@@ -3929,6 +3617,10 @@ template(`userdom_unpriv_usertype',`
Dan Walsh 2a89df
 	
Dan Walsh 2a89df
 	auth_use_nsswitch($2)
Dan Walsh 2a89df
 	ubac_constrained($2)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	userdom_manage_home_role($1_r)
Dan Walsh 2a89df
+	userdom_manage_tmp_role($1_r)
Dan Walsh 2a89df
+	userdom_manage_tmpfs_role($1_r)
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 ########################################
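Review bot: The three role bindings added here duplicate the ones `userdom_login_user_template` already emits for the same `$1_r` (hunk at @@ -872,10 +564,9 @@), so for any prefix that has gone through that template they are redundant. Redundant `role` statements are harmless, but if the intent is to cover usertypes created for prefixes that skip the login template, a one-line comment such as `# role binding for prefixes that do not use userdom_login_user_template` would say so. The template's signature is outside the hunk, so whether `$1_r` is always a declared role at this point cannot be verified from this view.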
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te
Dan Walsh 3dcdda
--- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain	2011-10-24 13:26:35.691337060 -0400
Dan Walsh 3dcdda
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.te	2011-10-24 13:26:35.776337067 -0400
Dan Walsh 2a89df
@@ -69,6 +69,8 @@ attribute userdomain;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 # unprivileged user domains
Dan Walsh 2a89df
 attribute unpriv_userdomain;
Dan Walsh 2a89df
+# common user domains
Dan Walsh 2a89df
+attribute common_userdomain;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 attribute untrusted_content_type;
Dan Walsh 2a89df
 attribute untrusted_content_tmp_type;
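Review bot: `# common user domains` does not say how `common_userdomain` relates to `unpriv_userdomain` declared just above it, which matters because the two attributes now carry overlapping rule sets elsewhere in this patch. Something like `# domains tagged by userdom_common_user_template; receive the "Common User domain Local policy" block below` ties the declaration to where it is populated and consumed.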
Dan Walsh 37b75a
@@ -141,22 +143,147 @@ miscfiles_cert_type(home_cert_t)
Dan Walsh 2a89df
 userdom_user_home_content(home_cert_t)
Dan Walsh 2a89df
 ubac_constrained(home_cert_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-tunable_policy(`allow_console_login',`
Dan Walsh 2a89df
-	term_use_console(userdomain)
Dan Walsh 2a89df
-')
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-allow userdomain userdomain:process signull;
Dan Walsh 2a89df
+allow unpriv_userdomain self:netlink_kobject_uevent_socket create_socket_perms;
Dan Walsh 2a89df
+dontaudit unpriv_userdomain self:netlink_audit_socket create_socket_perms;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 # Nautilus causes this avc
Dan Walsh 2a89df
 dontaudit unpriv_userdomain self:dir setattr;
Dan Walsh 2a89df
 allow unpriv_userdomain self:key manage_key_perms;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
+userdom_manage_home(unpriv_userdomain)
Dan Walsh 2a89df
+userdom_manage_tmp(unpriv_userdomain)
Dan Walsh 2a89df
+userdom_manage_tmpfs(unpriv_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 optional_policy(`
Dan Walsh 2a89df
 	alsa_read_rw_config(unpriv_userdomain)
Dan Walsh 2a89df
 	alsa_manage_home_files(unpriv_userdomain)
Dan Walsh 37b75a
 	alsa_relabel_home_files(unpriv_userdomain)
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
+
Dan Walsh 37b75a
+##############################
Dan Walsh 37b75a
+#
Dan Walsh 37b75a
+# User domain Local policy
Dan Walsh 37b75a
+#
Dan Walsh 2a89df
+allow userdomain userdomain:process signull;
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+allow userdomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
Dan Walsh 2a89df
+term_create_pty(userdomain, user_devpts_t)
Dan Walsh 2a89df
+# avoid annoying messages on terminal hangup on role change
Dan Walsh 2a89df
+dontaudit userdomain user_devpts_t:chr_file ioctl;
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+allow userdomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
Dan Walsh 2a89df
+# avoid annoying messages on terminal hangup on role change
Dan Walsh 2a89df
+dontaudit userdomain user_tty_device_t:chr_file ioctl;
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+corecmd_shell_entry_type(userdomain)
Dan Walsh 2a89df
+corecmd_bin_entry_type(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+term_user_pty(userdomain, user_devpts_t)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+term_user_tty(userdomain, user_tty_device_t)
Dan Walsh 2a89df
+term_dontaudit_getattr_generic_ptys(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+application_exec_all(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+kernel_read_kernel_sysctls(userdomain)
Dan Walsh 2a89df
+kernel_read_all_sysctls(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_list_unlabeled(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_getattr_unlabeled_files(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_getattr_unlabeled_symlinks(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_getattr_unlabeled_pipes(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_getattr_unlabeled_sockets(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_getattr_unlabeled_blk_files(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_getattr_unlabeled_chr_files(userdomain)
Dan Walsh 2a89df
+kernel_dontaudit_list_proc(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+dev_dontaudit_getattr_all_blk_files(userdomain)
Dan Walsh 2a89df
+dev_dontaudit_getattr_all_chr_files(userdomain)
Dan Walsh 2a89df
+dev_getattr_mtrr_dev(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+# When the user domain runs ps, there will be a number of access
Dan Walsh 2a89df
+# denials when ps tries to search /proc. Do not audit these denials.
Dan Walsh 2a89df
+domain_dontaudit_read_all_domains_state(userdomain)
Dan Walsh 2a89df
+domain_dontaudit_getattr_all_domains(userdomain)
Dan Walsh 2a89df
+domain_dontaudit_getsession_all_domains(userdomain)
Dan Walsh 2a89df
+dev_dontaudit_all_access_check(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+files_read_etc_files(userdomain)
Dan Walsh 2a89df
+files_list_mnt(userdomain)
Dan Walsh 2a89df
+files_list_var(userdomain)
Dan Walsh 2a89df
+files_read_mnt_files(userdomain)
Dan Walsh 2a89df
+files_dontaudit_access_check_mnt(userdomain)
Dan Walsh 2a89df
+files_read_etc_runtime_files(userdomain)
Dan Walsh 2a89df
+files_read_usr_files(userdomain)
Dan Walsh 2a89df
+files_read_usr_src_files(userdomain)
Dan Walsh 2a89df
+# Read directories and files with the readable_t type.
Dan Walsh 2a89df
+# This type is a general type for "world"-readable files.
Dan Walsh 2a89df
+files_list_world_readable(userdomain)
Dan Walsh 2a89df
+files_read_world_readable_files(userdomain)
Dan Walsh 2a89df
+files_read_world_readable_symlinks(userdomain)
Dan Walsh 2a89df
+files_read_world_readable_pipes(userdomain)
Dan Walsh 2a89df
+files_read_world_readable_sockets(userdomain)
Dan Walsh 2a89df
+# old broswer_domain():
Dan Walsh 2a89df
+files_dontaudit_getattr_all_dirs(userdomain)
Dan Walsh 2a89df
+files_dontaudit_list_non_security(userdomain)
Dan Walsh 2a89df
+files_dontaudit_getattr_all_files(userdomain)
Dan Walsh 2a89df
+files_dontaudit_getattr_non_security_symlinks(userdomain)
Dan Walsh 2a89df
+files_dontaudit_getattr_non_security_pipes(userdomain)
Dan Walsh 2a89df
+files_dontaudit_getattr_non_security_sockets(userdomain)
Dan Walsh 2a89df
+files_dontaudit_setattr_etc_runtime_files(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+files_exec_usr_files(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+fs_list_cgroup_dirs(userdomain)
Dan Walsh 2a89df
+fs_dontaudit_rw_cgroup_files(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+storage_rw_fuse(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+init_stream_connect(userdomain)
Dan Walsh 2a89df
+# The library functions always try to open read-write first,
Dan Walsh 2a89df
+# then fall back to read-only if it fails. 
Dan Walsh 2a89df
+init_dontaudit_rw_utmp(userdomain)
Dan Walsh 2a89df
+libs_exec_ld_so(userdomain)
Dan Walsh 2a89df
+logging_send_audit_msgs(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+miscfiles_read_localization(userdomain)
Dan Walsh 2a89df
+miscfiles_read_generic_certs(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+miscfiles_read_all_certs(userdomain)
Dan Walsh 2a89df
+miscfiles_read_localization(userdomain)
Dan Walsh 2a89df
+miscfiles_read_man_pages(userdomain)
Dan Walsh 2a89df
+miscfiles_read_public_files(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+systemd_dbus_chat_logind(userdomain)
Dan Walsh 2a89df
+
Dan Walsh 37b75a
+tunable_policy(`allow_console_login',`
Dan Walsh 37b75a
+	term_use_console(userdomain)
Dan Walsh 37b75a
+')
Dan Walsh 37b75a
+
Dan Walsh 2a89df
+tunable_policy(`allow_execmem',`
Dan Walsh 2a89df
+	# Allow loading DSOs that require executable stack.
Dan Walsh 2a89df
+	allow userdomain self:process execmem;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+tunable_policy(`allow_execmem && allow_execstack',`
Dan Walsh 2a89df
+	# Allow making the stack executable via mprotect.
Dan Walsh 2a89df
+	allow userdomain self:process execstack;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	abrt_stream_connect(userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	fs_list_cgroup_dirs(userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+	
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	ssh_rw_stream_sockets(userdomain)
Dan Walsh 2a89df
+	ssh_delete_tmp(userdomain)
Dan Walsh 2a89df
+	ssh_signal(userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 optional_policy(`
Dan Walsh 2a89df
 	gnome_filetrans_home_content(userdomain)
Dan Walsh 2a89df
 ')
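Review bot: `systemd_dbus_chat_logind(userdomain)` is called unconditionally while the neighbouring `abrt_`, `ssh_` and `gnome_` calls are wrapped in `optional_policy(`, so a build without the systemd module will fail on an undefined interface unless systemd is in the base policy here; wrapping it the same way is the consistent fix. The block also repeats itself: `fs_list_cgroup_dirs(userdomain)` appears both at top level and again inside an `optional_policy(` that wraps nothing optional, `miscfiles_read_localization(userdomain)` is listed twice, and `miscfiles_read_generic_certs` is presumably subsumed by `miscfiles_read_all_certs` a few lines later. The blank line after the cgroup `optional_policy` carries a stray tab and `# then fall back to read-only if it fails. ` has trailing whitespace. Since these rules apply to every `userdomain` including admin roles, the `allow_execmem` / `allow_execstack` tunables now widen all user domains at once; a comment noting that scope next to `tunable_policy(`allow_execmem',` would help future readers.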
Dan Walsh 37b75a
@@ -172,3 +299,240 @@ optional_policy(`
Dan Walsh 2a89df
 optional_policy(`
Dan Walsh 2a89df
 	xserver_filetrans_home_content(userdomain)
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+##############################
Dan Walsh 2a89df
+#
Dan Walsh 2a89df
+# Common User domain Local policy
Dan Walsh 2a89df
+#
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+# evolution and gnome-session try to create a netlink socket
Dan Walsh 2a89df
+dontaudit common_userdomain self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
Dan Walsh 2a89df
+dontaudit common_userdomain self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
Dan Walsh 2a89df
+allow common_userdomain self:netlink_kobject_uevent_socket create_socket_perms;
Dan Walsh 2a89df
+allow common_userdomain self:socket create_socket_perms;
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+allow common_userdomain unpriv_userdomain:fd use;
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+kernel_read_system_state(common_userdomain)
Dan Walsh 2a89df
+kernel_read_network_state(common_userdomain)
Dan Walsh 2a89df
+kernel_read_software_raid_state(common_userdomain)
Dan Walsh 2a89df
+kernel_read_net_sysctls(common_userdomain)
Dan Walsh 2a89df
+# Very permissive allowing every domain to see every type:
Dan Walsh 2a89df
+kernel_get_sysvipc_info(common_userdomain)
Dan Walsh 2a89df
+# Find CDROM devices:
Dan Walsh 2a89df
+kernel_read_device_sysctls(common_userdomain)
Dan Walsh 2a89df
+kernel_request_load_module(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+corenet_udp_bind_generic_node(common_userdomain)
Dan Walsh 2a89df
+corenet_udp_bind_generic_port(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+dev_read_rand(common_userdomain)
Dan Walsh 2a89df
+dev_write_sound(common_userdomain)
Dan Walsh 2a89df
+dev_read_sound(common_userdomain)
Dan Walsh 2a89df
+dev_read_sound_mixer(common_userdomain)
Dan Walsh 2a89df
+dev_write_sound_mixer(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+files_exec_etc_files(common_userdomain)
Dan Walsh 2a89df
+files_search_locks(common_userdomain)
Dan Walsh 2a89df
+# Check to see if cdrom is mounted
Dan Walsh 2a89df
+files_search_mnt(common_userdomain)
Dan Walsh 2a89df
+# cjp: perhaps should cut back on file reads:
Dan Walsh 2a89df
+files_read_var_files(common_userdomain)
Dan Walsh 2a89df
+files_read_var_symlinks(common_userdomain)
Dan Walsh 2a89df
+files_read_generic_spool(common_userdomain)
Dan Walsh 2a89df
+files_read_var_lib_files(common_userdomain)
Dan Walsh 2a89df
+# Stat lost+found.
Dan Walsh 2a89df
+files_getattr_lost_found_dirs(common_userdomain)
Dan Walsh 2a89df
+files_read_config_files(common_userdomain)
Dan Walsh 2a89df
+fs_read_noxattr_fs_files(common_userdomain)
Dan Walsh 2a89df
+fs_read_noxattr_fs_symlinks(common_userdomain)
Dan Walsh 2a89df
+fs_rw_cgroup_files(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+application_getattr_socket(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+logging_send_syslog_msg(common_userdomain)
Dan Walsh 2a89df
+logging_send_audit_msgs(common_userdomain)
Dan Walsh 2a89df
+selinux_get_enforce_mode(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+# cjp: some of this probably can be removed
Dan Walsh 2a89df
+selinux_get_fs_mount(common_userdomain)
Dan Walsh 2a89df
+selinux_validate_context(common_userdomain)
Dan Walsh 2a89df
+selinux_compute_access_vector(common_userdomain)
Dan Walsh 2a89df
+selinux_compute_create_context(common_userdomain)
Dan Walsh 2a89df
+selinux_compute_relabel_context(common_userdomain)
Dan Walsh 2a89df
+selinux_compute_user_contexts(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+# for eject
Dan Walsh 2a89df
+storage_getattr_fixed_disk_dev(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+auth_read_login_records(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+init_read_utmp(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+seutil_read_file_contexts(common_userdomain)
Dan Walsh 2a89df
+seutil_read_default_contexts(common_userdomain)
Dan Walsh 2a89df
+seutil_exec_checkpolicy(common_userdomain)
Dan Walsh 2a89df
+seutil_exec_setfiles(common_userdomain)
Dan Walsh 2a89df
+# for when the network connection is killed
Dan Walsh 2a89df
+# this is needed when a login role can change
Dan Walsh 2a89df
+# to this one.
Dan Walsh 2a89df
+seutil_dontaudit_signal_newrole(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+tunable_policy(`user_direct_mouse',`
Dan Walsh 2a89df
+	dev_read_mouse(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+tunable_policy(`user_ttyfile_stat',`
Dan Walsh 2a89df
+	term_getattr_all_ttys(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	# Allow graphical boot to check battery lifespan
Dan Walsh 2a89df
+	apm_stream_connect(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	canna_stream_connect(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	colord_read_lib_files(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	dbus_system_bus_client(common_userdomain)
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	allow common_userdomain common_userdomain:dbus  send_msg;
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		avahi_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		policykit_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		bluetooth_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		consolekit_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+		consolekit_read_log(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		devicekit_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+		devicekit_dbus_chat_power(common_userdomain)
Dan Walsh 2a89df
+		devicekit_dbus_chat_disk(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		evolution_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+		evolution_alarm_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		gnome_dbus_chat_gconfdefault(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		hal_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		kde_dbus_chat_backlighthelper(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		modemmanager_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		networkmanager_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+		networkmanager_read_lib_files(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	optional_policy(`
Dan Walsh 2a89df
+		vpn_dbus_chat(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	inetd_use_fds(common_userdomain)
Dan Walsh 2a89df
+	inetd_rw_tcp_sockets(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	inn_read_config(common_userdomain)
Dan Walsh 2a89df
+	inn_read_news_lib(common_userdomain)
Dan Walsh 2a89df
+	inn_read_news_spool(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	lircd_stream_connect(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	locate_read_lib_files(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+# for running depmod as part of the kernel packaging process
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	modutils_read_module_config(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	mta_rw_spool(common_userdomain)
Dan Walsh 2a89df
+	mta_manage_queue(common_userdomain)
Dan Walsh 2a89df
+	mta_filetrans_home_content(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	tunable_policy(`allow_user_mysql_connect',`
Dan Walsh 2a89df
+		mysql_stream_connect(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	oident_manage_user_content(common_userdomain)
Dan Walsh 2a89df
+	oident_relabel_user_content(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	# to allow monitoring of pcmcia status
Dan Walsh 2a89df
+	pcmcia_read_pid(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	pcscd_read_pub_files(common_userdomain)
Dan Walsh 2a89df
+	pcscd_stream_connect(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	tunable_policy(`allow_user_postgresql_connect',`
Dan Walsh 2a89df
+		postgresql_stream_connect(common_userdomain)
Dan Walsh 2a89df
+		postgresql_tcp_connect(common_userdomain)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	resmgr_stream_connect(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	rpc_dontaudit_getattr_exports(common_userdomain)
Dan Walsh 2a89df
+	rpc_manage_nfs_rw_content(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	rpcbind_stream_connect(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	samba_stream_connect_winbind(common_userdomain)
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+optional_policy(`
Dan Walsh 2a89df
+	slrnpull_search_spool(common_userdomain)
Dan Walsh 2a89df
+')
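Review bot: `allow common_userdomain common_userdomain:dbus  send_msg;` is an attribute-to-attribute rule, so it permits D-Bus messaging between any two domains carrying the attribute rather than within a single user's domain; if, as the name suggests, every login user domain carries it, a less privileged user domain could message a more privileged one, so a comment stating that this cross-domain breadth is intended (or a narrowing to the per-user type at the call site) would help the next reviewer, and the doubled space before `send_msg` should be collapsed. Two further unconditional grants in this hunk deserve a why-comment in the style already used for `kernel_get_sysvipc_info`: `kernel_request_load_module(common_userdomain)` appears to let unprivileged user domains trigger kernel module autoloading, and `fs_rw_cgroup_files(common_userdomain)` grants write rather than only read access to cgroup control files, so naming the component that needs each (or gating them behind a tunable like the `user_direct_mouse` block) would make the risk trade-off explicit. The rest of the hunk reads consistently with the existing optional_policy layout.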