From f2d56103721a508a1a0c90634679a88866497441 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Jan 19 2011 18:49:32 +0000
Subject: Merge branches 'master', 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 5b78df2..fd599d3 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -841,10 +841,10 @@ index 0000000..8c2e044
+
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
new file mode 100644
-index 0000000..eef0c87
+index 0000000..67296b9
--- /dev/null
+++ b/policy/modules/admin/ncftool.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,89 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
@@ -859,8 +859,6 @@ index 0000000..eef0c87
+domain_system_change_exemption(ncftool_t)
+role system_r types ncftool_t;
+
-+permissive ncftool_t;
-+
+########################################
+#
+# ncftool local policy
@@ -1184,15 +1182,16 @@ index af55369..bc4ae6d 100644
+ ')
+')
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
-index 7077413..70edcd6 100644
+index 7077413..56d1ecb 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
-@@ -1,3 +1,5 @@
+@@ -1,3 +1,6 @@
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
++/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
index 47c4723..4866a08 100644
--- a/policy/modules/admin/readahead.if
@@ -1219,10 +1218,26 @@ index 47c4723..4866a08 100644
+ domtrans_pattern($1, readahead_exec_t, readahead_t)
+')
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..8fa8451 100644
+index b4ac57e..39fbe42 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
-@@ -53,6 +53,7 @@ domain_read_all_domains_state(readahead_t)
+@@ -16,6 +16,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
+
+ type readahead_var_run_t;
+ files_pid_file(readahead_var_run_t)
++dev_associate(readahead_var_run_t)
+
+ ########################################
+ #
+@@ -32,6 +33,7 @@ files_search_var_lib(readahead_t)
+
+ manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+ files_pid_filetrans(readahead_t, readahead_var_run_t, file)
++dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
+
+ kernel_read_all_sysctls(readahead_t)
+ kernel_read_system_state(readahead_t)
+@@ -53,6 +55,7 @@ domain_read_all_domains_state(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
@@ -1230,7 +1245,7 @@ index b4ac57e..8fa8451 100644
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
-@@ -66,6 +67,7 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,6 +69,7 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -1558,6 +1573,18 @@ index 47a8f7d..31f474e 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
+diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
+index c8ef84b..e241334 100644
+--- a/policy/modules/admin/sectoolm.te
++++ b/policy/modules/admin/sectoolm.te
+@@ -84,6 +84,7 @@ logging_send_syslog_msg(sectoolm_t)
+ sysnet_domtrans_ifconfig(sectoolm_t)
+
+ userdom_manage_user_tmp_sockets(sectoolm_t)
++userdom_dgram_send(sectoolm_t)
+
+ optional_policy(`
+ mount_exec(sectoolm_t)
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
index 029cb7e..48d1363 100644
--- a/policy/modules/admin/shorewall.fc
@@ -2710,15 +2737,16 @@ index 0000000..0bbd523
+')
+
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..46db5ff 100644
+index 00a19e3..1aaa958 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,30 @@
+@@ -1,9 +1,33 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
@@ -2739,6 +2767,8 @@ index 00a19e3..46db5ff 100644
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
++#/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
++
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
@@ -2747,10 +2777,73 @@ index 00a19e3..46db5ff 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..c4df4b9 100644
+index f5afe78..60258d1 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -37,8 +37,7 @@ interface(`gnome_role',`
+@@ -1,24 +1,29 @@
+ ## GNU network object model environment (GNOME)
+
+-############################################################
++#######################################
+ ##
+-## Role access for gnome
++## The role template for the gnome module.
+ ##
+-##
++##
+ ##
+-## Role allowed access
++## The user role.
+ ##
+ ##
+-##
++##
+ ##
+-## User domain for the role
++## The user domain associated with the role.
+ ##
+ ##
+ #
+ interface(`gnome_role',`
+ gen_require(`
++ type gkeyringd_t;
++ attribute gkeyringd_domain;
++ attribute gnome_domain;
+ type gconfd_t, gconfd_exec_t;
+ type gconf_tmp_t;
++ type gnome_home_t;
++ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
+ ')
+
+ role $1 types gconfd_t;
+@@ -33,12 +38,34 @@ interface(`gnome_role',`
+ #gnome_stream_connect_gconf_template($1, $2)
+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+ allow $2 gconfd_t:unix_stream_socket connectto;
++
++ #######################################
++ #
++ # keyringd policy
++ #
++ role $1 types gkeyringd_t;
++
++ domtrans_pattern($2, gkeyringd_exec_t, gkeyringd_t)
++
++ allow $2 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
++ allow $2 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
++
++ allow $2 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
++ allow $2 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
++
++ ps_process_pattern(gkeyringd_t, $2)
++
++ ps_process_pattern($2, gkeyringd_t)
++ allow $2 gkeyringd_t:process { ptrace signal_perms };
++
++ # Looks like it wants to run gkeyringd in $2 domain using setexeccon or runcon.
++ dontaudit $2 gkeyringd_exec_t:file entrypoint;
++
+ ')
########################################
##
@@ -2760,7 +2853,7 @@ index f5afe78..c4df4b9 100644
##
##
##
-@@ -46,25 +45,304 @@ interface(`gnome_role',`
+@@ -46,25 +73,353 @@ interface(`gnome_role',`
##
##
#
@@ -2779,9 +2872,58 @@ index f5afe78..c4df4b9 100644
########################################
##
-## Read gconf config files.
-+## Run gconfd in gconfd domain.
++## Connect to gkeyringd with a unix stream socket.
##
-##
++##
++##
++## Role prefix.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_stream_connect_gkeyringd',`
++ gen_require(`
++ type gkeyringd_t, gkeyringd_tmp_t;
++ ')
++
++ stream_connect_pattern($2, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_t)
++ gnome_search_gconf_tmp_dirs($2)
++')
++
++########################################
++##
++## Connect to gkeyringd with a unix stream socket.
++##
++##
++##
++## Role prefix.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_stream_connect_all_gkeyringd',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ type gkeyringd_tmp_t;
++ ')
++
++ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
++ gnome_search_gconf_tmp_dirs($1)
++')
++
++########################################
++##
++## Run gconfd in gconfd domain.
++##
+##
+##
+## Domain allowed access.
@@ -2847,10 +2989,10 @@ index f5afe78..c4df4b9 100644
+#
+interface(`gnome_signal_all',`
+ gen_require(`
-+ attribute gnomedomain;
++ attribute gnome_domain;
+ ')
+
-+ allow $1 gnomedomain:process signal;
++ allow $1 gnome_domain:process signal;
+')
+
+########################################
@@ -3071,7 +3213,7 @@ index f5afe78..c4df4b9 100644
gen_require(`
type gconf_etc_t;
')
-@@ -76,7 +354,27 @@ template(`gnome_read_gconf_config',`
+@@ -76,7 +431,27 @@ template(`gnome_read_gconf_config',`
#######################################
##
@@ -3100,7 +3242,7 @@ index f5afe78..c4df4b9 100644
##
##
##
-@@ -84,37 +382,40 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +459,36 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -3119,7 +3261,7 @@ index f5afe78..c4df4b9 100644
########################################
##
-## gconf connection template.
-+## Read gconf home files
++## Execute gnome keyringd in the caller domain.
##
-##
+##
@@ -3129,52 +3271,90 @@ index f5afe78..c4df4b9 100644
##
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_read_gconf_home_files',`
++interface(`gnome_exec_keyringd',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
-+ type gconf_home_t;
-+ type data_home_t;
++ type gkeyringd_exec_t;
')
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ allow $1 data_home_t:dir list_dir_perms;
-+ read_files_pattern($1, gconf_home_t, gconf_home_t)
-+ read_files_pattern($1, data_home_t, data_home_t)
++ can_exec($1, gkeyringd_exec_t)
++ corecmd_search_bin($1)
')
########################################
##
-## Run gconfd in gconfd domain.
-+## search gconf homedir (.local)
++## Read gconf home files
##
##
##
-@@ -122,12 +423,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +496,55 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_search_gconf',`
++interface(`gnome_read_gconf_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ type gconf_home_t;
++ type data_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++ userdom_search_user_home_dirs($1)
++ allow $1 gconf_home_t:dir list_dir_perms;
++ allow $1 data_home_t:dir list_dir_perms;
++ read_files_pattern($1, gconf_home_t, gconf_home_t)
++ read_files_pattern($1, data_home_t, data_home_t)
++')
++
++########################################
++##
++## Search gkeyringd temporary directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_search_gkeyringd_tmp_dirs',`
++ gen_require(`
++ type gkeyringd_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
++## search gconf homedir (.local)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_search_gconf',`
++ gen_require(`
++ type gconf_home_t;
++ ')
++
+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
-@@ -151,40 +453,174 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +568,257 @@ interface(`gnome_setattr_config_dirs',`
########################################
##
-## Read gnome homedir content (.config)
-+## Append gconf home files
++## Manage generic gnome home files.
##
-##
+##
@@ -3184,21 +3364,61 @@ index f5afe78..c4df4b9 100644
##
#
-template(`gnome_read_config',`
-+interface(`gnome_append_gconf_home_files',`
++interface(`gnome_manage_generic_home_files',`
gen_require(`
-- type gnome_home_t;
-+ type gconf_home_t;
+ type gnome_home_t;
')
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
')
########################################
##
-## manage gnome homedir content (.config)
++## Manage generic gnome home directories.
+ ##
+-##
++##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`gnome_manage_config',`
++interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
++ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
++')
++
++########################################
++##
++## Append gconf home files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_append_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ ')
++
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++##
+## manage gconf home files
+##
+##
@@ -3219,14 +3439,14 @@ index f5afe78..c4df4b9 100644
+########################################
+##
+## Connect to gnome over an unix stream socket.
- ##
++##
+##
+##
+## Domain allowed access.
+##
+##
- ##
- ##
++##
++##
+## The type of the user domain.
+##
+##
@@ -3246,19 +3466,15 @@ index f5afe78..c4df4b9 100644
+##
+##
+##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`gnome_manage_config',`
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_list_home_config',`
- gen_require(`
-- type gnome_home_t;
++ gen_require(`
+ type config_home_t;
- ')
-
-- allow $1 gnome_home_t:dir manage_dir_perms;
-- allow $1 gnome_home_t:file manage_file_perms;
++ ')
++
+ allow $1 config_home_t:dir list_dir_perms;
+')
+
@@ -3278,8 +3494,8 @@ index f5afe78..c4df4b9 100644
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
- userdom_search_user_home_dirs($1)
- ')
++ userdom_search_user_home_dirs($1)
++')
+
+########################################
+##
@@ -3356,14 +3572,61 @@ index f5afe78..c4df4b9 100644
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
+')
++
++########################################
++##
++## Send and receive messages from
++## gkeyringd over dbus.
++##
++##
++##
++## Role prefix.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_dbus_chat_gkeyringd',`
++ gen_require(`
++ type gkeyringd_t;
++ class dbus send_msg;
++ ')
++
++ allow $2 gkeyringd_t:dbus send_msg;
++ allow gkeyringd_t $2:dbus send_msg;
++')
++########################################
++##
++## Create directories in user home directories
++## with the gnome home file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_home_dir_filetrans',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+ userdom_search_user_home_dirs($1)
+ ')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..c1f491f 100644
+index 2505654..8e83829 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
-@@ -6,11 +6,24 @@ policy_module(gnome, 2.1.0)
+@@ -5,12 +5,25 @@ policy_module(gnome, 2.1.0)
+ # Declarations
#
- attribute gnomedomain;
+-attribute gnomedomain;
++attribute gnome_domain;
+attribute gnome_home_type;
type gconf_etc_t;
@@ -3386,7 +3649,15 @@ index 2505654..c1f491f 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -30,12 +43,20 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -23,19 +36,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
+ files_tmp_file(gconf_tmp_t)
+ ubac_constrained(gconf_tmp_t)
+
+-type gconfd_t, gnomedomain;
++type gconfd_t, gnome_domain;
+ type gconfd_exec_t;
+ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
@@ -3397,6 +3668,19 @@ index 2505654..c1f491f 100644
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
++attribute gkeyringd_domain;
++type gkeyringd_t, gnome_domain, gkeyringd_domain;
++type gkeyringd_exec_t;
++application_domain(gkeyringd_t, gkeyringd_exec_t)
++ubac_constrained(gkeyringd_t)
++permissive gkeyringd_t;
++
++type gkeyringd_gnome_home_t;
++userdom_user_home_content(gkeyringd_gnome_home_t)
++
++type gkeyringd_tmp_t;
++userdom_user_tmp_content(gkeyringd_tmp_t)
++
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
@@ -3408,21 +3692,11 @@ index 2505654..c1f491f 100644
##############################
#
# Local Policy
-@@ -75,3 +96,91 @@ optional_policy(`
+@@ -75,3 +109,148 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(gconfdefaultsm_t)
-+ fs_manage_nfs_files(gconfdefaultsm_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(gconfdefaultsm_t)
-+ fs_manage_cifs_files(gconfdefaultsm_t)
-+')
-+
+#######################################
+#
+# gconf-defaults-mechanisms local policy
@@ -3462,6 +3736,16 @@ index 2505654..c1f491f 100644
+ policykit_read_reload(gconfdefaultsm_t)
+')
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(gconfdefaultsm_t)
++ fs_manage_nfs_files(gconfdefaultsm_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(gconfdefaultsm_t)
++ fs_manage_cifs_files(gconfdefaultsm_t)
++')
++
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
@@ -3500,6 +3784,63 @@ index 2505654..c1f491f 100644
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
++
++allow gkeyringd_t self:capability ipc_lock;
++allow gkeyringd_t self:process { getcap getsched signal };
++allow gkeyringd_t self:fifo_file rw_fifo_file_perms;
++allow gkeyringd_t self:unix_stream_socket { connectto accept listen };
++
++userdom_user_home_dir_filetrans(gkeyringd_t, gnome_home_t, dir)
++
++manage_dirs_pattern(gkeyringd_t, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
++manage_files_pattern(gkeyringd_t, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
++filetrans_pattern(gkeyringd_t, gnome_home_t, gkeyringd_gnome_home_t, dir)
++
++manage_dirs_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t)
++manage_sock_files_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t)
++files_tmp_filetrans(gkeyringd_t, gkeyringd_tmp_t, dir)
++
++kernel_read_crypto_sysctls(gkeyringd_t)
++
++corecmd_search_bin(gkeyringd_t)
++
++dev_read_rand(gkeyringd_t)
++dev_read_urand(gkeyringd_t)
++
++files_read_etc_files(gkeyringd_t)
++files_read_usr_files(gkeyringd_t)
++# for nscd?
++files_search_pids(gkeyringd_t)
++
++fs_getattr_xattr_fs(gkeyringd_t)
++
++selinux_getattr_fs(gkeyringd_t)
++
++logging_send_syslog_msg(gkeyringd_t)
++
++miscfiles_read_localization(gkeyringd_t)
++
++xserver_append_xdm_home_files(gkeyringd_t)
++xserver_read_xdm_home_files(gkeyringd_t)
++xserver_use_xdm_fds(gkeyringd_t)
++
++optional_policy(`
++ dbus_session_domain(gkeyringd_t, gkeyringd_exec_t)
++
++ dbus_session_bus_client(gkeyringd_t)
++ gnome_home_dir_filetrans(gkeyringd_t)
++ gnome_manage_generic_home_dirs(gkeyringd_t)
++
++ optional_policy(`
++ telepathy_mission_control_read_state(gkeyringd_t)
++ ')
++')
++
++optional_policy(`
++ ssh_read_user_home_files(gkeyringd_t)
++')
++
++userdom_use_user_terminals(gnome_domain)
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index e9853d4..717d163 100644
--- a/policy/modules/apps/gpg.fc
@@ -4160,10 +4501,10 @@ index 0000000..1c1d012
+')
diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te
new file mode 100644
-index 0000000..b7f569d
+index 0000000..d9e51a3
--- /dev/null
+++ b/policy/modules/apps/mediawiki.te
-@@ -0,0 +1,35 @@
+@@ -0,0 +1,33 @@
+
+policy_module(mediawiki, 1.0.0)
+
@@ -4177,8 +4518,6 @@ index 0000000..b7f569d
+type httpd_mediawiki_tmp_t;
+files_tmp_file(httpd_mediawiki_tmp_t)
+
-+permissive httpd_mediawiki_script_t;
-+
+########################################
+#
+# mediawiki local policy
@@ -6147,10 +6486,10 @@ index 7cdac1e..6f9f6e6 100644
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
+')
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
-index c605046..15c17a0 100644
+index c605046..97b3df2 100644
--- a/policy/modules/apps/rssh.te
+++ b/policy/modules/apps/rssh.te
-@@ -31,6 +31,12 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+@@ -31,6 +31,10 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
userdom_user_home_content(rssh_rw_t)
@@ -6158,12 +6497,10 @@ index c605046..15c17a0 100644
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
-+permissive rssh_chroot_helper_t;
-+
##############################
#
# Local policy
-@@ -78,3 +84,25 @@ ssh_rw_stream_sockets(rssh_t)
+@@ -78,3 +82,25 @@ ssh_rw_stream_sockets(rssh_t)
optional_policy(`
nis_use_ypbind(rssh_t)
')
@@ -7043,7 +7380,7 @@ index 1f2cde4..7bb3047 100644
#
# /usr
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..3312145 100644
+index 320df26..174ca5e 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -64,6 +64,9 @@ template(`screen_role_template',`
@@ -7073,6 +7410,14 @@ index 320df26..3312145 100644
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
kernel_read_system_state($1_screen_t)
+@@ -112,6 +114,7 @@ template(`screen_role_template',`
+ # for SSP
+ dev_read_urand($1_screen_t)
+
++ domain_sigchld_interactive_fds($1_screen_t)
+ domain_use_interactive_fds($1_screen_t)
+
+ files_search_tmp($1_screen_t)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..7455c19 100644
--- a/policy/modules/apps/seunshare.if
@@ -7229,10 +7574,10 @@ index 0000000..7866118
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644
-index 0000000..46368cc
+index 0000000..6878d68
--- /dev/null
+++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,193 @@
+
+## Telepathy framework.
+
@@ -7401,6 +7746,31 @@ index 0000000..46368cc
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+ files_search_tmp($1)
+')
++
++########################################
++##
++## Read telepathy mission control state.
++##
++##
++##
++## Prefix to be used.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`telepathy_mission_control_read_state',`
++ gen_require(`
++ type telepathy_mission_control_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, telepathy_mission_control_t)
++')
++
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
index 0000000..d4e5e9e
@@ -8128,7 +8498,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..aecd1ff 100644
+index 34c9d01..b25eac7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -8137,7 +8507,7 @@ index 34c9d01..aecd1ff 100644
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -11775,7 +12145,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..5728fc1 100644
+index 2be17d2..dd62b91 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -11827,7 +12197,7 @@ index 2be17d2..5728fc1 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +63,112 @@ optional_policy(`
+@@ -27,25 +63,116 @@ optional_policy(`
')
optional_policy(`
@@ -11844,6 +12214,10 @@ index 2be17d2..5728fc1 100644
+')
+
+optional_policy(`
++ gnome_role(staff_r, staff_t)
++')
++
++optional_policy(`
+ lpd_list_spool(staff_t)
+')
+
@@ -11942,6 +12316,17 @@ index 2be17d2..5728fc1 100644
optional_policy(`
vlock_run(staff_t, staff_r)
+@@ -89,10 +216,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- gnome_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ gpg_role(staff_r, staff_t)
+ ')
+
@@ -137,10 +260,6 @@ ifndef(`distro_redhat',`
')
@@ -13479,10 +13864,10 @@ index 0000000..ec21f9a
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..f8785a0 100644
+index e5bfdd4..60cc0d5 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,51 @@ role user_r;
+@@ -12,15 +12,55 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -13493,6 +13878,10 @@ index e5bfdd4..f8785a0 100644
')
optional_policy(`
++ gnome_role(user_r, user_t)
++')
++
++optional_policy(`
+ oident_manage_user_content(user_t)
+ oident_relabel_user_content(user_t)
+')
@@ -13534,6 +13923,17 @@ index e5bfdd4..f8785a0 100644
vlock_run(user_t, user_r)
')
+@@ -62,10 +102,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- gnome_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ gpg_role(user_r, user_t)
+ ')
+
@@ -118,7 +154,7 @@ ifndef(`distro_redhat',`
')
@@ -13561,7 +13961,7 @@ index 0ecc786..dbf2710 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..8929065 100644
+index e88b95f..06b0e48 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -13630,7 +14030,7 @@ index e88b95f..8929065 100644
')
')
-@@ -76,23 +84,95 @@ optional_policy(`
+@@ -76,23 +84,99 @@ optional_policy(`
')
optional_policy(`
@@ -13648,11 +14048,14 @@ index e88b95f..8929065 100644
+')
+
+optional_policy(`
++ gnome_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ java_role_template(xguest, xguest_r, xguest_t)
+')
+
@@ -13666,9 +14069,10 @@ index e88b95f..8929065 100644
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
')
@@ -13713,7 +14117,7 @@ index e88b95f..8929065 100644
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ telepathy_dbus_session_role(xguest_r, xguest_t)
@@ -13723,7 +14127,7 @@ index e88b95f..8929065 100644
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
- ')
++ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
@@ -14461,10 +14865,10 @@ index 0000000..8e6e2c3
+')
diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
new file mode 100644
-index 0000000..cf6af13
+index 0000000..cee49e3
--- /dev/null
+++ b/policy/modules/services/ajaxterm.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,54 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
@@ -14485,8 +14889,6 @@ index 0000000..cf6af13
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
-+permissive ajaxterm_t;
-+
+########################################
+#
+# ajaxterm local policy
@@ -16868,10 +17270,10 @@ index 0000000..fa9b95a
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..6d8fdeb
+index 0000000..11ad49a
--- /dev/null
+++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,171 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -16899,8 +17301,6 @@ index 0000000..6d8fdeb
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
+
-+permissive boinc_project_t;
-+
+type boinc_project_tmp_t;
+files_tmp_file(boinc_project_tmp_t)
+
@@ -17985,6 +18385,18 @@ index fa82327..db20d26 100644
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
+diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
+index e8e9a21..0af0260 100644
+--- a/policy/modules/services/clamav.fc
++++ b/policy/modules/services/clamav.fc
+@@ -10,6 +10,7 @@
+
+ /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 1f11572..7f6a7ab 100644
--- a/policy/modules/services/clamav.if
@@ -18426,7 +18838,7 @@ index 1cf6c4e..e4bac67 100644
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 293e08d..e3787fb 100644
+index 293e08d..82306eb 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -1,12 +1,12 @@
@@ -18488,7 +18900,7 @@ index 293e08d..e3787fb 100644
')
- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
-+ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
files_search_etc($1)
')
@@ -20269,7 +20681,7 @@ index a8b93c0..831ce70 100644
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..3874025 100644
+index 0d5711c..bbc1a8f 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -20373,7 +20785,51 @@ index 0d5711c..3874025 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -431,14 +442,28 @@ interface(`dbus_system_domain',`
+@@ -197,6 +208,34 @@ interface(`dbus_system_bus_client',`
+
+ #######################################
+ ##
++## Creating connections to specified
++## DBUS sessions.
++##
++##
++##
++## The prefix of the user role (e.g., user
++## is the prefix for user_r).
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_session_client',`
++ gen_require(`
++ class dbus send_msg;
++ type $1_dbusd_t;
++ ')
++
++ allow $2 $1_dbusd_t:fd use;
++ allow $2 { $1_dbusd_t self }:dbus send_msg;
++ allow $2 $1_dbusd_t:unix_stream_socket connectto;
++')
++
++#######################################
++##
+ ## Template for creating connections to
+ ## a user DBUS.
+ ##
+@@ -217,6 +256,8 @@ interface(`dbus_session_bus_client',`
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
++
++ allow session_bus_type $1:process sigkill;
+ ')
+
+ ########################################
+@@ -431,14 +472,28 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -20403,7 +20859,7 @@ index 0d5711c..3874025 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -497,3 +522,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +552,22 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -22287,10 +22743,10 @@ index 0000000..63f11d9
+
diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
new file mode 100644
-index 0000000..19a27bc
+index 0000000..1453c54
--- /dev/null
+++ b/policy/modules/services/drbd.te
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,55 @@
+
+policy_module(drbd,1.0.0)
+
@@ -22303,8 +22759,6 @@ index 0000000..19a27bc
+type drbd_exec_t;
+init_daemon_domain(drbd_t, drbd_exec_t)
+
-+permissive drbd_t;
-+
+type drbd_var_lib_t;
+files_type(drbd_var_lib_t)
+
@@ -24611,7 +25065,7 @@ index 9878499..9167dc9 100644
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..e184dff 100644
+index da2127e..e141bc5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0)
@@ -24635,14 +25089,11 @@ index da2127e..e184dff 100644
type jabberd_log_t;
logging_log_file(jabberd_log_t)
-@@ -21,74 +27,94 @@ files_type(jabberd_var_lib_t)
+@@ -21,74 +27,91 @@ files_type(jabberd_var_lib_t)
type jabberd_var_run_t;
files_pid_file(jabberd_var_run_t)
-########################################
-+permissive jabberd_router_t;
-+permissive jabberd_t;
-+
+######################################
#
-# Local policy
@@ -24683,34 +25134,34 @@ index da2127e..e184dff 100644
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-+
+
+-dev_read_sysfs(jabberd_t)
+-# For SSL
+-dev_read_rand(jabberd_t)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
--dev_read_sysfs(jabberd_t)
--# For SSL
--dev_read_rand(jabberd_t)
-+fs_getattr_all_fs(jabberd_router_t)
-
-domain_use_interactive_fds(jabberd_t)
-+miscfiles_read_certs(jabberd_router_t)
++fs_getattr_all_fs(jabberd_router_t)
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
-+optional_policy(`
-+ kerberos_use(jabberd_router_t)
-+')
++miscfiles_read_certs(jabberd_router_t)
-fs_getattr_all_fs(jabberd_t)
-fs_search_auto_mountpoints(jabberd_t)
+optional_policy(`
-+ nis_use_ypbind(jabberd_router_t)
++ kerberos_use(jabberd_router_t)
+')
-logging_send_syslog_msg(jabberd_t)
++optional_policy(`
++ nis_use_ypbind(jabberd_router_t)
++')
++
+#####################################
+#
+# Local policy for other jabberd components
@@ -26611,10 +27062,10 @@ index 0000000..311aaed
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
-index 0000000..d87d442
+index 0000000..0b9257a
--- /dev/null
+++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,141 @@
+policy_module(mpd, 1.0.0)
+
+########################################
@@ -26626,8 +27077,6 @@ index 0000000..d87d442
+type mpd_exec_t;
+init_daemon_domain(mpd_t, mpd_exec_t)
+
-+permissive mpd_t;
-+
+type mpd_initrc_exec_t;
+init_script_file(mpd_initrc_exec_t)
+
@@ -28097,7 +28546,7 @@ index 2324d9e..8069487 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..5428249 100644
+index 0619395..cd5c974 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -28184,7 +28633,7 @@ index 0619395..5428249 100644
')
optional_policy(`
-@@ -172,12 +198,14 @@ optional_policy(`
+@@ -172,14 +198,17 @@ optional_policy(`
')
optional_policy(`
@@ -28199,8 +28648,11 @@ index 0619395..5428249 100644
+
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
++ consolekit_read_pid_files(NetworkManager_t)
')
-@@ -202,6 +230,17 @@ optional_policy(`
+ ')
+
+@@ -202,6 +231,17 @@ optional_policy(`
')
optional_policy(`
@@ -28218,7 +28670,7 @@ index 0619395..5428249 100644
iptables_domtrans(NetworkManager_t)
')
-@@ -219,6 +258,7 @@ optional_policy(`
+@@ -219,6 +259,7 @@ optional_policy(`
')
optional_policy(`
@@ -28226,7 +28678,7 @@ index 0619395..5428249 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +303,7 @@ optional_policy(`
+@@ -263,6 +304,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -36120,7 +36572,7 @@ index c954f31..7f57f22 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..9948efa 100644
+index ec1eb1e..3c0c8c8 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0)
@@ -36280,7 +36732,7 @@ index ec1eb1e..9948efa 100644
')
########################################
-@@ -206,15 +251,30 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +251,32 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -36308,10 +36760,12 @@ index ec1eb1e..9948efa 100644
kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
++
++corecmd_exec_bin(spamc_t)
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +286,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +288,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -36319,7 +36773,7 @@ index ec1eb1e..9948efa 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -244,9 +305,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +307,14 @@ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -36334,7 +36788,7 @@ index ec1eb1e..9948efa 100644
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +320,40 @@ seutil_read_config(spamc_t)
+@@ -254,27 +322,40 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
@@ -36381,7 +36835,7 @@ index ec1eb1e..9948efa 100644
')
########################################
-@@ -286,7 +365,7 @@ optional_policy(`
+@@ -286,7 +367,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -36390,7 +36844,7 @@ index ec1eb1e..9948efa 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +381,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +383,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -36409,7 +36863,7 @@ index ec1eb1e..9948efa 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +400,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +402,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -36427,7 +36881,7 @@ index ec1eb1e..9948efa 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +457,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +459,27 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -36459,7 +36913,7 @@ index ec1eb1e..9948efa 100644
fs_manage_cifs_files(spamd_t)
')
-@@ -399,7 +494,9 @@ optional_policy(`
+@@ -399,7 +496,9 @@ optional_policy(`
')
optional_policy(`
@@ -36469,7 +36923,7 @@ index ec1eb1e..9948efa 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +505,17 @@ optional_policy(`
+@@ -408,25 +507,17 @@ optional_policy(`
')
optional_policy(`
@@ -36497,7 +36951,7 @@ index ec1eb1e..9948efa 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +526,10 @@ optional_policy(`
+@@ -437,6 +528,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -38185,10 +38639,10 @@ index 0000000..83336ab
+
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
new file mode 100644
-index 0000000..324365e
+index 0000000..9fb3ea7
--- /dev/null
+++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,48 @@
+policy_module(vdagent,1.0.0)
+
+########################################
@@ -38200,8 +38654,6 @@ index 0000000..324365e
+type vdagent_exec_t;
+init_daemon_domain(vdagent_t, vdagent_exec_t)
+
-+permissive vdagent_t;
-+
+type vdagent_var_run_t;
+files_pid_file(vdagent_var_run_t)
+
@@ -39382,10 +39834,10 @@ index 0000000..b9104b7
+')
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
new file mode 100644
-index 0000000..d861cf6
+index 0000000..ff32e95
--- /dev/null
+++ b/policy/modules/services/vnstatd.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,70 @@
+policy_module(vnstatd, 1.0.0)
+
+########################################
@@ -39397,8 +39849,6 @@ index 0000000..d861cf6
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
-+permissive vnstatd_t;
-+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
@@ -39624,7 +40074,7 @@ index 6f1e3c7..ecfe665 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..61bce48 100644
+index da2601a..06e7dd4 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -39992,7 +40442,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -724,11 +787,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +787,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -40004,10 +40454,29 @@ index da2601a..61bce48 100644
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ files_search_pids($1)
+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++')
++
++########################################
++##
++## Read XDM files in user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 xdm_home_t:file read_file_perms;
')
########################################
-@@ -765,7 +829,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +848,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -40016,7 +40485,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -805,7 +869,25 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +888,25 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -40043,7 +40512,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -897,7 +979,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +998,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -40052,7 +40521,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -916,7 +998,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1017,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -40061,7 +40530,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -963,6 +1045,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1064,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -40107,7 +40576,7 @@ index da2601a..61bce48 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1097,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1116,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -40116,7 +40585,7 @@ index da2601a..61bce48 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1159,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1178,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -40159,7 +40628,7 @@ index da2601a..61bce48 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1209,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1228,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -40168,7 +40637,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -1070,8 +1227,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1246,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -40180,7 +40649,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -1185,6 +1344,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1363,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -40207,7 +40676,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -1210,7 +1389,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1408,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -40216,7 +40685,7 @@ index da2601a..61bce48 100644
##
##
##
-@@ -1220,13 +1399,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1418,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -40241,7 +40710,7 @@ index da2601a..61bce48 100644
')
########################################
-@@ -1243,10 +1432,393 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1451,393 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -40638,7 +41107,7 @@ index da2601a..61bce48 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 145fc4b..f596720 100644
+index 145fc4b..bfb9c7a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -41280,7 +41749,7 @@ index 145fc4b..f596720 100644
')
optional_policy(`
-@@ -516,12 +737,49 @@ optional_policy(`
+@@ -516,12 +737,50 @@ optional_policy(`
')
optional_policy(`
@@ -41320,6 +41789,7 @@ index 145fc4b..f596720 100644
')
optional_policy(`
++ gnome_exec_keyringd(xdm_t)
+ gnome_manage_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t)
+ gnome_read_config(xdm_t)
@@ -41330,7 +41800,7 @@ index 145fc4b..f596720 100644
hostname_exec(xdm_t)
')
-@@ -539,28 +797,64 @@ optional_policy(`
+@@ -539,28 +798,64 @@ optional_policy(`
')
optional_policy(`
@@ -41404,7 +41874,7 @@ index 145fc4b..f596720 100644
')
optional_policy(`
-@@ -572,6 +866,10 @@ optional_policy(`
+@@ -572,6 +867,10 @@ optional_policy(`
')
optional_policy(`
@@ -41415,7 +41885,7 @@ index 145fc4b..f596720 100644
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +894,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +895,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -41424,7 +41894,7 @@ index 145fc4b..f596720 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +908,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +909,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -41439,7 +41909,7 @@ index 145fc4b..f596720 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +935,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +936,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -41461,7 +41931,7 @@ index 145fc4b..f596720 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +955,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +956,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -41469,7 +41939,7 @@ index 145fc4b..f596720 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +982,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +983,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -41477,7 +41947,7 @@ index 145fc4b..f596720 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,11 +991,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,11 +992,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -41495,7 +41965,7 @@ index 145fc4b..f596720 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -693,8 +1012,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +1013,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -41509,7 +41979,7 @@ index 145fc4b..f596720 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1040,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1041,14 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -41524,7 +41994,7 @@ index 145fc4b..f596720 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1100,28 @@ optional_policy(`
+@@ -773,12 +1101,28 @@ optional_policy(`
')
optional_policy(`
@@ -41554,7 +42024,7 @@ index 145fc4b..f596720 100644
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1130,10 @@ optional_policy(`
+@@ -787,6 +1131,10 @@ optional_policy(`
')
optional_policy(`
@@ -41565,7 +42035,7 @@ index 145fc4b..f596720 100644
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1149,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1150,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -41579,7 +42049,7 @@ index 145fc4b..f596720 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1160,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -813,7 +1161,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -41588,7 +42058,7 @@ index 145fc4b..f596720 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1173,9 @@ init_use_fds(xserver_t)
+@@ -826,6 +1174,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -41598,7 +42068,7 @@ index 145fc4b..f596720 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1183,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -833,6 +1184,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -41610,7 +42080,7 @@ index 145fc4b..f596720 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1196,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1197,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -41627,7 +42097,7 @@ index 145fc4b..f596720 100644
')
optional_policy(`
-@@ -853,6 +1211,10 @@ optional_policy(`
+@@ -853,6 +1212,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -41638,7 +42108,7 @@ index 145fc4b..f596720 100644
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1258,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -896,7 +1259,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -41647,7 +42117,7 @@ index 145fc4b..f596720 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1312,31 @@ allow x_domain self:x_resource { read write };
+@@ -950,11 +1313,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -41679,7 +42149,7 @@ index 145fc4b..f596720 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1358,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -976,18 +1359,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -41936,10 +42406,10 @@ index 0000000..8a909f5
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
-index 0000000..d7c3f51
+index 0000000..6b80580
--- /dev/null
+++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,127 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
@@ -41965,13 +42435,6 @@ index 0000000..d7c3f51
+type zarafa_share_t;
+files_type(zarafa_share_t)
+
-+permissive zarafa_server_t;
-+permissive zarafa_spooler_t;
-+permissive zarafa_gateway_t;
-+permissive zarafa_deliver_t;
-+permissive zarafa_ical_t;
-+permissive zarafa_monitor_t;
-+
+########################################
+#
+# zarafa-deliver local policy
@@ -46798,7 +47261,7 @@ index 2cc4bda..9e81136 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..bbaa8cf 100644
+index 170e2c7..d95624d 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
@@ -46812,7 +47275,18 @@ index 170e2c7..bbaa8cf 100644
')
########################################
-@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
+@@ -199,6 +203,10 @@ interface(`seutil_run_newrole',`
+ role $2 types newrole_t;
+
+ auth_run_upd_passwd(newrole_t, $2)
++
++ optional_policy(`
++ namespace_init_run(newrole_t, $2)
++ ')
+ ')
+
+ ########################################
+@@ -361,6 +369,27 @@ interface(`seutil_exec_restorecon',`
########################################
##
@@ -46840,7 +47314,7 @@ index 170e2c7..bbaa8cf 100644
## Execute run_init in the run_init domain.
##
##
-@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',`
+@@ -514,6 +543,10 @@ interface(`seutil_domtrans_setfiles',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
@@ -46851,7 +47325,7 @@ index 170e2c7..bbaa8cf 100644
')
########################################
-@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',`
+@@ -545,6 +578,53 @@ interface(`seutil_run_setfiles',`
########################################
##
@@ -46905,7 +47379,7 @@ index 170e2c7..bbaa8cf 100644
## Execute setfiles in the caller domain.
##
##
-@@ -690,6 +766,7 @@ interface(`seutil_manage_config',`
+@@ -690,6 +770,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -46913,7 +47387,7 @@ index 170e2c7..bbaa8cf 100644
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',`
+@@ -1005,6 +1086,30 @@ interface(`seutil_domtrans_semanage',`
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, semanage_exec_t, semanage_t)
@@ -46944,7 +47418,7 @@ index 170e2c7..bbaa8cf 100644
')
########################################
-@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',`
+@@ -1038,6 +1143,54 @@ interface(`seutil_run_semanage',`
########################################
##
@@ -46999,7 +47473,7 @@ index 170e2c7..bbaa8cf 100644
## Full management of the semanage
## module store.
##
-@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1302,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -48190,10 +48664,10 @@ index 0000000..5f0352b
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..85d3b7a
+index 0000000..dae5641
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,104 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -48223,6 +48697,7 @@ index 0000000..85d3b7a
+#
+type systemd_device_t;
+files_type(systemd_device_t)
++dev_associate(systemd_device_t)
+
+#######################################
+#
@@ -49269,7 +49744,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..10340bc 100644
+index 28b88de..4a3297c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -50480,7 +50955,7 @@ index 28b88de..10340bc 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,12 +1514,15 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1514,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -50489,15 +50964,36 @@ index 28b88de..10340bc 100644
allow $1 user_home_t:filesystem associate;
files_type($1)
-- files_poly_member($1)
- ubac_constrained($1)
++ ubac_constrained($1)
+
-+ files_poly_member($1)
+ files_poly_member($1)
+ typeattribute $1 user_home_type;
++')
++
++########################################
++##
++## Make the specified type usable in a
++## generic temporary directory.
++##
++##
++##
++## Type to be used as a file in the
++## generic temporary directory.
++##
++##
++#
++interface(`userdom_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ typeattribute $1 user_tmp_type;
++
++ files_tmp_file($1)
+ ubac_constrained($1)
')
- ########################################
-@@ -1395,6 +1633,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1656,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -50505,7 +51001,7 @@ index 28b88de..10340bc 100644
files_search_home($1)
')
-@@ -1441,6 +1680,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1703,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -50520,7 +51016,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -1456,9 +1703,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1726,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -50532,7 +51028,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -1515,6 +1764,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1787,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -50575,7 +51071,7 @@ index 28b88de..10340bc 100644
########################################
##
## Create directories in the home dir root with
-@@ -1589,6 +1874,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1897,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -50584,7 +51080,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -1603,10 +1890,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1913,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -50599,64 +51095,33 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -1649,30 +1938,49 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1961,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
--## Do not audit attempts to set the
--## attributes of user home files.
+## Set the attributes of user home files.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`userdom_dontaudit_setattr_user_home_content_files',`
-+interface(`userdom_setattr_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- dontaudit $1 user_home_t:file setattr_file_perms;
-+ allow $1 user_home_t:file setattr;
- ')
-
- ########################################
- ##
--## Mmap user home files.
-+## Do not audit attempts to set the
-+## attributes of user home files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
+##
+##
++##
+#
-+interface(`userdom_dontaudit_setattr_user_home_content_files',`
++interface(`userdom_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
-+ dontaudit $1 user_home_t:file setattr_file_perms;
++ allow $1 user_home_t:file setattr;
+')
+
+########################################
+##
-+## Mmap user home files.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
-@@ -1700,12 +2008,32 @@ interface(`userdom_read_user_home_content_files',`
+ ## Do not audit attempts to set the
+ ## attributes of user home files.
+ ##
+@@ -1700,12 +2031,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -50689,7 +51154,7 @@ index 28b88de..10340bc 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2044,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2067,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -50707,7 +51172,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -1810,8 +2141,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2164,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -50717,7 +51182,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -1827,20 +2157,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2180,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -50742,7 +51207,7 @@ index 28b88de..10340bc 100644
########################################
##
-@@ -2182,7 +2506,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2529,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -50751,7 +51216,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -2435,13 +2759,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2782,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -50767,7 +51232,7 @@ index 28b88de..10340bc 100644
##
##
##
-@@ -2462,26 +2787,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2810,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -50794,7 +51259,7 @@ index 28b88de..10340bc 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2815,7 +3120,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3143,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -50803,7 +51268,7 @@ index 28b88de..10340bc 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3136,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3159,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -50819,7 +51284,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -2917,7 +3224,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3247,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -50828,7 +51293,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -2972,7 +3279,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3302,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -50875,7 +51340,7 @@ index 28b88de..10340bc 100644
')
########################################
-@@ -3009,6 +3354,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3377,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -50883,7 +51348,7 @@ index 28b88de..10340bc 100644
kernel_search_proc($1)
')
-@@ -3139,3 +3485,873 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3508,1041 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -51459,6 +51924,137 @@ index 28b88de..10340bc 100644
+
+########################################
+##
++## Do not audit attempts to write all user home content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:file write_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to write all user tmp content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_write_all_user_tmp_content_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ dontaudit $1 user_tmp_type:file write_file_perms;
++')
++
++########################################
++##
++## Manage all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ manage_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## List all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_list_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ list_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_var($1)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Manage all user tmpfs content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_user_tmpfs_content',`
++ gen_require(`
++ attribute user_tmpfs_type;
++ ')
++
++ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## Delete all user temporary content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
++ delete_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++ # /var/tmp
++ files_search_var($1)
++ files_delete_tmp_dir_entry($1)
++')
++
++########################################
++##
+## Read system SSL certificates in the users homedir.
+##
+##
@@ -51757,8 +52353,45 @@ index 28b88de..10340bc 100644
+ domain_transition_pattern($1, user_tmp_t, $2)
+ type_transition $1 user_tmp_t:process $2;
+')
++
++########################################
++##
++## Do not audit attempts to read all user home content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read all user tmp content files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ dontaudit $1 user_tmp_type:file read_file_perms;
++')
++
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index df29ca1..b13e0f3 100644
+index df29ca1..2333dd8 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0)
@@ -51784,23 +52417,27 @@ index df29ca1..b13e0f3 100644
## Allow w to display everyone
##
##
-@@ -59,6 +66,15 @@ attribute unpriv_userdomain;
+@@ -59,6 +66,19 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
+# unprivileged user domains
+attribute user_home_type;
++attribute user_tmp_type;
++attribute user_tmpfs_type;
+
+type admin_home_t;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
++files_poly_member(admin_home_t)
++files_poly_parent(admin_home_t)
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,21 +87,25 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +91,54 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -51819,15 +52456,19 @@ index df29ca1..b13e0f3 100644
ubac_constrained(user_devpts_t)
-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
-+type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
++type user_tmp_t, user_tmp_type;
++typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
+files_poly_parent(user_tmp_t)
- type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
++type user_tmpfs_t, user_tmpfs_type;
++typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
files_tmpfs_file(user_tmpfs_t)
-@@ -94,3 +114,25 @@ userdom_user_home_content(user_tmpfs_t)
+ userdom_user_home_content(user_tmpfs_t)
+
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a65d6d1..6412873 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -472,8 +472,11 @@ exit 0
%endif
%changelog
-* Tue Jan 18 2011 Dan Walsh 3.9.13-3
-- Add Dgrift policy for gnome-keyring-daemon
+* Wed Jan 19 2011 Miroslav Grepl 3.9.13-3
+- NetworkManager wants to read consolekit_var_run_t
+- Allow readahead to create /dev/.systemd/readahead
+- Remove permissive domains
+- Allow newrole to run namespace_init
* Tue Jan 18 2011 Miroslav Grepl 3.9.13-2
- Add sepgsql_contexts file