diff --git a/Changelog b/Changelog
index e0f065b..c87f076 100644
--- a/Changelog
+++ b/Changelog
@@ -95,6 +95,7 @@
games
gatekeeper
gift
+ gnome (James Carter)
imaze
ircd
jabber
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
new file mode 100644
index 0000000..0146bd4
--- /dev/null
+++ b/policy/modules/apps/gnome.fc
@@ -0,0 +1,9 @@
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
+
+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
+')
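Review bot: The `/tmp/gconfd-USER/.*` entry at L26 is limited to regular files by the `--` class filter, yet the per-role template in gnome.if gives `$1_gconfd_t` `manage_dir_perms` on `$1_gconf_tmp_t` and transitions `{ dir file }` into it, so a directory gconfd creates under /tmp/gconfd-USER appears to get the private type at runtime but a different label on relabel. If directories are meant to carry the private type too, drop the filter: `/tmp/gconfd-USER/.* gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)`. If the file-only label is deliberate, a one-line comment above L26 saying why would save the next reader the same question.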
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
new file mode 100644
index 0000000..46ee2da
--- /dev/null
+++ b/policy/modules/apps/gnome.if
@@ -0,0 +1,129 @@
+## GNU network object model environment (GNOME)
+
+########################################
+##
+## The per role template for the gnome module.
+##
+##
+##
+## This template creates a derived domain which is used
+## for gconf sessions.
+##
+##
+## This template is invoked automatically for each role, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`gnome_per_role_template',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+ type $1_gconfd_t;
+ domain_type($1_gconfd_t)
+ domain_entry_file($1_gconfd_t, gconfd_exec_t)
+ role $3 types $1_gconfd_t;
+
+ type $1_gconf_home_t;
+ files_type($1_gconf_home_t)
+
+ type $1_gconf_tmp_t;
+ files_tmp_file($1_gconf_tmp_t)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ allow $1_gconfd_t self:process getsched;
+
+ allow $1_gconfd_t $1_gconf_home_t:dir manage_dir_perms;
+ allow $1_gconfd_t $1_gconf_home_t:file manage_file_perms;
+ userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
+
+ allow $1_gconfd_t $1_gconf_tmp_t:dir manage_dir_perms;
+ allow $1_gconfd_t $1_gconf_tmp_t:file manage_file_perms;
+ userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
+
+ domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
+ allow $1_gconfd_t $2:fd use;
+ allow $1_gconfd_t $2:fifo_file write;
+ allow $1_gconfd_t $2:unix_stream_socket connectto;
+
+ allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
+ allow $1_gconfd_t gconf_etc_t:file read_file_perms;
+
+ dev_read_urand($1_gconfd_t)
+
+ files_read_etc_files($1_gconfd_t)
+
+ libs_use_ld_so($1_gconfd_t)
+ libs_use_shared_libs($1_gconfd_t)
+
+ miscfiles_read_localization($1_gconfd_t)
+
+ logging_send_syslog_msg($1_gconfd_t)
+
+ userdom_manage_user_tmp_sockets($1, $1_gconfd_t)
+ userdom_manage_user_tmp_dirs($1,$1_gconfd_t)
+ userdom_tmp_filetrans_user_tmp($1,$1_gconfd_t,dir)
+
+ gnome_stream_connect_gconf_template($1,$2)
+
+ optional_policy(`
+ nscd_dontaudit_search_pid($1_gconfd_t)
+ ')
+
+ optional_policy(`
+ xserver_use_xdm_fds($1_gconfd_t)
+ xserver_rw_xdm_pipes($1_gconfd_t)
+ ')
+')
+
+########################################
+##
+## gconf connection template.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`gnome_stream_connect_gconf_template',`
+ gen_require(`
+ type $1_gconfd_t;
+ type $1_gconf_tmp_t;
+ ')
+
+ allow $2 $1_gconfd_t:unix_stream_socket connectto;
+ allow $2 $1_gconf_tmp_t:file r_file_perms;
+')
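Review bot: `gnome_per_role_template` references `gconf_etc_t` at L108-L109 but its gen_require block (L69-L71) declares only `gconfd_exec_t`; since the template is expanded inside the calling module, `gconf_etc_t` is not guaranteed to be in scope there, so the require should also carry `type gconf_etc_t;`. Argument spacing is inconsistent within the same template (`$1, $1_gconfd_t, ...` at L97 versus `$1,$1_gconfd_t,...` at L101, L123 and L124); pick one form. `gnome_stream_connect_gconf_template` grants the user domain `r_file_perms` on `$1_gconf_tmp_t` but nothing on that type as a directory, which holds only while gnome.fc keeps directories under /tmp/gconfd-USER at the user tmp type; that dependency is worth a short comment above L161.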
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
new file mode 100644
index 0000000..996809a
--- /dev/null
+++ b/policy/modules/apps/gnome.te
@@ -0,0 +1,13 @@
+
+policy_module(gnome,1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+type gconf_etc_t;
+files_type(gconf_etc_t)
+
+type gconfd_exec_t;
+corecmd_executable_file(gconfd_exec_t)
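Review bot: The new file opens with a blank line at L169 before `policy_module(gnome,1.0.0)`, whereas userdomain.te in this same commit has its `policy_module` on line 1; drop the blank line so the declaration comes first. The file also carries no comment saying where the gconfd domains live; a single line such as `# gconfd per-role domains are declared in gnome_per_role_template (gnome.if)` above the declarations would orient a reader who only opens the .te file.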
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 58d0e2d..177b096 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,9 +1,11 @@
+ifdef(`strict_policy',`
+HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
+HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
+
+/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
+')
-# temporary hack till genhomedircon is fixed
ifdef(`targeted_policy',`
-HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
+HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-',`
-HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
-HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
')
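Review bot: The old `ifdef(`targeted_policy',...,...)` with its else branch (L198-L200) becomes two independent `ifdef`s (L187 and L194), so a build that defines neither `strict_policy` nor `targeted_policy` now emits no HOME_DIR contexts at all where it previously fell through to the ROLE_ entries; if those two are the only policy types this is harmless, but it is a behaviour change that deserves a comment. The removed `# temporary hack till genhomedircon is fixed` note was the file's only explanation and nothing replaces it; consider `# HOME_DIR, ROLE and USER are substituted by genhomedircon` above L187.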
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e98a911..713adba 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2678,7 +2678,7 @@ template(`userdom_manage_user_tmp_dirs',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir create_dir_perms;
+ allow $2 $1_tmp_t:dir manage_dir_perms;
')
########################################
@@ -2831,6 +2831,99 @@ template(`userdom_manage_user_tmp_sockets',`
########################################
##
+## Create objects in a user temporary directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+##
+## Create objects in a user temporary directory
+## with an automatic type transition to
+## a specified private type.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created. If not
+## specified, file is used.
+##
+##
+#
+template(`userdom_user_tmp_filetrans',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ allow $2 $1_tmp_t:dir rw_dir_perms;
+ type_transition $2 $1_tmp_t:$4 $3;
+ files_search_tmp($2)
+')
+
+########################################
+##
+## Create objects in the temporary directory
+## with an automatic type transition to
+## the user temporary type.
+##
+##
+##
+## Create objects in the temporary directory
+## with an automatic type transition to
+## the user temporary type.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created. If not
+## specified, file is used.
+##
+##
+#
+template(`userdom_tmp_filetrans_user_tmp',`
+ gen_require(`
+ type $1_home_dir_t;
+ ')
+
+ files_tmp_filetrans($2,$1_tmp_t,$3)
+')
+
+########################################
+##
## Read user tmpfs files.
##
##
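Review bot: `userdom_tmp_filetrans_user_tmp` requires `type $1_home_dir_t;` at L301 but its body uses only `$1_tmp_t` (L304), so the require names the wrong type; it should read `type $1_tmp_t;`. Separately, both new templates document the class argument as "If not specified, file is used" (L249-L250, L294-L295) while `$4` at L260 and `$3` at L304 are expanded verbatim with no fallback, so an omitted class reaches `type_transition` as an empty class list; either supply a default with `ifelse` or drop that sentence from both docs. The summary and description paragraphs of `userdom_user_tmp_filetrans` (L216-L218 and L222-L224) are identical, so the description currently adds nothing.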
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6f96406..b07abb6 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.35)
+policy_module(userdomain,1.3.36)
gen_require(`
role sysadm_r, staff_r, user_r;