diff --git a/policy-F16.patch b/policy-F16.patch
index 24fcf61..8275a64 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -226,7 +226,7 @@ index 4705ab6..0f0bb47 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
-index df8e0fa..92b6177 100644
+index df8e0fa..09eea90 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats)
@@ -266,7 +266,23 @@ index df8e0fa..92b6177 100644
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
-@@ -101,6 +117,9 @@ mlsconstrain process { ptrace }
+@@ -87,10 +103,13 @@ mlsconstrain file { create relabelto }
+
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or ( t1 == mcswriteall ));
++
++mlsconstrain { file lnk_file fifo_file } { create relabelto }
++ ( l2 eq h2 );
+
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ( h1 dom h2 );
+
+ mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
+@@ -101,6 +120,9 @@ mlsconstrain process { ptrace }
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
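Review bot: The reworked `create relabelto` constraints keep the single-level check `( l2 eq h2 )` only for `file lnk_file fifo_file`, so `dir`, `chr_file`, `blk_file` and `sock_file` may now be created or relabeled with a ranged label as long as `( h1 dom h2 )` holds. The context comment "also the objects are single-level" no longer describes the policy and should be narrowed, for example `# New file, lnk_file and fifo_file labels must also be single-level.`. The same hunk exempts `mcswriteall` from the `relabelfrom` dominance check, which stretches a write-override attribute to cover relabeling. A one-line comment on that constraint saying which domains are expected to rely on it would let an audit tell whether the exemption is intended.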
@@ -276,7 +292,7 @@ index df8e0fa..92b6177 100644
#
# MCS policy for SELinux-enabled databases
#
-@@ -144,4 +163,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +166,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@@ -2790,7 +2806,7 @@ index d33daa8..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..17b5426 100644
+index 47a8f7d..a485d76 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -3002,17 +3018,15 @@ index 47a8f7d..17b5426 100644
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +417,9 @@ optional_policy(`
+@@ -377,7 +417,7 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(rpm_script_t)
+ unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
-+ unconfined_execmem_domtrans(rpm_script_t)
optional_policy(`
- java_domtrans_unconfined(rpm_script_t)
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
index c8ef84b..eb4bd05 100644
--- a/policy/modules/admin/sectoolm.te
@@ -3547,7 +3561,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..634c47a 100644
+index 975af1a..748db5b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -3558,9 +3572,11 @@ index 975af1a..634c47a 100644
attribute sudodomain;
')
-@@ -47,26 +48,11 @@ template(`sudo_role_template',`
+@@ -46,27 +47,13 @@ template(`sudo_role_template',`
+ domain_role_change_exemption($1_sudo_t)
ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t;
++ userdom_home_manager($1_sudo_t)
- ##############################
- #
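Review bot: `userdom_home_manager($1_sudo_t)` is added to every sudo role domain here, while the sudo.te hunk further down drops the `use_nfs_home_dirs` / `use_samba_home_dirs` blocks that gave sudodomain only `fs_manage_nfs_files` and `fs_manage_cifs_files`. The interface body is not part of this view, but the gift.te, irc.te and mozilla.te hunks use it in place of dirs, files and symlinks management, so sudo's access on network home directories probably widens from files to directories and symlinks. The gconfdefaultsm_t conversion in gnome.te has the same shape (dirs and files before, no symlinks). If the widening is intended, a line such as `# sudo needs full management of NFS/CIFS home content: <reason>` above the call would record it. sudo_role_template continues outside the hunk.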
@@ -3589,7 +3605,7 @@ index 975af1a..634c47a 100644
allow $1_sudo_t $3:key search;
-@@ -76,88 +62,19 @@ template(`sudo_role_template',`
+@@ -76,88 +63,19 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
@@ -3684,7 +3700,7 @@ index 975af1a..634c47a 100644
')
########################################
-@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
+@@ -177,3 +95,22 @@ interface(`sudo_sigchld',`
allow $1 sudodomain:process sigchld;
')
@@ -3708,10 +3724,10 @@ index 975af1a..634c47a 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..71bf5e8 100644
+index 2731fa1..9ce39dd 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,112 @@ attribute sudodomain;
+@@ -7,3 +7,104 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
@@ -3809,14 +3825,6 @@ index 2731fa1..71bf5e8 100644
+userdom_search_admin_dir(sudodomain)
+userdom_manage_all_users_keys(sudodomain)
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_files(sudodomain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_files(sudodomain)
-+')
-+
+optional_policy(`
+ dbus_system_bus_client(sudodomain)
+')
@@ -4194,7 +4202,7 @@ index 81fb26f..66cf96c 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..cc0406f 100644
+index 441cf22..6bcfc8c 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4421,7 +4429,15 @@ index 441cf22..cc0406f 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -498,21 +517,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -495,24 +514,19 @@ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
+ seutil_domtrans_semanage(useradd_t)
+ seutil_domtrans_setfiles(useradd_t)
++seutil_domtrans_loadpolicy(useradd_t)
++seutil_manage_bin_policy(useradd_t)
++seutil_manage_module_store(useradd_t)
++seutil_get_semanage_trans_lock(useradd_t)
++seutil_get_semanage_read_lock(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
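Review bot: The five added `seutil_*` calls give useradd_t direct management of the binary policy and the module store, both semanage locks and a transition to load_policy, on top of the existing `seutil_domtrans_semanage` and `seutil_domtrans_setfiles`, and the hunk gives no reason for it. This moves policy-store write access out of the dedicated semanage domain and into a domain that parses user-supplied account data. The likely reason is that useradd now updates login mappings through libsemanage in-process, but that is an inference and should be confirmed. Please put the reason next to the rules, for example `# useradd updates SELinux user mappings in-process: <bug reference>`, and check whether `seutil_manage_bin_policy` is still needed once `seutil_domtrans_loadpolicy` is present.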
@@ -4550,7 +4566,7 @@ index 283ff0d..53f9ba1 100644
##
##
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
-index 46ea44f..f7183ef 100644
+index 46ea44f..49ce279 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -56,7 +56,7 @@ logging_send_syslog_msg(cdrecord_t)
@@ -4562,6 +4578,19 @@ index 46ea44f..f7183ef 100644
userdom_read_user_home_content_files(cdrecord_t)
# Handle nfs home dirs
+@@ -109,11 +109,7 @@ tunable_policy(`cdrecord_read_content',`
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- files_search_mnt(cdrecord_t)
+- fs_read_nfs_files(cdrecord_t)
+- fs_read_nfs_symlinks(cdrecord_t)
+-')
++userdom_home_manager(cdrecord_t)
+
+ optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
new file mode 100644
index 0000000..5901e21
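Review bot: The removed `use_nfs_home_dirs` block gave cdrecord_t read-only access (`fs_read_nfs_files`, `fs_read_nfs_symlinks`, `files_search_mnt`), but the replacement is `userdom_home_manager(cdrecord_t)`, the interface the other hunks use where manage access was removed. The gpg.te hunk converts the equivalent read-only block for gpg_pinentry_t to `userdom_home_reader`, so the matching line here would be `userdom_home_reader(cdrecord_t)`. As written, a burning tool that only needs to read source files probably gains write access to NFS and CIFS home content; the interface bodies are not in this view, so please confirm. Also check that the dropped `files_search_mnt(cdrecord_t)` is still granted elsewhere.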
@@ -4715,10 +4744,10 @@ index 0000000..1553356
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..6c642a2
+index 0000000..acb325c
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,175 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -4813,11 +4842,6 @@ index 0000000..6c642a2
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+optional_policy(`
-+ execmem_exec(chrome_sandbox_t)
-+ execmem_execmod(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
+')
@@ -5052,215 +5076,6 @@ index cd70958..e8c94b1 100644
-optional_policy(`
- nscd_socket_use(evolution_webcal_t)
-')
-diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
-new file mode 100644
-index 0000000..5e09952
---- /dev/null
-+++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,49 @@
-+
-+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+ifdef(`distro_gentoo',`
-+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+')
-+/usr/lib/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
-new file mode 100644
-index 0000000..e23f640
---- /dev/null
-+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,132 @@
-+## execmem domain
-+
-+########################################
-+##
-+## Execute the execmem program
-+## in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`execmem_exec',`
-+ gen_require(`
-+ type execmem_exec_t;
-+ ')
-+
-+ can_exec($1, execmem_exec_t)
-+')
-+
-+#######################################
-+##
-+## The role template for the execmem module.
-+##
-+##
-+##
-+## This template creates a derived domains which are used
-+## for execmem applications.
-+##
-+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+template(`execmem_role_template',`
-+ gen_require(`
-+ type execmem_exec_t;
-+ ')
-+
-+ type $1_execmem_t;
-+ domain_type($1_execmem_t)
-+ domain_entry_file($1_execmem_t, execmem_exec_t)
-+ role $2 types $1_execmem_t;
-+
-+ userdom_unpriv_usertype($1, $1_execmem_t)
-+ userdom_manage_tmp_role($2, $1_execmem_t)
-+ userdom_manage_tmpfs_role($2, $1_execmem_t)
-+
-+ allow $1_execmem_t self:process { execmem execstack };
-+ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
-+ domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-+
-+ files_execmod_tmp($1_execmem_t)
-+
-+ allow $3 execmem_exec_t:file execmod;
-+ allow $1_execmem_t execmem_exec_t:file execmod;
-+
-+ # needed by plasma-desktop
-+ optional_policy(`
-+ gnome_read_usr_config($1_execmem_t)
-+ ')
-+
-+ optional_policy(`
-+ mozilla_execmod_user_home_files($1_execmem_t)
-+ ')
-+
-+ optional_policy(`
-+ nsplugin_rw_shm($1_execmem_t)
-+ nsplugin_rw_semaphores($1_execmem_t)
-+ ')
-+
-+ optional_policy(`
-+ xserver_role($2, $1_execmem_t)
-+ ')
-+')
-+
-+########################################
-+##
-+## Execute a execmem_exec file
-+## in the specified domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`execmem_domtrans',`
-+ gen_require(`
-+ type execmem_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, execmem_exec_t, $2)
-+')
-+
-+########################################
-+##
-+## Execmod the execmem_exec applications
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`execmem_execmod',`
-+ gen_require(`
-+ type execmem_exec_t;
-+ ')
-+
-+ allow $1 execmem_exec_t:file execmod;
-+')
-+
-diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
-new file mode 100644
-index 0000000..a7d37e2
---- /dev/null
-+++ b/policy/modules/apps/execmem.te
-@@ -0,0 +1,10 @@
-+policy_module(execmem, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type execmem_exec_t alias unconfined_execmem_exec_t;
-+application_executable_file(execmem_exec_t)
-+
diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc
new file mode 100644
index 0000000..ce498b3
@@ -5409,18 +5224,47 @@ index ac4f509..4b7b763 100644
')
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
-index 6e4add5..10a2ce4 100644
+index 6e4add5..5c81832 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
-@@ -132,7 +132,7 @@ miscfiles_read_localization(giftd_t)
+@@ -70,17 +70,7 @@ sysnet_read_config(gift_t)
+ # giftui looks in .icons, .themes.
+ userdom_dontaudit_read_user_home_content_files(gift_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(gift_t)
+- fs_manage_nfs_files(gift_t)
+- fs_manage_nfs_symlinks(gift_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(gift_t)
+- fs_manage_cifs_files(gift_t)
+- fs_manage_cifs_symlinks(gift_t)
+-')
++userdom_home_manager(gift_t)
+
+ optional_policy(`
+ nscd_socket_use(gift_t)
+@@ -132,16 +122,5 @@ miscfiles_read_localization(giftd_t)
sysnet_read_config(giftd_t)
-userdom_use_user_terminals(giftd_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(giftd_t)
+- fs_manage_nfs_files(giftd_t)
+- fs_manage_nfs_symlinks(giftd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(giftd_t)
+- fs_manage_cifs_files(giftd_t)
+- fs_manage_cifs_symlinks(giftd_t)
+-')
+userdom_use_inherited_user_terminals(giftd_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(giftd_t)
++userdom_home_manager(gitd_t)
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index 00a19e3..9f6139c 100644
--- a/policy/modules/apps/gnome.fc
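Review bot: The last added line of the gift.te section reads `userdom_home_manager(gitd_t)`, but every rule it replaces is for `giftd_t`, so this looks like a typo for `userdom_home_manager(giftd_t)`. As written, giftd_t loses its NFS/CIFS home access, and the call names a type that gift.te does not declare in the visible lines. That would either break the module build or, if `gitd_t` resolves from the git module, give the home-manager access to the wrong daemon. The gift_t conversion earlier in the same section is fine.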
@@ -5474,10 +5318,10 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..deab06c 100644
+index f5afe78..8fe4b66 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,786 @@
+@@ -1,44 +1,819 @@
## GNU network object model environment (GNOME)
-############################################################
@@ -5552,6 +5396,8 @@ index f5afe78..deab06c 100644
+ ubac_constrained($1_gkeyringd_t)
+ domain_user_exemption_target($1_gkeyringd_t)
+
++ userdom_home_manager($1_gkeyringd_t)
++
+ role $2 types $1_gkeyringd_t;
+
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
@@ -5780,6 +5626,37 @@ index f5afe78..deab06c 100644
+
+########################################
+##
++## Create objects in a Gnome cache home directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++#
++interface(`gnome_config_filetrans',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ filetrans_pattern($1, config_home_t, $2, $3, $4)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
+## Read generic cache home files (.cache)
+##
+##
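Review bot: The header of the new `gnome_config_filetrans` interface says "Create objects in a Gnome cache home directory", but the body transitions in `config_home_t`, so the summary appears to have been copied from the cache variant and should read "Gnome config home directory". The body also passes `$4` to `filetrans_pattern`, while only three parameters are described (domain, object type, object class). Please add a description for the fourth argument, saying that it is the object name for the transition and whether it may be omitted. The surrounding gnome.if additions continue outside this hunk.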
@@ -6283,7 +6160,7 @@ index f5afe78..deab06c 100644
##
##
##
-@@ -46,37 +788,117 @@ interface(`gnome_role',`
+@@ -46,37 +821,117 @@ interface(`gnome_role',`
##
##
#
@@ -6411,7 +6288,7 @@ index f5afe78..deab06c 100644
##
##
##
-@@ -84,37 +906,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +939,53 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -6476,7 +6353,7 @@ index f5afe78..deab06c 100644
##
##
##
-@@ -122,17 +960,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +993,17 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
@@ -6498,7 +6375,7 @@ index f5afe78..deab06c 100644
##
##
##
-@@ -140,51 +978,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1011,299 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -6815,7 +6692,7 @@ index f5afe78..deab06c 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..45b4ca9 100644
+index 2505654..14d7e30 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
@@ -6893,7 +6770,7 @@ index 2505654..45b4ca9 100644
##############################
#
# Local Policy
-@@ -75,3 +113,168 @@ optional_policy(`
+@@ -75,3 +113,151 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -6937,15 +6814,7 @@ index 2505654..45b4ca9 100644
+ policykit_read_reload(gconfdefaultsm_t)
+')
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(gconfdefaultsm_t)
-+ fs_manage_nfs_files(gconfdefaultsm_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(gconfdefaultsm_t)
-+ fs_manage_cifs_files(gconfdefaultsm_t)
-+')
++userdom_home_manager(gconfdefaultsm_t)
+
+#######################################
+#
@@ -7017,6 +6886,7 @@ index 2505654..45b4ca9 100644
+
+dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
++dev_read_sysfs(gkeyringd_domain)
+
+files_read_etc_files(gkeyringd_domain)
+files_read_usr_files(gkeyringd_domain)
@@ -7052,16 +6922,6 @@ index 2505654..45b4ca9 100644
+
+userdom_use_inherited_user_terminals(gnome_domain)
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_getattr_nfs(gkeyringd_domain)
-+ fs_manage_nfs_dirs(gkeyringd_domain)
-+ fs_manage_nfs_files(gkeyringd_domain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(gkeyringd_domain)
-+ fs_manage_cifs_files(gkeyringd_domain)
-+')
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index e9853d4..6864b58 100644
--- a/policy/modules/apps/gpg.fc
@@ -7147,7 +7007,7 @@ index 40e0a2a..93d212c 100644
##
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..401a4ec 100644
+index 9050e8c..80f8c31 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -7205,7 +7065,7 @@ index 9050e8c..401a4ec 100644
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -123,11 +139,14 @@ logging_send_syslog_msg(gpg_t)
+@@ -123,22 +139,26 @@ logging_send_syslog_msg(gpg_t)
miscfiles_read_localization(gpg_t)
@@ -7222,21 +7082,25 @@ index 9050e8c..401a4ec 100644
mta_write_config(gpg_t)
-@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',`
- ')
-
- optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(gpg_t)
+- fs_manage_nfs_files(gpg_t)
++userdom_home_manager(gpg_t)
++
++optional_policy(`
+ gnome_read_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
-+')
-+
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(gpg_t)
+- fs_manage_cifs_files(gpg_t)
+optional_policy(`
+ mta_read_spool(gpg_t)
-+')
-+
-+optional_policy(`
- mozilla_read_user_home_files(gpg_t)
- mozilla_write_user_home_files(gpg_t)
+ ')
+
+ optional_policy(`
+@@ -147,15 +167,19 @@ optional_policy(`
')
optional_policy(`
@@ -7260,7 +7124,7 @@ index 9050e8c..401a4ec 100644
########################################
#
# GPG helper local policy
-@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t)
+@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t)
auth_use_nsswitch(gpg_helper_t)
@@ -7269,7 +7133,7 @@ index 9050e8c..401a4ec 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -7283,7 +7147,7 @@ index 9050e8c..401a4ec 100644
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+@@ -239,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
@@ -7306,7 +7170,23 @@ index 9050e8c..401a4ec 100644
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
')
-@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(gpg_agent_t)
+- fs_manage_nfs_files(gpg_agent_t)
+- fs_manage_nfs_symlinks(gpg_agent_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(gpg_agent_t)
+- fs_manage_cifs_files(gpg_agent_t)
+- fs_manage_cifs_symlinks(gpg_agent_t)
+-')
++userdom_home_manager(gpg_agent_t)
+
+ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+@@ -332,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -7315,18 +7195,19 @@ index 9050e8c..401a4ec 100644
+userdom_signull_unpriv_users(gpg_pinentry_t)
+userdom_use_user_terminals(gpg_pinentry_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',`
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(gpg_pinentry_t)
+-')
++userdom_home_reader(gpg_pinentry_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(gpg_pinentry_t)
++optional_policy(`
++ gnome_read_home_config(gpg_pinentry_t)
')
optional_policy(`
-+ gnome_read_home_config(gpg_pinentry_t)
-+')
-+
-+optional_policy(`
- dbus_session_bus_client(gpg_pinentry_t)
- dbus_system_bus_client(gpg_pinentry_t)
+@@ -347,6 +365,12 @@ optional_policy(`
')
optional_policy(`
@@ -7339,7 +7220,7 @@ index 9050e8c..401a4ec 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +404,28 @@ optional_policy(`
+@@ -356,4 +380,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -7422,7 +7303,7 @@ index 4f9dc90..81a0fc6 100644
+ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
-index 66beb80..b69a628 100644
+index 66beb80..4bc18b6 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t)
@@ -7456,20 +7337,27 @@ index 66beb80..b69a628 100644
# Local policy
#
-@@ -84,7 +108,7 @@ seutil_use_newrole_fds(irc_t)
+@@ -84,20 +108,75 @@ seutil_use_newrole_fds(irc_t)
sysnet_read_config(irc_t)
# Write to the user domain tty.
-userdom_use_user_terminals(irc_t)
+userdom_use_inherited_user_terminals(irc_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(irc_t)
-@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',`
- optional_policy(`
- nis_use_ypbind(irc_t)
- ')
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(irc_t)
+- fs_manage_nfs_files(irc_t)
+- fs_manage_nfs_symlinks(irc_t)
++userdom_home_manager(irc_t)
+
++optional_policy(`
++ nis_use_ypbind(irc_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(irc_t)
+- fs_manage_cifs_files(irc_t)
+- fs_manage_cifs_symlinks(irc_t)
+########################################
+#
+# Irssi personal declarations.
@@ -7527,162 +7415,13 @@ index 66beb80..b69a628 100644
+ corenet_tcp_connect_all_ports(irssi_t)
+ corenet_sendrecv_generic_server_packets(irssi_t)
+ corenet_sendrecv_all_client_packets(irssi_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs', `
-+ fs_manage_nfs_dirs(irssi_t)
-+ fs_manage_nfs_files(irssi_t)
-+ fs_manage_nfs_symlinks(irssi_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs', `
-+ fs_manage_cifs_dirs(irssi_t)
-+ fs_manage_cifs_files(irssi_t)
-+ fs_manage_cifs_symlinks(irssi_t)
-+')
-+
-+optional_policy(`
-+ automount_dontaudit_getattr_tmp_dirs(irssi_t)
-+')
-diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
-index 86c1768..5d2130c 100644
---- a/policy/modules/apps/java.fc
-+++ b/policy/modules/apps/java.fc
-@@ -5,10 +5,13 @@
- /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
- /opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
- #
- # /usr
- #
-+/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -27,12 +30,14 @@
- /usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
--/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-
- /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
- /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
-+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
- ')
-diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
-index e6d84e8..7c398c0 100644
---- a/policy/modules/apps/java.if
-+++ b/policy/modules/apps/java.if
-@@ -72,7 +72,8 @@ template(`java_role_template',`
-
- domain_interactive_fd($1_java_t)
-
-- userdom_manage_user_tmpfs_files($1_java_t)
-+ userdom_unpriv_usertype($1, $1_java_t)
-+ userdom_manage_tmpfs_role($2, $1_java_t)
-
- allow $1_java_t self:process { ptrace signal getsched execmem execstack };
-
-@@ -82,7 +83,7 @@ template(`java_role_template',`
-
- domtrans_pattern($3, java_exec_t, $1_java_t)
-
-- corecmd_bin_domtrans($1_java_t, $3)
-+ corecmd_bin_domtrans($1_java_t, $1_t)
-
- dev_dontaudit_append_rand($1_java_t)
-
-@@ -105,7 +106,7 @@ template(`java_role_template',`
- ##
- ##
- #
--template(`java_domtrans',`
-+interface(`java_domtrans',`
- gen_require(`
- type java_t, java_exec_t;
- ')
-@@ -179,6 +180,10 @@ interface(`java_run_unconfined',`
-
- java_domtrans_unconfined($1)
- role $2 types unconfined_java_t;
-+
-+ optional_policy(`
-+ nsplugin_role_notrans($2, unconfined_java_t)
-+ ')
')
- ########################################
-diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
-index 167950d..27d37b0 100644
---- a/policy/modules/apps/java.te
-+++ b/policy/modules/apps/java.te
-@@ -82,18 +82,20 @@ dev_read_urand(java_t)
- dev_read_rand(java_t)
- dev_dontaudit_append_rand(java_t)
-
-+files_read_etc_files(java_t)
- files_read_usr_files(java_t)
- files_search_home(java_t)
- files_search_var_lib(java_t)
- files_read_etc_runtime_files(java_t)
- # Read global fonts and font config
--files_read_etc_files(java_t)
-
- fs_getattr_xattr_fs(java_t)
- fs_dontaudit_rw_tmpfs_files(java_t)
-
- logging_send_syslog_msg(java_t)
-
-+auth_use_nsswitch(java_t)
++userdom_home_manager(irssi_t)
+
- miscfiles_read_localization(java_t)
- # Read global fonts and font config
- miscfiles_read_fonts(java_t)
-@@ -123,14 +125,6 @@ tunable_policy(`allow_java_execstack',`
- ')
-
optional_policy(`
-- nis_use_ypbind(java_t)
--')
--
--optional_policy(`
-- nscd_socket_use(java_t)
--')
--
--optional_policy(`
- xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
- ')
-
-@@ -143,14 +137,21 @@ optional_policy(`
- # execheap is needed for itanium/BEA jrocket
- allow unconfined_java_t self:process { execstack execmem execheap };
-
-+ init_dbus_chat_script(unconfined_java_t)
-+
- files_execmod_all_files(unconfined_java_t)
-
- init_dbus_chat_script(unconfined_java_t)
-
- unconfined_domain_noaudit(unconfined_java_t)
- unconfined_dbus_chat(unconfined_java_t)
-+ userdom_unpriv_usertype(unconfined, unconfined_java_t)
-
- optional_policy(`
- rpm_domtrans(unconfined_java_t)
- ')
-+
-+ optional_policy(`
-+ wine_domtrans(unconfined_java_t)
-+ ')
+- nis_use_ypbind(irc_t)
++ automount_dontaudit_getattr_tmp_dirs(irssi_t)
')
diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
new file mode 100644
@@ -7944,44 +7683,6 @@ index 0bac996..ca2388d 100644
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
-diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
-index 7b08e13..b2b83ad 100644
---- a/policy/modules/apps/mono.if
-+++ b/policy/modules/apps/mono.if
-@@ -40,16 +40,16 @@ template(`mono_role_template',`
- domain_interactive_fd($1_mono_t)
- application_type($1_mono_t)
-
-- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
--
-- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
-+ allow $1_mono_t self:process { signal getsched execheap execmem execstack };
-+ allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
-
- domtrans_pattern($3, mono_exec_t, $1_mono_t)
-
- fs_dontaudit_rw_tmpfs_files($1_mono_t)
- corecmd_bin_domtrans($1_mono_t, $1_t)
-
-- userdom_manage_user_tmpfs_files($1_mono_t)
-+ userdom_unpriv_usertype($1, $1_mono_t)
-+ userdom_manage_tmpfs_role($2, $1_mono_t)
-
- optional_policy(`
- xserver_role($1_r, $1_mono_t)
-diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
-index dff0f12..ecab36d 100644
---- a/policy/modules/apps/mono.te
-+++ b/policy/modules/apps/mono.te
-@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
- # Local policy
- #
-
--allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
-+allow mono_t self:process { signal getsched execheap execmem execstack };
-
- init_dbus_chat_script(mono_t)
-
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 93ac529..35b51ab 100644
--- a/policy/modules/apps/mozilla.fc
@@ -8170,7 +7871,7 @@ index fbb5c5a..b9b8ac2 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..69e2534 100644
+index 2e9318b..add01a5 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -8213,7 +7914,7 @@ index 2e9318b..69e2534 100644
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-@@ -165,14 +172,18 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +172,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -8228,14 +7929,26 @@ index 2e9318b..69e2534 100644
- allow mozilla_t self:process { execmem execstack };
+tunable_policy(`allow_execstack',`
+ allow mozilla_t self:process execstack;
-+')
-+
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_t)
+- fs_manage_nfs_files(mozilla_t)
+- fs_manage_nfs_symlinks(mozilla_t)
+tunable_policy(`deny_execmem',`',`
+ allow mozilla_t self:process execmem;
')
- tunable_policy(`use_nfs_home_dirs',`
-@@ -262,6 +273,7 @@ optional_policy(`
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_t)
+- fs_manage_cifs_files(mozilla_t)
+- fs_manage_cifs_symlinks(mozilla_t)
+-')
++userdom_home_manager(mozilla_t)
+
+ # Uploads, local html
+ tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+@@ -262,6 +263,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
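Review bot: The `userdom_home_manager(mozilla_t)` call that replaces the two `tunable_policy` blocks in mozilla.te has no comment saying whether NFS/CIFS home access is still conditional on `use_nfs_home_dirs` and `use_samba_home_dirs`, and the interface body is not part of this diff. If the interface keeps that gating, a one-line comment such as `# NFS/CIFS home access; conditional on use_nfs_home_dirs / use_samba_home_dirs inside the interface` would let a reader confirm that nothing became unconditional. The same applies to the calls added for mozilla_plugin_t, mencoder_t, mplayer_t, the telepathy domains, thunderbird_t, tvtime_t and wireshark_t. For the telepathy domains the removed blocks granted only dirs and files, so the interface presumably adds symlink management there; it is worth confirming that this is intended.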
@@ -8243,7 +7956,7 @@ index 2e9318b..69e2534 100644
')
optional_policy(`
-@@ -278,7 +290,8 @@ optional_policy(`
+@@ -278,7 +280,8 @@ optional_policy(`
')
optional_policy(`
@@ -8253,7 +7966,7 @@ index 2e9318b..69e2534 100644
')
optional_policy(`
-@@ -296,16 +309,19 @@ optional_policy(`
+@@ -296,16 +299,19 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -8277,7 +7990,7 @@ index 2e9318b..69e2534 100644
can_exec(mozilla_plugin_t, mozilla_home_t)
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +329,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+@@ -313,8 +319,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -8290,7 +8003,7 @@ index 2e9318b..69e2534 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -332,11 +350,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +340,9 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -8304,17 +8017,19 @@ index 2e9318b..69e2534 100644
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +360,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +350,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_ftp_port(mozilla_plugin_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -385,20 +404,26 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,33 +396,29 @@ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
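Review bot: `corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)` is added unconditionally next to the per-service connect rules, which lets the plugin domain open TCP connections to any port in the ephemeral range and weakens the port allow-list above it. If it is needed for FTP data connections (an inference from the `corenet_tcp_connect_ftp_port` line added with it), say so in a comment, for example `# passive FTP data connections use ephemeral ports`. Consider placing the rule under a `tunable_policy` so it can be switched off, as telepathy.te does with `telepathy_tcp_connect_generic_network_ports`.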
@@ -8343,8 +8058,22 @@ index 2e9318b..69e2534 100644
+ allow mozilla_plugin_t self:process execstack;
')
- tunable_policy(`use_nfs_home_dirs',`
-@@ -425,7 +450,13 @@ optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_plugin_t)
+- fs_manage_nfs_files(mozilla_plugin_t)
+- fs_manage_nfs_symlinks(mozilla_plugin_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_t)
+- fs_manage_cifs_files(mozilla_plugin_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_t)
+-')
++userdom_home_manager(mozilla_plugin_t)
+
+ optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+@@ -425,7 +432,13 @@ optional_policy(`
')
optional_policy(`
@@ -8358,7 +8087,7 @@ index 2e9318b..69e2534 100644
')
optional_policy(`
-@@ -438,7 +469,14 @@ optional_policy(`
+@@ -438,7 +451,14 @@ optional_policy(`
')
optional_policy(`
@@ -8374,7 +8103,7 @@ index 2e9318b..69e2534 100644
')
optional_policy(`
-@@ -446,10 +484,27 @@ optional_policy(`
+@@ -446,10 +466,27 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -8447,7 +8176,7 @@ index d8ea41d..8bdc526 100644
+ domtrans_pattern($1, mplayer_exec_t, $2)
+')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
-index 072a210..8b1fa1b 100644
+index 072a210..320963b 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
@@ -8458,7 +8187,7 @@ index 072a210..8b1fa1b 100644
userdom_user_home_content(mplayer_home_t)
type mplayer_tmpfs_t;
-@@ -76,7 +77,7 @@ storage_raw_read_removable_device(mencoder_t)
+@@ -76,13 +77,14 @@ storage_raw_read_removable_device(mencoder_t)
miscfiles_read_localization(mencoder_t)
@@ -8467,7 +8196,14 @@ index 072a210..8b1fa1b 100644
# Handle removable media, /tmp, and /home
userdom_list_user_tmp(mencoder_t)
userdom_read_user_tmp_files(mencoder_t)
-@@ -91,7 +92,7 @@ ifndef(`enable_mls',`
+ userdom_read_user_tmp_symlinks(mencoder_t)
+ userdom_read_user_home_content_files(mencoder_t)
+ userdom_read_user_home_content_symlinks(mencoder_t)
++userdom_home_manager(mencoder_t)
+
+ # Read content to encode
+ ifndef(`enable_mls',`
+@@ -91,7 +93,7 @@ ifndef(`enable_mls',`
fs_read_removable_symlinks(mencoder_t)
')
@@ -8476,7 +8212,54 @@ index 072a210..8b1fa1b 100644
allow mencoder_t self:process execmem;
')
-@@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+@@ -103,46 +105,6 @@ tunable_policy(`allow_mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mencoder_t)
+- fs_manage_nfs_files(mencoder_t)
+- fs_manage_nfs_symlinks(mencoder_t)
+-
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mencoder_t)
+- fs_manage_cifs_files(mencoder_t)
+- fs_manage_cifs_symlinks(mencoder_t)
+-
+-')
+-
+-# Read content to encode
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(mencoder_t)
+- files_list_home(mencoder_t)
+- fs_read_nfs_files(mencoder_t)
+- fs_read_nfs_symlinks(mencoder_t)
+-
+-',`
+- files_dontaudit_list_home(mencoder_t)
+- fs_dontaudit_list_auto_mountpoints(mencoder_t)
+- fs_dontaudit_read_nfs_files(mencoder_t)
+- fs_dontaudit_list_nfs(mencoder_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_auto_mountpoints(mencoder_t)
+- files_list_home(mencoder_t)
+- fs_read_cifs_files(mencoder_t)
+- fs_read_cifs_symlinks(mencoder_t)
+-',`
+- files_dontaudit_list_home(mencoder_t)
+- fs_dontaudit_list_auto_mountpoints(mencoder_t)
+- fs_dontaudit_read_cifs_files(mencoder_t)
+- fs_dontaudit_list_cifs(mencoder_t)
+-')
+-
+ ########################################
+ #
+ # mplayer local policy
+@@ -159,6 +121,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
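Review bot: The removed `tunable_policy` blocks for mencoder_t had else-branches with `dontaudit` interfaces (`files_dontaudit_list_home`, `fs_dontaudit_read_nfs_files`, `fs_dontaudit_list_cifs` and others) that applied when the tunables were off, and the single `userdom_home_manager(mencoder_t)` call added earlier in the file may not reproduce them. The interface body is outside this diff, so this is unverified; if it does not, denials that used to be silenced will show up in the audit log on systems without network home directories. The mplayer_t hunk further down removes the same else-branches. Either confirm that the interface covers the disabled case or retain the else-branches.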
@@ -8484,7 +8267,7 @@ index 072a210..8b1fa1b 100644
manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
-@@ -225,10 +227,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
+@@ -225,10 +188,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
fs_list_inotifyfs(mplayer_t)
@@ -8500,7 +8283,15 @@ index 072a210..8b1fa1b 100644
# Read media files
userdom_list_user_tmp(mplayer_t)
userdom_read_user_tmp_files(mplayer_t)
-@@ -246,7 +252,7 @@ ifdef(`enable_mls',`',`
+@@ -236,6 +203,7 @@ userdom_read_user_tmp_symlinks(mplayer_t)
+ userdom_read_user_home_content_files(mplayer_t)
+ userdom_read_user_home_content_symlinks(mplayer_t)
+ userdom_write_user_tmp_sockets(mplayer_t)
++userdom_home_manager(mplayer_t)
+
+ xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+@@ -246,7 +214,7 @@ ifdef(`enable_mls',`',`
fs_read_removable_symlinks(mplayer_t)
')
@@ -8509,7 +8300,55 @@ index 072a210..8b1fa1b 100644
allow mplayer_t self:process execmem;
')
-@@ -305,7 +311,7 @@ optional_policy(`
+@@ -258,54 +226,19 @@ tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mplayer_t)
+- fs_manage_nfs_files(mplayer_t)
+- fs_manage_nfs_symlinks(mplayer_t)
+-')
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mplayer_t)
+- fs_manage_cifs_files(mplayer_t)
+- fs_manage_cifs_symlinks(mplayer_t)
+-')
+-
+ # Legacy domain issues
+ tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+ ')
+
+-# Read songs
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(mplayer_t)
+- files_list_home(mplayer_t)
+- fs_read_nfs_files(mplayer_t)
+- fs_read_nfs_symlinks(mplayer_t)
+-
+-',`
+- files_dontaudit_list_home(mplayer_t)
+- fs_dontaudit_list_auto_mountpoints(mplayer_t)
+- fs_dontaudit_read_nfs_files(mplayer_t)
+- fs_dontaudit_list_nfs(mplayer_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_auto_mountpoints(mplayer_t)
+- files_list_home(mplayer_t)
+- fs_read_cifs_files(mplayer_t)
+- fs_read_cifs_symlinks(mplayer_t)
+-',`
+- files_dontaudit_list_home(mplayer_t)
+- fs_dontaudit_list_auto_mountpoints(mplayer_t)
+- fs_dontaudit_read_cifs_files(mplayer_t)
+- fs_dontaudit_list_cifs(mplayer_t)
+-')
++userdom_home_manager(mplayer_t)
+
+ optional_policy(`
+ alsa_read_rw_config(mplayer_t)
')
optional_policy(`
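Review bot: `userdom_home_manager(mplayer_t)` is now called twice in mplayer.te, once after `userdom_write_user_tmp_sockets(mplayer_t)` in the previous hunk and again here in place of the removed tunable blocks. The second call is redundant; drop one so the grant is stated in a single place. Keeping the one beside the other `userdom_*` home-content lines reads best.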
@@ -9122,10 +8961,10 @@ index 0000000..fce899a
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..3b6b4cb
+index 0000000..cc6b555
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,327 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -9336,10 +9175,6 @@ index 0000000..3b6b4cb
+')
+
+optional_policy(`
-+ unconfined_execmem_signull(nsplugin_t)
-+')
-+
-+optional_policy(`
+ sandbox_read_tmpfs_files(nsplugin_t)
+')
+
@@ -9457,171 +9292,6 @@ index 0000000..3b6b4cb
+ pulseaudio_manage_home_files(nsplugin_t)
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
-+
-+optional_policy(`
-+ unconfined_execmem_exec(nsplugin_t)
-+')
-diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
-new file mode 100644
-index 0000000..4428be4
---- /dev/null
-+++ b/policy/modules/apps/openoffice.fc
-@@ -0,0 +1,3 @@
-+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-+/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-+
-diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
-new file mode 100644
-index 0000000..792bf9c
---- /dev/null
-+++ b/policy/modules/apps/openoffice.if
-@@ -0,0 +1,124 @@
-+## Openoffice
-+
-+#######################################
-+##
-+## The per role template for the openoffice module.
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`openoffice_plugin_role',`
-+ gen_require(`
-+ type openoffice_exec_t;
-+ type openoffice_t;
-+ ')
-+
-+ ########################################
-+ #
-+ # Local policy
-+ #
-+
-+ domtrans_pattern($1, openoffice_exec_t, openoffice_t)
-+ allow $1 openoffice_t:process { signal sigkill };
-+')
-+
-+#######################################
-+##
-+## role for openoffice
-+##
-+##
-+##
-+## This template creates a derived domains which are used
-+## for java applications.
-+##
-+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`openoffice_role_template',`
-+ gen_require(`
-+ type openoffice_exec_t;
-+ ')
-+
-+ role $2 types $1_openoffice_t;
-+
-+ type $1_openoffice_t;
-+ domain_type($1_openoffice_t)
-+ domain_entry_file($1_openoffice_t, openoffice_exec_t)
-+ domain_interactive_fd($1_openoffice_t)
-+
-+ userdom_unpriv_usertype($1, $1_openoffice_t)
-+ userdom_exec_user_home_content_files($1_openoffice_t)
-+
-+ allow $1_openoffice_t self:process { getsched sigkill execmem execstack };
-+
-+ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
-+ allow $1_openoffice_t $3:tcp_socket { read write };
-+
-+ domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
-+
-+ dev_read_urand($1_openoffice_t)
-+ dev_read_rand($1_openoffice_t)
-+
-+ fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
-+
-+ allow $3 $1_openoffice_t:process { signal sigkill };
-+ allow $1_openoffice_t $3:unix_stream_socket connectto;
-+
-+ optional_policy(`
-+ xserver_role($2, $1_openoffice_t)
-+ ')
-+')
-+
-+########################################
-+##
-+## Execute openoffice_exec_t
-+## in the specified domain.
-+##
-+##
-+##
-+## Execute a openoffice_exec_t
-+## in the specified domain.
-+##
-+##
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`openoffice_exec_domtrans',`
-+ gen_require(`
-+ type openoffice_exec_t;
-+ ')
-+
-+ allow $2 openoffice_exec_t:file entrypoint;
-+ domtrans_pattern($1, openoffice_exec_t, $2)
-+')
-diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
-new file mode 100644
-index 0000000..a842371
---- /dev/null
-+++ b/policy/modules/apps/openoffice.te
-@@ -0,0 +1,16 @@
-+policy_module(openoffice, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type openoffice_t;
-+type openoffice_exec_t;
-+application_domain(openoffice_t, openoffice_exec_t)
-+
-+########################################
-+#
-+# Unconfined java local policy
-+#
-+
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index ccc15ab..9f88c3a 100644
--- a/policy/modules/apps/podsleuth.te
@@ -9733,18 +9403,24 @@ index f40c64d..aa9e8e2 100644
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index d1eace5..5314e57 100644
+index d1eace5..3411497 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
-@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -43,8 +43,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs(pulseaudio_t)
-+userdom_search_admin_dir(pulseaudio_t)
++# ~/.esd_auth - maybe we should label this pulseaudit_home_t?
++userdom_read_user_home_content_files(pulseaudio_t)
++userdom_search_admin_dir(pulseaudio_t)
++
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+ manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+@@ -53,7 +58,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
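Review bot: `userdom_read_user_home_content_files(pulseaudio_t)` gives pulseaudio_t read access to every file carrying the generic user home label in order to reach one file, `~/.esd_auth`, as the added comment itself notes. pulseaudio_t already manages `pulseaudio_home_t` files in the lines just above, so labelling `~/.esd_auth` as `pulseaudio_home_t` would remove the need for the broad read. That means a file-context entry, plus a named transition like the `.pulse-cookie` one in pulseaudio.if if the policy version supports it. The comment also misspells the type and should read `# ~/.esd_auth - maybe we should label this pulseaudio_home_t?`.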
@@ -9753,7 +9429,7 @@ index d1eace5..5314e57 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -85,8 +86,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
+@@ -85,8 +90,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
@@ -9764,7 +9440,7 @@ index d1eace5..5314e57 100644
auth_use_nsswitch(pulseaudio_t)
-@@ -94,10 +95,29 @@ logging_send_syslog_msg(pulseaudio_t)
+@@ -94,10 +99,29 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
@@ -9798,7 +9474,7 @@ index d1eace5..5314e57 100644
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
-@@ -127,10 +147,24 @@ optional_policy(`
+@@ -127,10 +151,24 @@ optional_policy(`
')
optional_policy(`
@@ -9823,7 +9499,7 @@ index d1eace5..5314e57 100644
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -148,3 +182,7 @@ optional_policy(`
+@@ -148,3 +186,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -11010,7 +10686,7 @@ index c8254dd..340a2d7 100644
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index a57e81e..f9fbc60 100644
+index a57e81e..b0b3ce6 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -25,6 +25,7 @@ template(`screen_role_template',`
@@ -11021,7 +10697,7 @@ index a57e81e..f9fbc60 100644
')
########################################
-@@ -32,51 +33,18 @@ template(`screen_role_template',`
+@@ -32,51 +33,20 @@ template(`screen_role_template',`
# Declarations
#
@@ -11066,7 +10742,8 @@ index a57e81e..f9fbc60 100644
- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-
- allow $1_screen_t $3:process signal;
--
++ userdom_home_reader($1_screen_t)
+
domtrans_pattern($3, screen_exec_t, $1_screen_t)
allow $3 $1_screen_t:process { signal sigchld };
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
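Review bot: `userdom_home_reader($1_screen_t)` is added inside `screen_role_template` on the per-role type, while the NFS/CIFS rules it appears to replace were written against the `screen_domain` attribute in screen.te and allowed only listing directories and reading symlinks. If `userdom_home_reader` also grants reading regular files on network home directories (its body is not in this diff), this widens what screen can read. A comment stating why, e.g. `# read ~/.screenrc on NFS/CIFS home directories`, would document the intent. Placing the call in screen.te as `userdom_home_reader(screen_domain)` would also keep it with the other attribute-based `userdom_*` lines. The template body starts and ends outside this hunk.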
@@ -11076,7 +10753,7 @@ index a57e81e..f9fbc60 100644
manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -87,77 +55,22 @@ template(`screen_role_template',`
+@@ -87,77 +57,22 @@ template(`screen_role_template',`
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -11155,7 +10832,7 @@ index a57e81e..f9fbc60 100644
')
')
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
-index 553bc73..b3b144c 100644
+index 553bc73..0bd13e3 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -5,6 +5,8 @@ policy_module(screen, 2.3.1)
@@ -11167,7 +10844,7 @@ index 553bc73..b3b144c 100644
type screen_exec_t;
application_executable_file(screen_exec_t)
-@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t
+@@ -24,3 +26,92 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
files_pid_file(screen_var_run_t)
ubac_constrained(screen_var_run_t)
@@ -11260,15 +10937,6 @@ index 553bc73..b3b144c 100644
+userdom_setattr_user_ptys(screen_domain)
+userdom_setattr_user_ttys(screen_domain)
+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_symlinks(screen_domain)
-+ fs_list_cifs(screen_domain)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs(screen_domain)
-+ fs_read_nfs_symlinks(screen_domain)
-+')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..a01511f 100644
--- a/policy/modules/apps/seunshare.if
@@ -11627,7 +11295,7 @@ index 3cfb128..d49274d 100644
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..546f5a5 100644
+index 2533ea0..7942965 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -11675,18 +11343,30 @@ index 2533ea0..546f5a5 100644
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -112,6 +130,10 @@ optional_policy(`
- dbus_system_bus_client(telepathy_gabble_t)
+@@ -98,18 +116,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
')
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_gabble_t)
+- fs_manage_nfs_files(telepathy_gabble_t)
+-')
++userdom_home_manager(telepathy_gabble_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(telepathy_gabble_t)
+- fs_manage_cifs_files(telepathy_gabble_t)
+optional_policy(`
++ dbus_system_bus_client(telepathy_gabble_t)
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(telepathy_gabble_t)
+ gnome_manage_home_config(telepathy_gabble_t)
-+')
-+
+ ')
+
#######################################
- #
- # Telepathy Idle local policy.
-@@ -147,10 +169,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -147,10 +161,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
@@ -11700,19 +11380,26 @@ index 2533ea0..546f5a5 100644
files_read_etc_files(telepathy_logger_t)
files_read_usr_files(telepathy_logger_t)
-@@ -168,6 +193,11 @@ tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(telepathy_logger_t)
- ')
+@@ -158,14 +175,11 @@ files_search_pids(telepathy_logger_t)
+
+ fs_getattr_all_fs(telepathy_logger_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_logger_t)
+- fs_manage_nfs_files(telepathy_logger_t)
+-')
++userdom_home_manager(telepathy_logger_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(telepathy_logger_t)
+- fs_manage_cifs_files(telepathy_logger_t)
+optional_policy(`
+ # ~/.config/dconf/user
+ gnome_manage_home_config(telepathy_logger_t)
-+')
-+
+ ')
+
#######################################
- #
- # Telepathy Mission-Control local policy.
-@@ -176,6 +206,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +190,12 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -11725,10 +11412,15 @@ index 2533ea0..546f5a5 100644
dev_read_rand(telepathy_mission_control_t)
-@@ -194,6 +230,26 @@ tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(telepathy_mission_control_t)
- ')
+@@ -184,14 +204,26 @@ fs_getattr_all_fs(telepathy_mission_control_t)
+ files_read_etc_files(telepathy_mission_control_t)
+ files_read_usr_files(telepathy_mission_control_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_mission_control_t)
+- fs_manage_nfs_files(telepathy_mission_control_t)
++userdom_home_manager(telepathy_mission_control_t)
++
+optional_policy(`
+ dbus_system_bus_client(telepathy_mission_control_t)
+
@@ -11741,18 +11433,19 @@ index 2533ea0..546f5a5 100644
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_mission_control_t)
+ ')
-+')
-+
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(telepathy_mission_control_t)
+- fs_manage_cifs_files(telepathy_mission_control_t)
+# ~/.cache/.mc_connections.
+optional_policy(`
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
-+')
-+
+ ')
+
#######################################
- #
- # Telepathy Butterfly and Haze local policy.
-@@ -205,8 +261,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -11764,7 +11457,7 @@ index 2533ea0..546f5a5 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -228,6 +287,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
+@@ -228,6 +263,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
files_read_etc_files(telepathy_msn_t)
files_read_usr_files(telepathy_msn_t)
@@ -11773,7 +11466,7 @@ index 2533ea0..546f5a5 100644
libs_exec_ldconfig(telepathy_msn_t)
logging_send_syslog_msg(telepathy_msn_t)
-@@ -246,6 +307,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +283,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
@@ -11784,7 +11477,7 @@ index 2533ea0..546f5a5 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -361,14 +426,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,14 +402,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
allow telepathy_domain self:tcp_socket create_socket_perms;
allow telepathy_domain self:udp_socket create_socket_perms;
@@ -11803,7 +11496,7 @@ index 2533ea0..546f5a5 100644
miscfiles_read_localization(telepathy_domain)
optional_policy(`
-@@ -376,5 +443,23 @@ optional_policy(`
+@@ -376,5 +419,23 @@ optional_policy(`
')
optional_policy(`
@@ -12014,11 +11707,34 @@ index 0000000..01584ce
+ gnome_read_generic_data_home_files(thumb_t)
+ gnome_manage_gstreamer_home_files(thumb_t)
+')
+diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
+index f50789e..9ba6da8 100644
+--- a/policy/modules/apps/thunderbird.te
++++ b/policy/modules/apps/thunderbird.te
+@@ -114,17 +114,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+ # Access ~/.thunderbird
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(thunderbird_t)
+- fs_manage_nfs_files(thunderbird_t)
+- fs_manage_nfs_symlinks(thunderbird_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(thunderbird_t)
+- fs_manage_cifs_files(thunderbird_t)
+- fs_manage_cifs_symlinks(thunderbird_t)
+-')
++userdom_home_manager(thunderbird_t)
+
+ tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ files_list_home(thunderbird_t)
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
-index 11fe4f2..98bfbf3 100644
+index 11fe4f2..38318b9 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
-@@ -73,7 +73,7 @@ fs_search_auto_mountpoints(tvtime_t)
+@@ -73,20 +73,11 @@ fs_search_auto_mountpoints(tvtime_t)
miscfiles_read_localization(tvtime_t)
miscfiles_read_fonts(tvtime_t)
@@ -12027,6 +11743,20 @@ index 11fe4f2..98bfbf3 100644
userdom_read_user_home_content_files(tvtime_t)
# X access, Home files
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(tvtime_t)
+- fs_manage_nfs_files(tvtime_t)
+- fs_manage_nfs_symlinks(tvtime_t)
+-')
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(tvtime_t)
+- fs_manage_cifs_files(tvtime_t)
+- fs_manage_cifs_symlinks(tvtime_t)
+-')
++userdom_home_manager(tvtime_t)
+
+ optional_policy(`
+ xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index d2ab7cb..ddb34f1 100644
--- a/policy/modules/apps/uml.if
@@ -12554,7 +12284,7 @@ index be9246b..e3de8fa 100644
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
-index 8bfe97d..95a3d06 100644
+index 8bfe97d..356e2a1 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
@@ -12583,17 +12313,29 @@ index 8bfe97d..95a3d06 100644
miscfiles_read_fonts(wireshark_t)
miscfiles_read_localization(wireshark_t)
-@@ -106,10 +109,6 @@ tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_symlinks(wireshark_t)
- ')
+@@ -94,21 +97,7 @@ sysnet_read_config(wireshark_t)
+
+ userdom_manage_user_home_content_files(wireshark_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(wireshark_t)
+- fs_manage_nfs_files(wireshark_t)
+- fs_manage_nfs_symlinks(wireshark_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(wireshark_t)
+- fs_manage_cifs_files(wireshark_t)
+- fs_manage_cifs_symlinks(wireshark_t)
+-')
+-
-optional_policy(`
- nscd_socket_use(wireshark_t)
-')
--
++userdom_home_manager(wireshark_t)
+
# Manual transition from userhelper
optional_policy(`
- userhelper_use_fd(wireshark_t)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index b3efef7..50c1a74 100644
--- a/policy/modules/apps/wm.if
@@ -12660,7 +12402,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..7bcafea 100644
+index 3fae11a..0b0896b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -12830,7 +12572,7 @@ index 3fae11a..7bcafea 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,6 +295,7 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +295,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -12838,9 +12580,10 @@ index 3fae11a..7bcafea 100644
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -293,8 +303,10 @@ ifdef(`distro_gentoo',`
+ /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
+/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
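Review bot: The new file-context regex `/usr/share/tucan.*/tucan.py` leaves the dot before `py` unescaped, so it matches any character in that position, unlike the neighbouring entries (`compiler\.pl`, `sa-update\.cron`, `.*\.sh`). Because the entry assigns `bin_t`, the pattern should be as tight as the others: `/usr/share/tucan.*/tucan\.py -- gen_context(system_u:object_r:bin_t,s0)`.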
@@ -12850,7 +12593,7 @@ index 3fae11a..7bcafea 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +318,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +319,11 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -12864,7 +12607,7 @@ index 3fae11a..7bcafea 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +332,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +333,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12876,7 +12619,7 @@ index 3fae11a..7bcafea 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +378,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +379,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -12885,7 +12628,7 @@ index 3fae11a..7bcafea 100644
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
-@@ -375,8 +390,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +391,9 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12896,7 +12639,7 @@ index 3fae11a..7bcafea 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +401,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +402,4 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -12972,19 +12715,6 @@ index 9e9263a..650e796 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 23a1c3c..9527971 100644
---- a/policy/modules/kernel/corecommands.te
-+++ b/policy/modules/kernel/corecommands.te
-@@ -13,7 +13,7 @@ attribute exec_type;
- #
- # bin_t is the type of files in the system bin/sbin directories.
- #
--type bin_t alias { ls_exec_t sbin_t };
-+type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
- corecmd_executable_file(bin_t)
- dev_associate(bin_t) #For /dev/MAKEDEV
-
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 4f3b542..cf422f4 100644
--- a/policy/modules/kernel/corenetwork.if.in
@@ -14147,7 +13877,7 @@ index 4f3b542..cf422f4 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..1541989 100644
+index 99b71cb..9c48de6 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -14287,7 +14017,7 @@ index 99b71cb..1541989 100644
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +172,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -14311,12 +14041,13 @@ index 99b71cb..1541989 100644
+network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
++network_port(mongod, tcp,27017,s0)
network_port(monopd, tcp,1234,s0)
+network_port(movaz_ssc, tcp,5252,s0)
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +200,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14349,7 +14080,7 @@ index 99b71cb..1541989 100644
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
-@@ -179,30 +237,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,30 +238,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
@@ -14389,7 +14120,7 @@ index 99b71cb..1541989 100644
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -215,9 +278,11 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +279,11 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -14402,7 +14133,7 @@ index 99b71cb..1541989 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +294,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +295,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14410,7 +14141,7 @@ index 99b71cb..1541989 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +304,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +305,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14423,7 +14154,7 @@ index 99b71cb..1541989 100644
########################################
#
-@@ -282,9 +354,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +355,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -14487,7 +14218,7 @@ index 35fed4f..51ad69a 100644
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..12bd6fc 100644
+index 6cf8784..b48524e 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,11 +15,13 @@
@@ -14515,7 +14246,7 @@ index 6cf8784..12bd6fc 100644
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -126,6 +130,7 @@ ifdef(`distro_suse', `
+@@ -126,12 +130,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -14523,7 +14254,14 @@ index 6cf8784..12bd6fc 100644
/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-@@ -187,8 +192,6 @@ ifdef(`distro_suse', `
+
+ /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+
++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
+@@ -187,8 +193,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -14532,7 +14270,7 @@ index 6cf8784..12bd6fc 100644
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +199,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +200,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -18493,7 +18231,7 @@ index 22821ff..20251b0 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..e5652a1 100644
+index 97fcdac..6342520 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18739,7 +18477,32 @@ index 97fcdac..e5652a1 100644
#######################################
##
## Create, read, write, and delete dirs
-@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2025,6 +2167,24 @@ interface(`fs_read_fusefs_symlinks',`
+
+ ########################################
+ ##
++## Manage symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
+ ## Get the attributes of an hugetlbfs
+ ## filesystem.
+ ##
+@@ -2080,6 +2240,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
##
@@ -18764,7 +18527,7 @@ index 97fcdac..e5652a1 100644
## Read and write hugetlbfs files.
##
##
-@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2326,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -18772,7 +18535,7 @@ index 97fcdac..e5652a1 100644
')
########################################
-@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2659,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -18780,7 +18543,7 @@ index 97fcdac..e5652a1 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2698,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -18788,7 +18551,7 @@ index 97fcdac..e5652a1 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2725,25 @@ interface(`fs_exec_nfs_files',`
########################################
##
@@ -18814,7 +18577,7 @@ index 97fcdac..e5652a1 100644
## Append files
## on a NFS filesystem.
##
-@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2784,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
##
@@ -18857,7 +18620,7 @@ index 97fcdac..e5652a1 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
-@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2834,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -18866,7 +18629,7 @@ index 97fcdac..e5652a1 100644
')
########################################
-@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2972,7 @@ interface(`fs_search_removable',`
##
##
##
@@ -18875,7 +18638,7 @@ index 97fcdac..e5652a1 100644
##
##
#
-@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3008,7 @@ interface(`fs_read_removable_files',`
##
##
##
@@ -18884,7 +18647,7 @@ index 97fcdac..e5652a1 100644
##
##
#
-@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3201,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -18892,7 +18655,7 @@ index 97fcdac..e5652a1 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3242,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -18900,7 +18663,7 @@ index 97fcdac..e5652a1 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3283,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -18908,7 +18671,7 @@ index 97fcdac..e5652a1 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4197,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
##
@@ -18951,7 +18714,7 @@ index 97fcdac..e5652a1 100644
## Create, read, write, and delete
## tmpfs directories
##
-@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4450,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -18976,7 +18739,7 @@ index 97fcdac..e5652a1 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4251,6 +4526,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4544,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
##
@@ -19002,7 +18765,7 @@ index 97fcdac..e5652a1 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
-@@ -4457,6 +4751,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4769,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -19011,7 +18774,7 @@ index 97fcdac..e5652a1 100644
')
########################################
-@@ -4503,7 +4799,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4817,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -19020,7 +18783,7 @@ index 97fcdac..e5652a1 100644
## Example attributes:
##
##
-@@ -4866,3 +5162,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5180,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -21209,7 +20972,7 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..cfea862 100644
+index 2be17d2..de3c13e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -21268,7 +21031,15 @@ index 2be17d2..cfea862 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,19 +70,107 @@ optional_policy(`
+@@ -23,23 +66,115 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ blueman_dbus_chat(staff_t)
++')
++
++optional_policy(`
+ dbadm_role_change(staff_r)
')
optional_policy(`
@@ -21378,7 +21149,7 @@ index 2be17d2..cfea862 100644
')
optional_policy(`
-@@ -48,10 +179,52 @@ optional_policy(`
+@@ -48,10 +183,52 @@ optional_policy(`
')
optional_policy(`
@@ -21431,17 +21202,6 @@ index 2be17d2..cfea862 100644
xserver_role(staff_r, staff_t)
')
-@@ -61,6 +234,10 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ blueman_dbus_chat(staff_t)
-+ ')
-+
-+ optional_policy(`
- bluetooth_role(staff_r, staff_t)
- ')
-
@@ -89,18 +266,10 @@ ifndef(`distro_redhat',`
')
@@ -22000,10 +21760,10 @@ index 0000000..0e8654b
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..8b2cdf3
+index 0000000..bac0dc0
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,687 @@
+@@ -0,0 +1,595 @@
+## Unconfiend user role
+
+########################################
@@ -22226,42 +21986,6 @@ index 0000000..8b2cdf3
+
+########################################
+##
-+## Send a SIGNULL signal to the unconfined execmem domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_execmem_signull',`
-+ gen_require(`
-+ type unconfined_execmem_t;
-+ ')
-+
-+ allow $1 unconfined_execmem_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send a signal to the unconfined execmem domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_execmem_signal',`
-+ gen_require(`
-+ type unconfined_execmem_t;
-+ ')
-+
-+ allow $1 unconfined_execmem_t:process signal;
-+')
-+
-+########################################
-+##
+## Send generic signals to the unconfined domain.
+##
+##
@@ -22563,62 +22287,6 @@ index 0000000..8b2cdf3
+
+########################################
+##
-+## Read and write to unconfined execmem shared memory.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`unconfined_execmem_rw_shm',`
-+ gen_require(`
-+ type unconfined_execmem_t;
-+ ')
-+
-+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
-+## Transition to the unconfined_execmem domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_execmem_domtrans',`
-+
-+ gen_require(`
-+ type unconfined_execmem_t;
-+ ')
-+
-+ execmem_domtrans($1, unconfined_execmem_t)
-+')
-+
-+########################################
-+##
-+## execute the execmem applications
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`unconfined_execmem_exec',`
-+
-+ gen_require(`
-+ type execmem_exec_t;
-+ ')
-+
-+ can_exec($1, execmem_exec_t)
-+')
-+
-+########################################
-+##
+## Allow apps to set rlimits on userdomain
+##
+##
@@ -22693,10 +22361,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..4ce2685
+index 0000000..11ad8fb
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,401 @@
+@@ -0,0 +1,394 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -23019,13 +22687,6 @@ index 0000000..4ce2685
+')
+
+optional_policy(`
-+ mono_role_template(unconfined, unconfined_r, unconfined_t)
-+ unconfined_domain_noaudit(unconfined_mono_t)
-+ role system_r types unconfined_mono_t;
-+')
-+
-+
-+optional_policy(`
+ mozilla_role_plugin(unconfined_r)
+
+ tunable_policy(`unconfined_mozilla_plugin_transition', `
@@ -23099,10 +22760,10 @@ index 0000000..4ce2685
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..9db5ebd 100644
+index e5bfdd4..454e627 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,97 @@ role user_r;
+@@ -12,15 +12,101 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -23125,6 +22786,10 @@ index e5bfdd4..9db5ebd 100644
')
optional_policy(`
++ blueman_dbus_chat(user_t)
++')
++
++optional_policy(`
+ colord_dbus_chat(user_t)
+')
+
@@ -23200,17 +22865,6 @@ index e5bfdd4..9db5ebd 100644
vlock_run(user_t, user_r)
')
-@@ -34,6 +116,10 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ blueman_dbus_chat(staff_t)
-+ ')
-+
-+ optional_policy(`
- bluetooth_role(user_r, user_t)
- ')
-
@@ -62,19 +148,11 @@ ifndef(`distro_redhat',`
')
@@ -23283,7 +22937,7 @@ index 0ecc786..3e7e984 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..b1ea76e 100644
+index e88b95f..6f176f9 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -23353,10 +23007,17 @@ index e88b95f..b1ea76e 100644
')
')
-@@ -76,23 +86,98 @@ optional_policy(`
+@@ -76,23 +86,101 @@ optional_policy(`
')
optional_policy(`
++ tunable_policy(`xguest_use_bluetooth',`
++ blueman_dbus_chat(xguest_t)
++ ')
++')
++
++
++optional_policy(`
+ chrome_role(xguest_r, xguest_usertype)
+')
+
@@ -23371,15 +23032,10 @@ index e88b95f..b1ea76e 100644
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
-+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
-+ mono_role_template(xguest, xguest_r, xguest_t)
++ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
@@ -23388,9 +23044,10 @@ index e88b95f..b1ea76e 100644
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
+')
@@ -23439,7 +23096,7 @@ index e88b95f..b1ea76e 100644
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
- ')
++ ')
+
+ #optional_policy(`
+ # telepathy_dbus_session_role(xguest_r, xguest_t)
@@ -23449,7 +23106,7 @@ index e88b95f..b1ea76e 100644
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
-+ ')
+ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
@@ -24162,7 +23819,7 @@ index c0f858d..5770f1a 100644
accountsd_manage_lib_files($1)
')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..a538582 100644
+index 1632f10..6ede64d 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
@@ -24184,7 +23841,13 @@ index 1632f10..a538582 100644
allow accountsd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-@@ -32,10 +35,12 @@ files_read_usr_files(accountsd_t)
+@@ -28,14 +31,18 @@ kernel_read_kernel_sysctls(accountsd_t)
+
+ corecmd_exec_bin(accountsd_t)
+
++dev_read_sysfs(accountsd_t)
++
+ files_read_usr_files(accountsd_t)
files_read_mnt_files(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -24197,7 +23860,7 @@ index 1632f10..a538582 100644
miscfiles_read_localization(accountsd_t)
-@@ -55,3 +60,8 @@ optional_policy(`
+@@ -55,3 +62,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
@@ -25490,7 +25153,7 @@ index 6480167..2ad693a 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..7cb2fe5 100644
+index 3136c6a..2ef8fef 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,136 +18,211 @@ policy_module(apache, 2.2.1)
@@ -26511,7 +26174,7 @@ index 3136c6a..7cb2fe5 100644
')
########################################
-@@ -891,11 +1269,137 @@ optional_policy(`
+@@ -891,11 +1269,135 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -26535,7 +26198,7 @@ index 3136c6a..7cb2fe5 100644
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
- ')
++')
+
+########################################
+#
@@ -26649,9 +26312,7 @@ index 3136c6a..7cb2fe5 100644
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+')
-+
-+
+ ')
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index cd07b96..9b7742f 100644
--- a/policy/modules/services/apcupsd.fc
@@ -26744,7 +26405,7 @@ index 1ea99b2..9427dd5 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..f8de34e 100644
+index 1c8c27e..01d69d4 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -26833,7 +26494,20 @@ index 1c8c27e..f8de34e 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-@@ -201,7 +213,8 @@ optional_policy(`
+@@ -181,6 +193,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ devicekit_manage_pid_files(apmd_t)
++ devicekit_manage_log_files(apmd_t)
++ devicekit_relabel_log_files(apmd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(apmd_t)
+
+ optional_policy(`
+@@ -201,7 +219,8 @@ optional_policy(`
')
optional_policy(`
@@ -26843,7 +26517,7 @@ index 1c8c27e..f8de34e 100644
')
optional_policy(`
-@@ -209,8 +222,9 @@ optional_policy(`
+@@ -209,8 +228,9 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
@@ -26854,7 +26528,7 @@ index 1c8c27e..f8de34e 100644
')
optional_policy(`
-@@ -219,10 +233,6 @@ optional_policy(`
+@@ -219,10 +239,6 @@ optional_policy(`
')
optional_policy(`
@@ -27604,10 +27278,10 @@ index 0000000..d694c0a
+')
diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
new file mode 100644
-index 0000000..fde1531
+index 0000000..12ef44c
--- /dev/null
+++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,38 @@
+policy_module(blueman, 1.0.0)
+
+########################################
@@ -27636,6 +27310,7 @@ index 0000000..fde1531
+files_read_etc_files(blueman_t)
+files_read_usr_files(blueman_t)
+
++auth_use_nsswitch(blueman_t)
+auth_read_passwd(blueman_t)
+
+logging_send_syslog_msg(blueman_t)
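Review bot: `auth_use_nsswitch(blueman_t)` is added directly above the existing `auth_read_passwd(blueman_t)` with no comment on why the wider interface is needed. In reference policy `auth_use_nsswitch` normally covers every configured name-service backend, including network lookups, so it widens what `blueman_t` may reach; its definition is not visible here. If the denial was only a passwd lookup, the existing line may already suffice. Otherwise add a short comment such as `# <denial or bug reference>: user lookup goes through nsswitch` and check whether `auth_read_passwd` is now redundant.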
@@ -29963,7 +29638,7 @@ index 1f11572..717fb8d 100644
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..8cd02e2 100644
+index f758323..4bc077f 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,16 @@
@@ -30023,30 +29698,42 @@ index f758323..8cd02e2 100644
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
-@@ -127,12 +139,16 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,13 +139,6 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
-cron_use_fds(clamd_t)
-cron_use_system_job_fds(clamd_t)
-cron_rw_pipes(clamd_t)
-+optional_policy(`
+-
+-mta_read_config(clamd_t)
+-mta_send_mail(clamd_t)
+-
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+@@ -142,13 +147,30 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ cron_use_fds(clamd_t)
+ cron_use_system_job_fds(clamd_t)
+ cron_rw_pipes(clamd_t)
+')
++
++optional_policy(`
+ exim_read_spool_files(clamd_t)
+ ')
--mta_read_config(clamd_t)
--mta_send_mail(clamd_t)
+optional_policy(`
+ mta_read_config(clamd_t)
+ mta_send_mail(clamd_t)
+')
-
- optional_policy(`
- amavis_read_lib_files(clamd_t)
-@@ -147,8 +163,10 @@ optional_policy(`
-
++
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++')
++
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
-', `
@@ -30057,7 +29744,7 @@ index f758323..8cd02e2 100644
')
########################################
-@@ -178,10 +196,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -30076,7 +29763,7 @@ index f758323..8cd02e2 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +213,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -30084,7 +29771,7 @@ index f758323..8cd02e2 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +232,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -30107,7 +29794,7 @@ index f758323..8cd02e2 100644
########################################
#
# clamscam local policy
-@@ -242,15 +269,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -30137,7 +29824,7 @@ index f758323..8cd02e2 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +305,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -30236,10 +29923,10 @@ index 0000000..f2968f8
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
new file mode 100644
-index 0000000..917f8d4
+index 0000000..6451167
--- /dev/null
+++ b/policy/modules/services/cloudform.if
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,40 @@
+## cloudform policy
+
+#######################################
@@ -30261,14 +29948,31 @@ index 0000000..917f8d4
+ type $1_t, cloudform_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
++')
+
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`cloudform_exec_mongod',`
++ gen_require(`
++ type mogod_exec_t;
++ ')
++
++ can_exec($1, mogod_exec_t)
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..5c0c84f
+index 0000000..4f0bd8d
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,218 @@
+policy_module(cloudform, 1.0)
+########################################
+#
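Review bot: `cloudform_exec_mongod` requires and grants on `mogod_exec_t`, which looks like a misspelling of `mongod_exec_t`. The rest of the module spells the domain `mongod` (`mongod_t`, `mongod_var_run_t` in cloudform.te), and the domain template just above names the executable type `$1_exec_t`. With the misspelled name the `gen_require` presumably cannot resolve, so a caller would fail to build or, inside an `optional_policy`, be dropped silently. Both lines should read `type mongod_exec_t;` and `can_exec($1, mongod_exec_t)`. The block declares no types, so `interface(` would fit better than `template(`.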
@@ -30408,12 +30112,7 @@ index 0000000..5c0c84f
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(iwhd_t)
-+ fs_manage_nfs_dirs(iwhd_t)
-+ fs_manage_nfs_files(iwhd_t)
-+ fs_manage_nfs_symlinks(iwhd_t)
-+')
++userdom_home_manager(iwhd_t)
+
+########################################
+#
@@ -30443,7 +30142,7 @@ index 0000000..5c0c84f
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+
+corenet_tcp_bind_generic_node(mongod_t)
-+corenet_tcp_bind_generic_port(mongod_t)
++corenet_tcp_bind_mongod_port(mongod_t)
+
+files_read_usr_files(mongod_t)
+
@@ -31279,7 +30978,7 @@ index 0000000..2ee2be0
+')
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..6ff206b 100644
+index 74505cc..e7c70b5 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
@@ -31314,7 +31013,7 @@ index 74505cc..6ff206b 100644
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
-@@ -65,19 +73,31 @@ files_list_mnt(colord_t)
+@@ -65,21 +73,23 @@ files_list_mnt(colord_t)
files_read_etc_files(colord_t)
files_read_usr_files(colord_t)
@@ -31332,21 +31031,21 @@ index 74505cc..6ff206b 100644
miscfiles_read_localization(colord_t)
- sysnet_dns_name_resolve(colord_t)
-
+-sysnet_dns_name_resolve(colord_t)
+userdom_rw_user_tmpfs_files(colord_t)
-+
- tunable_policy(`use_nfs_home_dirs',`
-+ fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
- ')
- tunable_policy(`use_samba_home_dirs',`
-+ fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
- ')
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(colord_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(colord_t)
+-')
++userdom_home_reader(colord_t)
-@@ -89,6 +109,10 @@ optional_policy(`
+ optional_policy(`
+ cups_read_config(colord_t)
+@@ -89,6 +99,10 @@ optional_policy(`
')
optional_policy(`
@@ -31357,8 +31056,15 @@ index 74505cc..6ff206b 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -98,3 +122,9 @@ optional_policy(`
+@@ -96,5 +110,16 @@ optional_policy(`
+ ')
+
optional_policy(`
++ sysnet_exec_ifconfig(colord_t)
++ sysnet_dns_name_resolve(colord_t)
++')
++
++optional_policy(`
udev_read_db(colord_t)
')
+
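Review bot: The new `optional_policy` block gives colord_t `sysnet_exec_ifconfig`, which lets the colour-management daemon run ifconfig inside its own domain, and nothing in the hunk says why. If colord only probes for the binary, a dontaudit rule would be the narrower answer. If it really runs it, a comment naming the caller or bug would make the grant reviewable later, e.g. `# colord runs ifconfig via <helper> (bug: <id>)`. `sysnet_dns_name_resolve(colord_t)` is bundled into the same block, so the two are easier to audit as separate lines with their own comments.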
@@ -31479,7 +31185,7 @@ index fd15dfe..d33cc41 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..5b322ca 100644
+index e67a003..d45381d 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
@@ -31500,7 +31206,7 @@ index e67a003..5b322ca 100644
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -69,11 +73,15 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,17 +73,23 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
@@ -31514,26 +31220,22 @@ index e67a003..5b322ca 100644
userdom_read_user_tmp_files(consolekit_t)
-hal_ptrace(consolekit_t)
--
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(consolekit_t)
- ')
-@@ -83,6 +91,14 @@ tunable_policy(`use_samba_home_dirs',`
- ')
++userdom_home_reader(consolekit_t)
- optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(consolekit_t)
++optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
-+')
-+
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(consolekit_t)
+optional_policy(`
+ hal_ptrace(consolekit_t)
-+')
-+
-+optional_policy(`
- dbus_system_domain(consolekit_t, consolekit_exec_t)
+ ')
- optional_policy(`
-@@ -99,6 +115,10 @@ optional_policy(`
+ optional_policy(`
+@@ -99,6 +109,10 @@ optional_policy(`
')
optional_policy(`
@@ -31544,7 +31246,7 @@ index e67a003..5b322ca 100644
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
-@@ -106,9 +126,10 @@ optional_policy(`
+@@ -106,9 +120,10 @@ optional_policy(`
')
optional_policy(`
@@ -31557,7 +31259,7 @@ index e67a003..5b322ca 100644
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +146,8 @@ optional_policy(`
+@@ -125,5 +140,8 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
@@ -32445,7 +32147,7 @@ index 35241ed..7a0913c 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..258a3d7 100644
+index f7583ab..a2e960c 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -32647,7 +32349,7 @@ index f7583ab..258a3d7 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -250,11 +279,31 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +279,27 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -32672,14 +32374,10 @@ index f7583ab..258a3d7 100644
+')
+
+optional_policy(`
-+ mono_domtrans(crond_t)
-+')
-+
-+optional_policy(`
amanda_search_var_lib(crond_t)
')
-@@ -264,6 +313,8 @@ optional_policy(`
+@@ -264,6 +309,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -32688,7 +32386,7 @@ index f7583ab..258a3d7 100644
')
optional_policy(`
-@@ -286,15 +337,25 @@ optional_policy(`
+@@ -286,15 +333,25 @@ optional_policy(`
')
optional_policy(`
@@ -32714,7 +32412,7 @@ index f7583ab..258a3d7 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +367,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +363,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -32735,7 +32433,7 @@ index f7583ab..258a3d7 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -329,6 +399,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +395,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -32743,7 +32441,7 @@ index f7583ab..258a3d7 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +411,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +407,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -32758,7 +32456,7 @@ index f7583ab..258a3d7 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +440,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +436,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -32766,7 +32464,7 @@ index f7583ab..258a3d7 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +467,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +463,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -32774,7 +32472,7 @@ index f7583ab..258a3d7 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -413,8 +490,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +486,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -32786,7 +32484,7 @@ index f7583ab..258a3d7 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -439,6 +518,8 @@ optional_policy(`
+@@ -439,6 +514,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -32795,7 +32493,7 @@ index f7583ab..258a3d7 100644
')
optional_policy(`
-@@ -446,6 +527,14 @@ optional_policy(`
+@@ -446,6 +523,14 @@ optional_policy(`
')
optional_policy(`
@@ -32810,7 +32508,7 @@ index f7583ab..258a3d7 100644
ftp_read_log(system_cronjob_t)
')
-@@ -456,15 +545,25 @@ optional_policy(`
+@@ -456,6 +541,10 @@ optional_policy(`
')
optional_policy(`
@@ -32821,12 +32519,7 @@ index f7583ab..258a3d7 100644
lpd_list_spool(system_cronjob_t)
')
- optional_policy(`
-+ mono_domtrans(system_cronjob_t)
-+')
-+
-+optional_policy(`
- mrtg_append_create_logs(system_cronjob_t)
+@@ -464,7 +553,9 @@ optional_policy(`
')
optional_policy(`
@@ -32836,7 +32529,7 @@ index f7583ab..258a3d7 100644
')
optional_policy(`
-@@ -480,7 +579,7 @@ optional_policy(`
+@@ -480,7 +571,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -32845,7 +32538,7 @@ index f7583ab..258a3d7 100644
')
optional_policy(`
-@@ -495,6 +594,7 @@ optional_policy(`
+@@ -495,6 +586,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -32853,7 +32546,7 @@ index f7583ab..258a3d7 100644
')
optional_policy(`
-@@ -502,7 +602,13 @@ optional_policy(`
+@@ -502,7 +594,13 @@ optional_policy(`
')
optional_policy(`
@@ -32867,7 +32560,7 @@ index f7583ab..258a3d7 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +701,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +693,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -33406,7 +33099,7 @@ index 305ddf4..2746e6f 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..825cafb 100644
+index 0f28095..3bc4cfd 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -33570,7 +33263,7 @@ index 0f28095..825cafb 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -587,13 +613,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +613,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -33584,24 +33277,26 @@ index 0f28095..825cafb 100644
-lpd_manage_spool(cups_pdf_t)
-
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_search_auto_mountpoints(cups_pdf_t)
+- fs_manage_nfs_dirs(cups_pdf_t)
+- fs_manage_nfs_files(cups_pdf_t)
+optional_policy(`
+ lpd_manage_spool(cups_pdf_t)
-+')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(cups_pdf_t)
')
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(cups_pdf_t)
+- fs_manage_cifs_files(cups_pdf_t)
++userdom_home_manager(cups_pdf_t)
++
+optional_policy(`
+ gnome_read_config(cups_pdf_t)
-+')
-+
+ ')
+
########################################
- #
- # HPLIP local policy
-@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +664,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -33610,7 +33305,7 @@ index 0f28095..825cafb 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +719,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +710,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -33618,7 +33313,7 @@ index 0f28095..825cafb 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +722,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -33832,7 +33527,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..3558f18 100644
+index 1a1becd..115133d 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -33847,7 +33542,7 @@ index 1a1becd..3558f18 100644
')
##############################
-@@ -52,8 +52,7 @@ template(`dbus_role_template',`
+@@ -52,117 +52,41 @@ template(`dbus_role_template',`
#
type $1_dbusd_t, session_bus_type;
@@ -33857,7 +33552,10 @@ index 1a1becd..3558f18 100644
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
-@@ -62,107 +61,30 @@ template(`dbus_role_template',`
++ userdom_home_manager($1_dbusd_t)
++
+ ##############################
+ #
# Local policy
#
@@ -33956,9 +33654,9 @@ index 1a1becd..3558f18 100644
- seutil_read_default_contexts($1_dbusd_t)
-
- term_use_all_terms($1_dbusd_t)
--
-- userdom_read_user_home_content_files($1_dbusd_t)
+- userdom_read_user_home_content_files($1_dbusd_t)
+-
- ifdef(`hide_broken_symptoms', `
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
- ')
@@ -33975,7 +33673,7 @@ index 1a1becd..3558f18 100644
')
#######################################
-@@ -181,11 +103,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,11 +105,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -33989,7 +33687,7 @@ index 1a1becd..3558f18 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -198,6 +121,34 @@ interface(`dbus_system_bus_client',`
+@@ -198,6 +123,34 @@ interface(`dbus_system_bus_client',`
#######################################
##
@@ -34024,7 +33722,7 @@ index 1a1becd..3558f18 100644
## Template for creating connections to
## a user DBUS.
##
-@@ -218,6 +169,8 @@ interface(`dbus_session_bus_client',`
+@@ -218,6 +171,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
@@ -34033,7 +33731,7 @@ index 1a1becd..3558f18 100644
')
########################################
-@@ -322,6 +275,11 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +277,11 @@ interface(`dbus_connect_session_bus',`
## Allow a application domain to be started
## by the session dbus.
##
@@ -34045,7 +33743,7 @@ index 1a1becd..3558f18 100644
##
##
## Type to be used as a domain.
-@@ -336,13 +294,13 @@ interface(`dbus_connect_session_bus',`
+@@ -336,13 +296,13 @@ interface(`dbus_connect_session_bus',`
#
interface(`dbus_session_domain',`
gen_require(`
@@ -34063,7 +33761,7 @@ index 1a1becd..3558f18 100644
')
########################################
-@@ -421,27 +379,16 @@ interface(`dbus_system_bus_unconfined',`
+@@ -421,27 +381,16 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -34093,7 +33791,7 @@ index 1a1becd..3558f18 100644
')
########################################
-@@ -464,26 +411,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -464,26 +413,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
@@ -34126,7 +33824,7 @@ index 1a1becd..3558f18 100644
##
##
##
-@@ -491,10 +437,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +439,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -34182,7 +33880,7 @@ index 1a1becd..3558f18 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..f0266a9 100644
+index 1bff6ee..c9396db 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -34244,17 +33942,11 @@ index 1bff6ee..f0266a9 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -136,11 +143,33 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -136,11 +143,27 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(system_dbusd_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(system_dbusd_t)
-+')
++userdom_home_reader(system_dbusd_t)
+
optional_policy(`
bind_domtrans(system_dbusd_t)
@@ -34278,7 +33970,7 @@ index 1bff6ee..f0266a9 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +180,166 @@ optional_policy(`
+@@ -151,12 +174,156 @@ optional_policy(`
')
optional_policy(`
@@ -34334,9 +34026,9 @@ index 1bff6ee..f0266a9 100644
+')
+
+########################################
- #
-+# session_bus_type rules
+#
++# session_bus_type rules
+ #
+dontaudit session_bus_type self:capability sys_resource;
+allow session_bus_type self:process { getattr sigkill signal };
+dontaudit session_bus_type self:process { ptrace setrlimit };
@@ -34411,17 +34103,7 @@ index 1bff6ee..f0266a9 100644
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(session_bus_type)
-+ fs_manage_nfs_files(session_bus_type)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(session_bus_type)
-+ fs_manage_cifs_files(session_bus_type)
-+')
-+
+
+optional_policy(`
+ gnome_read_gconf_home_files(session_bus_type)
+')
@@ -34429,7 +34111,7 @@ index 1bff6ee..f0266a9 100644
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
-
++
+optional_policy(`
+ xserver_search_xdm_lib(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
@@ -34717,7 +34399,7 @@ index 418a5a0..c25fbdc 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..b62f5a9 100644
+index f706b99..7cdc0f5 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -34866,7 +34548,7 @@ index f706b99..b62f5a9 100644
########################################
##
## Read devicekit PID files.
-@@ -139,22 +252,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +252,92 @@ interface(`devicekit_read_pid_files',`
########################################
##
@@ -34874,27 +34556,65 @@ index f706b99..b62f5a9 100644
-## an devicekit environment
+## Do not audit attempts to read
+## devicekit PID files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`devicekit_dontaudit_read_pid_files',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++')
++
++
++########################################
++##
++## Manage devicekit PID files.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
-##
+#
-+interface(`devicekit_dontaudit_read_pid_files',`
-+ gen_require(`
++interface(`devicekit_manage_pid_files',`
++ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
-+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++ files_search_pids($1)
++ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
++#######################################
++##
++## Relabel devicekit LOG files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_relabel_log_files',`
++ gen_require(`
++ type devicekit_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++')
+
+########################################
+##
-+## Manage devicekit PID files.
++## Manage devicekit LOG files.
+##
+##
##
@@ -34904,14 +34624,15 @@ index f706b99..b62f5a9 100644
##
-##
+#
-+interface(`devicekit_manage_pid_files',`
++interface(`devicekit_manage_log_files',`
+ gen_require(`
-+ type devicekit_var_run_t;
++ type devicekit_var_log_t;
+ ')
+
-+ files_search_pids($1)
-+ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ logging_search_logs($1)
++ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
+########################################
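Review bot: `devicekit_manage_log_files` ends with two commented-out `logging_log_filetrans` calls. The `devicekit_filetrans_named_content` hunk further down adds the same two commented lines, together with a `gen_require` for `devicekit_var_log_t` that no live rule in that interface uses. Dead rules in an interface leave readers guessing which labelling is in force for `pm-powersave.log` and `pm-suspend.log`. Either enable the named transitions in `devicekit_filetrans_named_content` only, or drop the comments and revert that require to `type devicekit_var_run_t;` until they are needed. The interface body starts in the previous hunk.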
@@ -34926,7 +34647,7 @@ index f706b99..b62f5a9 100644
##
##
##
-@@ -165,21 +308,44 @@ interface(`devicekit_admin',`
+@@ -165,21 +348,46 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -34972,10 +34693,12 @@ index f706b99..b62f5a9 100644
+#
+interface(`devicekit_filetrans_named_content',`
+ gen_require(`
-+ type devicekit_var_run_t;
++ type devicekit_var_run_t, devicekit_var_log_t;
+ ')
+
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..f277ea6 100644
@@ -36573,7 +36296,7 @@ index e1d7dc5..0557be0 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..2fbb869 100644
+index acf6d4f..194f170 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -36648,7 +36371,23 @@ index acf6d4f..2fbb869 100644
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -160,6 +167,15 @@ optional_policy(`
+@@ -135,6 +142,7 @@ files_dontaudit_list_default(dovecot_t)
+ # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+ files_read_etc_runtime_files(dovecot_t)
+ files_search_all_mountpoints(dovecot_t)
++files_read_var_lib_files(dovecot_t)
+
+ init_getattr_utmp(dovecot_t)
+
+@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t)
+ miscfiles_read_generic_certs(dovecot_t)
+ miscfiles_read_localization(dovecot_t)
+
++userdom_home_manager(dovecot_t)
+ userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+ userdom_manage_user_home_content_dirs(dovecot_t)
+ userdom_manage_user_home_content_files(dovecot_t)
+@@ -160,6 +169,15 @@ optional_policy(`
')
optional_policy(`
@@ -36664,7 +36403,7 @@ index acf6d4f..2fbb869 100644
postgresql_stream_connect(dovecot_t)
')
-@@ -180,8 +196,8 @@ optional_policy(`
+@@ -180,8 +198,8 @@ optional_policy(`
# dovecot auth local policy
#
@@ -36675,7 +36414,7 @@ index acf6d4f..2fbb869 100644
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +208,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -36685,7 +36424,7 @@ index acf6d4f..2fbb869 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +222,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -36698,16 +36437,17 @@ index acf6d4f..2fbb869 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t)
+@@ -216,7 +240,8 @@ files_read_usr_files(dovecot_auth_t)
+ files_read_usr_symlinks(dovecot_auth_t)
+ files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
- files_read_var_lib_files(dovecot_t)
-
-+fs_getattr_xattr_fs(dovecot_auth_t)
+-files_read_var_lib_files(dovecot_t)
+
++fs_getattr_xattr_fs(dovecot_auth_t)
+
init_rw_utmp(dovecot_auth_t)
- miscfiles_read_localization(dovecot_auth_t)
-@@ -236,6 +260,8 @@ optional_policy(`
+@@ -236,6 +261,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -36716,7 +36456,7 @@ index acf6d4f..2fbb869 100644
')
optional_policy(`
-@@ -243,6 +269,8 @@ optional_policy(`
+@@ -243,6 +270,8 @@ optional_policy(`
')
optional_policy(`
@@ -36725,7 +36465,7 @@ index acf6d4f..2fbb869 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +278,42 @@ optional_policy(`
+@@ -250,23 +279,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -36770,14 +36510,32 @@ index acf6d4f..2fbb869 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -283,24 +331,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+ userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(dovecot_deliver_t)
+- fs_manage_nfs_files(dovecot_deliver_t)
+- fs_manage_nfs_symlinks(dovecot_deliver_t)
+- fs_manage_nfs_dirs(dovecot_t)
+- fs_manage_nfs_files(dovecot_t)
+- fs_manage_nfs_symlinks(dovecot_t)
+-')
++userdom_home_manager(dovecot_deliver_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(dovecot_deliver_t)
+- fs_manage_cifs_files(dovecot_deliver_t)
+- fs_manage_cifs_symlinks(dovecot_deliver_t)
+- fs_manage_cifs_dirs(dovecot_t)
+- fs_manage_cifs_files(dovecot_t)
+- fs_manage_cifs_symlinks(dovecot_t)
++optional_policy(`
++ gnome_manage_data(dovecot_deliver_t)
')
optional_policy(`
-+ gnome_manage_data(dovecot_deliver_t)
-+')
-+
-+optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
+')
@@ -37774,7 +37532,7 @@ index f590a1f..18bdd33 100644
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..2599f96 100644
+index 2a69e5e..c7a0911 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -37828,7 +37586,17 @@ index 2a69e5e..2599f96 100644
files_read_etc_files(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +107,38 @@ optional_policy(`
+@@ -85,6 +98,9 @@ miscfiles_read_localization(fail2ban_t)
+
+ mta_send_mail(fail2ban_t)
+
++sysnet_manage_config(fail2ban_t)
++sysnet_filetrans_named_content(fail2ban_t)
++
+ optional_policy(`
+ apache_read_log(fail2ban_t)
+ ')
+@@ -94,5 +110,38 @@ optional_policy(`
')
optional_policy(`
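Review bot: `sysnet_manage_config(fail2ban_t)` gives fail2ban create, write and delete rights over everything labelled as network configuration, and `sysnet_filetrans_named_content(fail2ban_t)` lets it create such files under their default names. fail2ban acts on log content that remote clients can influence, so this is a wide grant for that daemon, and the hunk does not say which file it needs to write. If it is a single file (presumably a deny list, to be confirmed), a dedicated type or a narrower interface would keep resolver and hosts configuration out of reach. At minimum add a comment such as `# fail2ban action writes <file>; needs network config manage`.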
@@ -38461,7 +38229,7 @@ index 9d3201b..41c2c99 100644
+ ftp_systemctl($1)
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..3bc14c3 100644
+index 8a74a83..6c4a30d 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -38704,15 +38472,28 @@ index 8a74a83..3bc14c3 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,7 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- # allow read access to /home by default
+- fs_list_cifs(sftpd_t)
+- fs_read_cifs_files(sftpd_t)
+- fs_read_cifs_symlinks(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
')
- tunable_policy(`use_samba_home_dirs',`
+-tunable_policy(`use_nfs_home_dirs',`
+- # allow read access to /home by default
+- fs_list_nfs(sftpd_t)
+- fs_read_nfs_files(sftpd_t)
+- fs_read_nfs_symlinks(ftpd_t)
+-')
++userdom_home_reader(sftpd_t)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 99a94de..6dbc203 100644
--- a/policy/modules/services/gatekeeper.te
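Review bot: `userdom_home_reader(sftpd_t)` sits outside every `sftpd_*` boolean, so sftpd_t keeps read access to network home directories with `sftpd_enable_homedirs` off (presumably still subject to the `use_*_home_dirs` booleans; the interface body is not visible here). The comment that marked this as deliberate, `# allow read access to /home by default`, is deleted along with the old blocks. I would carry that comment over onto the new line so the unconditional grant is not mistaken for an oversight. The replaced NFS block also passed `ftpd_t` rather than `sftpd_t` to `fs_read_nfs_symlinks`, so the consolidation changes which domain receives NFS symlink reads; that is worth a line in the commit description.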
@@ -38750,10 +38531,10 @@ index 54f0737..44a9663 100644
+/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
-index 458aac6..27945d1 100644
+index 458aac6..9077b2d 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
-@@ -1 +1,542 @@
+@@ -1 +1,515 @@
-## GIT revision control system
+## Fast Version Control System.
+##
@@ -38966,17 +38747,7 @@ index 458aac6..27945d1 100644
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ ')
++ userdom_home_manager($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
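Review bot: The removed blocks granted `fs_exec_nfs_files($1)` and `fs_exec_cifs_files($1)` alongside the manage rights, and nothing visible shows that `userdom_home_manager($1)` includes execute. On the CIFS side execute now appears to remain only under `git_system_use_cifs`, and no longer under `use_samba_home_dirs`. Separately, `$1` is the domain passed in by whoever calls this interface. If `userdom_home_manager` works by tagging its argument (its body is outside this view), every caller ends up with the full home-manager grant rather than the three rules listed before. The interface starts above the hunk. If execute on network home directories is still required, keep the two `fs_exec_*_files($1)` lines in their `use_nfs_home_dirs` and `use_samba_home_dirs` blocks next to the new call.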
@@ -39080,15 +38851,7 @@ index 458aac6..27945d1 100644
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
++ userdom_home_reader($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
@@ -39120,16 +38883,7 @@ index 458aac6..27945d1 100644
+ list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ read_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
++ userdom_home_reader($1)
+')
+
+#######################################
@@ -39298,10 +39052,10 @@ index 458aac6..27945d1 100644
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
-index 7382f85..2ef543c 100644
+index 7382f85..fa32fcf 100644
--- a/policy/modules/services/git.te
+++ b/policy/modules/services/git.te
-@@ -1,8 +1,197 @@
+@@ -1,8 +1,189 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.3)
+
@@ -39325,10 +39079,9 @@ index 7382f85..2ef543c 100644
+##
+##
+gen_tunable(git_system_use_nfs, false)
-
- ########################################
- #
--# Declarations
++
++########################################
++#
+# Git daemon global private declarations.
+#
+
@@ -39342,7 +39095,7 @@ index 7382f85..2ef543c 100644
+role git_shell_r;
+
+########################################
- #
++#
+# Git daemon system private declarations.
+#
+
@@ -39412,8 +39165,7 @@ index 7382f85..2ef543c 100644
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(git_domains)
+')
-
--apache_content_template(git)
++
+optional_policy(`
+ nis_use_ypbind(git_domains)
+')
@@ -39473,21 +39225,15 @@ index 7382f85..2ef543c 100644
+ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs(git_session_t)
-+ fs_read_nfs_files(git_session_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs(git_session_t)
-+ fs_read_cifs_files(git_session_t)
-+')
-+
-+########################################
-+#
++userdom_home_reader(git_session_t)
+
+ ########################################
+ #
+-# Declarations
+# cgi git Declarations
-+#
-+
+ #
+
+-apache_content_template(git)
+optional_policy(`
+ apache_content_template(git)
+ git_read_all_content_files(httpd_git_script_t)
@@ -40695,6 +40441,28 @@ index c234b32..6c0a73d 100644
+optional_policy(`
+ sysnet_dns_name_resolve(hddtemp_t)
+')
+diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
+index 5fc89c4..738c3e2 100644
+--- a/policy/modules/services/i18n_input.te
++++ b/policy/modules/services/i18n_input.te
+@@ -74,16 +74,7 @@ sysnet_read_config(i18n_input_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+ userdom_read_user_home_content_files(i18n_input_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(i18n_input_t)
+- fs_read_nfs_symlinks(i18n_input_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(i18n_input_t)
+- fs_read_cifs_symlinks(i18n_input_t)
+-')
++userdom_home_reader(i18n_input_t)
+
+ optional_policy(`
+ canna_stream_connect(i18n_input_t)
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
index ecab47a..6ba84cf 100644
--- a/policy/modules/services/icecast.if
@@ -43062,7 +42830,7 @@ index a4f32f5..32824fb 100644
type lpr_t, lpr_exec_t;
')
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..f28acd2 100644
+index 93c14ca..27d96e1 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -43150,21 +42918,25 @@ index 93c14ca..f28acd2 100644
# Send SIGHUP to lpd.
allow lpr_t lpd_t:process signal;
-@@ -308,12 +309,14 @@ tunable_policy(`use_lpd_server',`
+@@ -307,17 +308,7 @@ tunable_policy(`use_lpd_server',`
+ read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
')
- tunable_policy(`use_nfs_home_dirs',`
-+ files_list_home(lpr_t)
- fs_list_auto_mountpoints(lpr_t)
- fs_read_nfs_files(lpr_t)
- fs_read_nfs_symlinks(lpr_t)
- ')
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(lpr_t)
+- fs_read_nfs_files(lpr_t)
+- fs_read_nfs_symlinks(lpr_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_auto_mountpoints(lpr_t)
+- fs_read_cifs_files(lpr_t)
+- fs_read_cifs_symlinks(lpr_t)
+-')
++userdom_home_reader(lpr_t)
- tunable_policy(`use_samba_home_dirs',`
-+ files_list_home(lpr_t)
- fs_list_auto_mountpoints(lpr_t)
- fs_read_cifs_files(lpr_t)
- fs_read_cifs_symlinks(lpr_t)
+ optional_policy(`
+ cups_read_config(lpr_t)
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index 14ad189..2b8efd8 100644
--- a/policy/modules/services/mailman.fc
@@ -44529,10 +44301,10 @@ index 0000000..1d76fb8
+')
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
-index 0000000..b1107b5
+index 0000000..4389219
--- /dev/null
+++ b/policy/modules/services/mock.te
-@@ -0,0 +1,250 @@
+@@ -0,0 +1,251 @@
+policy_module(mock,1.0.0)
+
+##
@@ -44662,6 +44434,7 @@ index 0000000..b1107b5
+files_search_home(mock_t)
+
+tunable_policy(`mock_enable_homedirs',`
++ userdom_manage_user_home_content_dirs(mock_t)
+ userdom_manage_user_home_content_files(mock_t)
+')
+
@@ -44919,7 +44692,7 @@ index d72276f..cb8c563 100644
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
-index 7f68872..e4ac35e 100644
+index 7f68872..36ff69d 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -44932,27 +44705,18 @@ index 7f68872..e4ac35e 100644
manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -103,6 +106,19 @@ logging_send_syslog_msg(mpd_t)
+@@ -103,6 +106,10 @@ logging_send_syslog_msg(mpd_t)
miscfiles_read_localization(mpd_t)
+userdom_read_home_audio_files(mpd_t)
+userdom_read_user_tmpfs_files(mpd_t)
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(mpd_t)
-+ fs_read_cifs_symlinks(mpd_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(mpd_t)
-+ fs_read_nfs_symlinks(mpd_t)
-+')
++userdom_home_reader(mpd_t)
+
optional_policy(`
alsa_read_rw_config(mpd_t)
')
-@@ -122,5 +138,14 @@ optional_policy(`
+@@ -122,5 +129,14 @@ optional_policy(`
')
optional_policy(`
@@ -45011,7 +44775,7 @@ index 256166a..2320c87 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..e5519fd 100644
+index 343cee3..867dfac 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -45097,7 +44861,7 @@ index 343cee3..e5519fd 100644
########################################
##
## Make the specified type by a system MTA.
-@@ -306,7 +337,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,10 +337,11 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -45105,7 +44869,12 @@ index 343cee3..e5519fd 100644
')
typeattribute $1 mailserver_delivery;
-@@ -330,12 +360,6 @@ interface(`mta_mailserver_user_agent',`
++
++ userdom_home_manager($1)
+ ')
+
+ #######################################
+@@ -330,12 +362,6 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
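Review bot: `userdom_home_manager($1)` inside `mta_mailserver_delivery` moves the home-directory grant from the `mailserver_delivery` attribute to this interface, since the mta.te hunk further down removes the `tunable_policy` blocks that applied `fs_manage_nfs_*`/`fs_manage_cifs_*` to the attribute. A type that gets the attribute through a direct `typeattribute` statement rather than this interface (none is visible here) would silently lose NFS/CIFS delivery. The interface's `##` summary also no longer covers everything it grants; I would add `## Also grants userdom_home_manager() access to user home content.` to its description. The macro's definition is outside this part of the patch, so whether the grant stays boolean-gated should be confirmed. The interface body starts in the preceding hunk.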
@@ -45118,7 +44887,7 @@ index 343cee3..e5519fd 100644
')
########################################
-@@ -350,9 +374,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +376,8 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -45129,7 +44898,7 @@ index 343cee3..e5519fd 100644
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +414,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +416,17 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -45149,7 +44918,7 @@ index 343cee3..e5519fd 100644
')
########################################
-@@ -409,7 +437,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +439,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
@@ -45157,7 +44926,7 @@ index 343cee3..e5519fd 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +447,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +449,24 @@ interface(`mta_signal_system_mail',`
########################################
##
@@ -45182,7 +44951,7 @@ index 343cee3..e5519fd 100644
## Execute sendmail in the caller domain.
##
##
-@@ -438,6 +483,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +485,26 @@ interface(`mta_sendmail_exec',`
########################################
##
@@ -45209,7 +44978,7 @@ index 343cee3..e5519fd 100644
## Read mail server configuration.
##
##
-@@ -474,7 +539,8 @@ interface(`mta_write_config',`
+@@ -474,7 +541,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -45219,7 +44988,7 @@ index 343cee3..e5519fd 100644
')
########################################
-@@ -494,6 +560,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +562,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -45227,7 +44996,7 @@ index 343cee3..e5519fd 100644
')
########################################
-@@ -532,7 +599,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +601,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -45236,7 +45005,7 @@ index 343cee3..e5519fd 100644
')
########################################
-@@ -552,7 +619,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +621,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -45245,7 +45014,7 @@ index 343cee3..e5519fd 100644
')
#######################################
-@@ -646,8 +713,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +715,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -45256,7 +45025,7 @@ index 343cee3..e5519fd 100644
')
#######################################
-@@ -677,7 +744,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +746,26 @@ interface(`mta_spool_filetrans',`
')
files_search_spool($1)
@@ -45284,7 +45053,7 @@ index 343cee3..e5519fd 100644
')
########################################
-@@ -697,8 +783,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +785,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -45295,7 +45064,7 @@ index 343cee3..e5519fd 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +924,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +926,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -45304,7 +45073,7 @@ index 343cee3..e5519fd 100644
')
########################################
-@@ -864,6 +950,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +952,36 @@ interface(`mta_manage_queue',`
#######################################
##
@@ -45341,7 +45110,7 @@ index 343cee3..e5519fd 100644
## Read sendmail binary.
##
##
-@@ -899,3 +1015,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +1017,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -45457,7 +45226,7 @@ index 343cee3..e5519fd 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..65fd01f 100644
+index 64268e4..7f55b85 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -45646,7 +45415,7 @@ index 64268e4..65fd01f 100644
########################################
#
# Mailserver delivery local policy
-@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,28 +228,21 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -45656,7 +45425,21 @@ index 64268e4..65fd01f 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +251,10 @@ optional_policy(`
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mailserver_delivery)
+- fs_manage_cifs_files(mailserver_delivery)
+- fs_manage_cifs_symlinks(mailserver_delivery)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mailserver_delivery)
+- fs_manage_nfs_files(mailserver_delivery)
+- fs_manage_nfs_symlinks(mailserver_delivery)
+-')
+-
+ optional_policy(`
+ dovecot_manage_spool(mailserver_delivery)
+ dovecot_domtrans_deliver(mailserver_delivery)
')
optional_policy(`
@@ -45667,7 +45450,7 @@ index 64268e4..65fd01f 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,16 +262,25 @@ optional_policy(`
+@@ -249,16 +250,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -45695,7 +45478,7 @@ index 64268e4..65fd01f 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,6 +299,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,6 +287,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files(mta_user_agent)
@@ -45704,7 +45487,7 @@ index 64268e4..65fd01f 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(user_mail_t)
fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +316,47 @@ optional_policy(`
+@@ -292,3 +304,47 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -46214,7 +45997,7 @@ index e9c0982..ac7e846 100644
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..d19d2d2 100644
+index 0a0d63c..8fcabd8 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -46282,7 +46065,13 @@ index 0a0d63c..d19d2d2 100644
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,21 +179,27 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -170,26 +174,33 @@ kernel_read_system_state(mysqld_safe_t)
+ kernel_read_kernel_sysctls(mysqld_safe_t)
+
+ corecmd_exec_bin(mysqld_safe_t)
++corecmd_exec_shell(mysqld_safe_t)
+
+ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
@@ -46723,7 +46512,7 @@ index 74da57f..b94bb3b 100644
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..47e1b41 100644
+index 386543b..8e8f911 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
@@ -1,6 +1,15 @@
@@ -46743,7 +46532,7 @@ index 386543b..47e1b41 100644
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-@@ -16,7 +25,8 @@
+@@ -16,11 +25,13 @@
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
@@ -46753,6 +46542,11 @@ index 386543b..47e1b41 100644
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 2324d9e..8666a3c 100644
--- a/policy/modules/services/networkmanager.if
@@ -48529,7 +48323,7 @@ index bb4fae5..044486c 100644
+ admin_pattern($1, oidentd_config_t)
+')
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
-index 8845174..98f541f 100644
+index 8845174..58148ed 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
@@ -48547,6 +48341,25 @@ index 8845174..98f541f 100644
allow oidentd_t self:unix_dgram_socket { create connect };
allow oidentd_t oidentd_config_t:file read_file_perms;
+@@ -59,17 +59,8 @@ miscfiles_read_localization(oidentd_t)
+ sysnet_read_config(oidentd_t)
+
+ oident_read_user_content(oidentd_t)
++userdom_home_reader(oidentd_t)
+
+ optional_policy(`
+ nis_use_ypbind(oidentd_t)
+ ')
+-
+-tunable_policy(`use_samba_home_dirs', `
+- fs_list_cifs(oidentd_t)
+- fs_read_cifs_files(oidentd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs', `
+- fs_list_nfs(oidentd_t)
+- fs_read_nfs_files(oidentd_t)
+-')
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
index 9d0a67b..9197ef0 100644
--- a/policy/modules/services/openct.if
@@ -48575,6 +48388,36 @@ index 9d0a67b..9197ef0 100644
##
#
interface(`openct_domtrans',`
+diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
+index 7f8fdc2..047d985 100644
+--- a/policy/modules/services/openct.te
++++ b/policy/modules/services/openct.te
+@@ -23,12 +23,13 @@ allow openct_t self:process signal_perms;
+ manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+-files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+
+ kernel_read_kernel_sysctls(openct_t)
+ kernel_list_proc(openct_t)
+ kernel_read_proc_symlinks(openct_t)
+
++can_exec(openct_t, openct_exec_t)
++
+ dev_read_sysfs(openct_t)
+ # openct asks for this
+ dev_rw_usbfs(openct_t)
+@@ -50,7 +51,9 @@ miscfiles_read_localization(openct_t)
+ userdom_dontaudit_use_unpriv_user_fds(openct_t)
+ userdom_dontaudit_search_user_home_dirs(openct_t)
+
+-openct_exec(openct_t)
++optional_policy(`
++ pcscd_stream_connect(openct_t)
++')
+
+ optional_policy(`
+ seutil_sigchld_newrole(openct_t)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index d883214..d6afa87 100644
--- a/policy/modules/services/openvpn.if
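Review bot: The new openct.te section removes `files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })` while keeping the three `manage_*_pattern` rules on `openct_var_run_t`. Without the transition, objects openct_t creates in the pid directory keep the parent directory's type instead of `openct_var_run_t`, so the manage rules no longer match them. The usual outcome is AVC denials, followed by pressure to grant access to the generic run-directory type. Unless a replacement transition is added somewhere outside this hunk, I would keep the line: `files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })`. Replacing `openct_exec(openct_t)` with `can_exec(openct_t, openct_exec_t)` looks equivalent.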
@@ -50054,10 +49897,39 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..9cdbfa8 100644
+index 1e7169d..a16f7d7 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
-@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0)
+ # Declarations
+ #
+
+-type policykit_t alias polkit_t;
+-type policykit_exec_t alias polkit_exec_t;
++attribute policykit_domain;
++
++type policykit_t, policykit_domain;
++type policykit_exec_t;
+ init_daemon_domain(policykit_t, policykit_exec_t)
+
+-type policykit_auth_t alias polkit_auth_t;
+-type policykit_auth_exec_t alias polkit_auth_exec_t;
++type policykit_auth_t, policykit_domain;
++type policykit_auth_exec_t;
+ init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+-type policykit_grant_t alias polkit_grant_t;
+-type policykit_grant_exec_t alias polkit_grant_exec_t;
++type policykit_grant_t, policykit_domain;
++type policykit_grant_exec_t;
+ init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+-type policykit_resolve_t alias polkit_resolve_t;
+-type policykit_resolve_exec_t alias polkit_resolve_exec_t;
++type policykit_resolve_t, policykit_domain;
++type policykit_resolve_exec_t;
+ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
type policykit_reload_t alias polkit_reload_t;
files_type(policykit_reload_t)
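Review bot: The four domain types and their `_exec_t` types lose their `alias polkit_*` names here, while `policykit_reload_t`, `policykit_var_lib_t` and `policykit_var_run_t` keep theirs. Any module or local policy that still names `polkit_t`, `polkit_auth_t` and so on will stop resolving; the earlier revision of this same patch used `polkit_auth_t` in its `fs_getattr_all_fs`/`fs_search_tmpfs` calls, so such references did exist. The alias and the attribute can be declared together, e.g. `type policykit_t alias polkit_t, policykit_domain;` and `type policykit_exec_t alias polkit_exec_t;`. If dropping the aliases is intended, that should be stated in the changelog.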
@@ -50067,7 +49939,27 @@ index 1e7169d..9cdbfa8 100644
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
-@@ -35,11 +38,11 @@ files_pid_file(policykit_var_run_t)
+ type policykit_var_run_t alias polkit_var_run_t;
+ files_pid_file(policykit_var_run_t)
+
++#######################################
++#
++# policykit_domain local policy
++#
++
++allow policykit_domain self:process getattr;
++allow policykit_domain self:fifo_file rw_fifo_file_perms;
++
++dev_read_sysfs(policykit_domain)
++
++#auth_use_nsswitch(policykit_domain)
++
++logging_send_syslog_msg(policykit_domain)
++
++miscfiles_read_localization(policykit_domain)
++
+ ########################################
+ #
# policykit local policy
#
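Review bot: `#auth_use_nsswitch(policykit_domain)` in the new policykit_domain block is commented-out code with no explanation, and each of the four domains still carries its own `auth_use_nsswitch(...)` call in the later hunks. Either enable it on the attribute and drop the per-domain calls, or delete the line. If it is disabled for a reason, replace it with a comment that states the reason, e.g. `# auth_use_nsswitch is kept per-domain because <reason>`.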
@@ -50075,15 +49967,22 @@ index 1e7169d..9cdbfa8 100644
-allow policykit_t self:process getattr;
-allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
-+allow policykit_t self:process { getsched getattr signal };
-+allow policykit_t self:fifo_file rw_fifo_file_perms;
++allow policykit_t self:process { getsched signal };
allow policykit_t self:unix_dgram_socket create_socket_perms;
-allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
policykit_domtrans_auth(policykit_t)
-@@ -56,10 +59,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+ can_exec(policykit_t, policykit_exec_t)
+ corecmd_exec_bin(policykit_t)
+
++dev_read_sysfs(policykit_t)
++
+ rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+ policykit_domtrans_resolve(policykit_t)
+@@ -56,56 +78,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
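Review bot: The added `dev_read_sysfs(policykit_t)` is redundant, because `policykit_t` is now declared with the `policykit_domain` attribute and the new attribute block already has `dev_read_sysfs(policykit_domain)`. This hunk moves `getattr` and the fifo_file rule to the attribute for the same reason, so the per-type sysfs line should go as well. Leaving it in makes it harder to see which permissions are shared and which are specific to `policykit_t`.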
@@ -50100,19 +49999,18 @@ index 1e7169d..9cdbfa8 100644
auth_use_nsswitch(policykit_t)
-@@ -67,45 +76,92 @@ logging_send_syslog_msg(policykit_t)
-
- miscfiles_read_localization(policykit_t)
-
+-logging_send_syslog_msg(policykit_t)
+userdom_getattr_all_users(policykit_t)
- userdom_read_all_users_state(policykit_t)
++userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
+
+optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
-+
+
+-miscfiles_read_localization(policykit_t)
+ init_dbus_chat(policykit_t)
-+
+
+-userdom_read_all_users_state(policykit_t)
+ optional_policy(`
+ consolekit_dbus_chat(policykit_t)
+ ')
@@ -50141,8 +50039,7 @@ index 1e7169d..9cdbfa8 100644
-allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:capability { ipc_lock setgid setuid };
+dontaudit policykit_auth_t self:capability sys_tty_config;
-+allow policykit_auth_t self:process { getattr getsched signal };
-+allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
++allow policykit_auth_t self:process { getsched signal };
+
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -50175,17 +50072,17 @@ index 1e7169d..9cdbfa8 100644
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
+files_search_home(policykit_auth_t)
-+
-+fs_getattr_all_fs(polkit_auth_t)
-+fs_search_tmpfs(polkit_auth_t)
- auth_use_nsswitch(policykit_auth_t)
+-auth_use_nsswitch(policykit_auth_t)
++fs_getattr_all_fs(policykit_auth_t)
++fs_search_tmpfs(policykit_auth_t)
+
+-logging_send_syslog_msg(policykit_auth_t)
+auth_rw_var_auth(policykit_auth_t)
++auth_use_nsswitch(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
- logging_send_syslog_msg(policykit_auth_t)
-
- miscfiles_read_localization(policykit_auth_t)
+-miscfiles_read_localization(policykit_auth_t)
+miscfiles_read_fonts(policykit_auth_t)
+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
@@ -50199,7 +50096,7 @@ index 1e7169d..9cdbfa8 100644
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,6 +174,14 @@ optional_policy(`
+@@ -118,14 +185,21 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
@@ -50214,17 +50111,27 @@ index 1e7169d..9cdbfa8 100644
########################################
#
# polkit_grant local policy
-@@ -125,7 +189,8 @@ optional_policy(`
+ #
allow policykit_grant_t self:capability setuid;
- allow policykit_grant_t self:process getattr;
+-allow policykit_grant_t self:process getattr;
-allow policykit_grant_t self:fifo_file rw_file_perms;
-+allow policykit_grant_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -155,9 +220,12 @@ miscfiles_read_localization(policykit_grant_t)
+@@ -145,19 +219,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+ files_read_etc_files(policykit_grant_t)
+ files_read_usr_files(policykit_grant_t)
+
+-auth_use_nsswitch(policykit_grant_t)
+ auth_domtrans_chk_passwd(policykit_grant_t)
+-
+-logging_send_syslog_msg(policykit_grant_t)
+-
+-miscfiles_read_localization(policykit_grant_t)
++auth_use_nsswitch(policykit_grant_t)
+
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -50238,20 +50145,34 @@ index 1e7169d..9cdbfa8 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,9 +235,10 @@ optional_policy(`
+@@ -167,9 +240,8 @@ optional_policy(`
# polkit_resolve local policy
#
-allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
-+allow policykit_resolve_t self:capability { setuid sys_nice };
- allow policykit_resolve_t self:process getattr;
+-allow policykit_resolve_t self:process getattr;
-allow policykit_resolve_t self:fifo_file rw_file_perms;
-+allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
++allow policykit_resolve_t self:capability { setuid sys_nice };
+
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-@@ -207,4 +276,3 @@ optional_policy(`
+@@ -185,13 +257,9 @@ corecmd_search_bin(policykit_resolve_t)
+ files_read_etc_files(policykit_resolve_t)
+ files_read_usr_files(policykit_resolve_t)
+
+-mcs_ptrace_all(policykit_resolve_t)
+-
+ auth_use_nsswitch(policykit_resolve_t)
+
+-logging_send_syslog_msg(policykit_resolve_t)
+-
+-miscfiles_read_localization(policykit_resolve_t)
++mcs_ptrace_all(policykit_resolve_t)
+
+ userdom_read_all_users_state(policykit_resolve_t)
+
+@@ -207,4 +275,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
@@ -50475,10 +50396,10 @@ index 0000000..7dc2c0c
+')
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
new file mode 100644
-index 0000000..89ab1b6
+index 0000000..d958b53
--- /dev/null
+++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,149 @@
+policy_module(polipo, 1.0.0)
+
+########################################
@@ -50627,17 +50548,7 @@ index 0000000..89ab1b6
+ logging_send_syslog_msg(polipo_session_t)
+')
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_files(polipo_session_t)
-+',`
-+ fs_dontaudit_manage_nfs_files(polipo_session_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_files(polipo_session_t)
-+',`
-+ fs_dontaudit_manage_cifs_files(polipo_session_t)
-+')
++userdom_home_manager(polipo_session_t)
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 333a1fe..e599723 100644
--- a/policy/modules/services/portmap.te
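Review bot: The removed blocks for polipo_session_t granted only `fs_manage_nfs_files`/`fs_manage_cifs_files`, with `fs_dontaudit_manage_*_files` in their else branches. The `userdom_home_manager(polipo_session_t)` that replaces them is the same macro used for the dirs, files and symlinks blocks removed from mta.te. So either this proxy session domain gains directory and symlink management on network home directories, or the mail delivery domains lose it. Unless the macro has its own else branch (its definition is not in this part of the patch), the dontaudit rules are also gone and denials will be logged when the booleans are off. If file-only access was deliberate, I would keep the original two `tunable_policy` blocks for this domain rather than the shared macro.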
@@ -50804,7 +50715,7 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..e50a72c 100644
+index 46bee12..2216f6a 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -51049,7 +50960,7 @@ index 46bee12..e50a72c 100644
')
########################################
-@@ -621,3 +701,136 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,154 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -51169,6 +51080,24 @@ index 46bee12..e50a72c 100644
+
+########################################
+##
++## Execute postfix exec in the users domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_exec',`
++ gen_require(`
++ type postfix_exec_t;
++ ')
++
++ can_exec($1, postfix_exec_t)
++')
++
++########################################
++##
+## Transition to postfix named content
+##
+##
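Review bot: The summary `Execute postfix exec in the users domain` on the new `postfix_exec` interface is hard to parse and leaves out the security-relevant part. `can_exec($1, postfix_exec_t)` lets the caller run the binary without a domain transition, so it executes with the caller's permissions rather than a postfix domain's. I would reword the summary to `## Execute postfix_exec_t files in the caller domain (no domain transition).` so that reviewers of future callers see this without opening the macro.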
@@ -51187,7 +51116,7 @@ index 46bee12..e50a72c 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..3a59bac 100644
+index a32c4b3..94e68b2 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -51294,7 +51223,15 @@ index a32c4b3..3a59bac 100644
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
+
+ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+ kernel_read_all_sysctls(postfix_master_t)
+@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
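Review bot: `rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` gives the master process read and write access to maildrop queue files, where the surrounding rules allowed only delete, rename and directory setattr. Nothing in the hunk says which operation needed it. Since this widens access to queued mail content, I would add a comment above the line such as `# master opens maildrop queue files read/write (see <bug reference>)`. It is also worth checking whether read alone would satisfy the denial that prompted the change.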
@@ -51304,7 +51241,7 @@ index a32c4b3..3a59bac 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -51315,7 +51252,7 @@ index a32c4b3..3a59bac 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -51334,7 +51271,7 @@ index a32c4b3..3a59bac 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
@@ -51352,7 +51289,7 @@ index a32c4b3..3a59bac 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +294,8 @@ optional_policy(`
+@@ -264,8 +295,8 @@ optional_policy(`
# Postfix local local policy
#
@@ -51362,7 +51299,7 @@ index a32c4b3..3a59bac 100644
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -51371,7 +51308,7 @@ index a32c4b3..3a59bac 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -51390,7 +51327,7 @@ index a32c4b3..3a59bac 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +334,10 @@ optional_policy(`
+@@ -297,6 +335,10 @@ optional_policy(`
')
optional_policy(`
@@ -51401,7 +51338,7 @@ index a32c4b3..3a59bac 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +345,22 @@ optional_policy(`
+@@ -304,9 +346,22 @@ optional_policy(`
')
optional_policy(`
@@ -51424,7 +51361,7 @@ index a32c4b3..3a59bac 100644
########################################
#
# Postfix map local policy
-@@ -372,6 +426,7 @@ optional_policy(`
+@@ -372,6 +427,7 @@ optional_policy(`
# Postfix pickup local policy
#
@@ -51432,7 +51369,7 @@ index a32c4b3..3a59bac 100644
allow postfix_pickup_t self:tcp_socket create_socket_perms;
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +434,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,19 +435,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -51460,7 +51397,7 @@ index a32c4b3..3a59bac 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -51469,7 +51406,7 @@ index a32c4b3..3a59bac 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +484,7 @@ optional_policy(`
+@@ -420,6 +485,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -51477,7 +51414,7 @@ index a32c4b3..3a59bac 100644
')
optional_policy(`
-@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -51495,7 +51432,7 @@ index a32c4b3..3a59bac 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -51506,7 +51443,7 @@ index a32c4b3..3a59bac 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +578,8 @@ optional_policy(`
+@@ -507,6 +579,8 @@ optional_policy(`
# Postfix qmgr local policy
#
@@ -51515,7 +51452,7 @@ index a32c4b3..3a59bac 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -51528,7 +51465,7 @@ index a32c4b3..3a59bac 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -51539,7 +51476,16 @@ index a32c4b3..3a59bac 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +644,14 @@ optional_policy(`
+@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+ allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
++rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++
+ files_search_all_mountpoints(postfix_smtp_t)
+
+ optional_policy(`
+@@ -565,6 +647,14 @@ optional_policy(`
')
optional_policy(`
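Review bot: The added `rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` names postfix_master_t as its subject but sits between two postfix_smtp_t rules (`allow postfix_smtp_t postfix_spool_t:file rw_file_perms;` and `files_search_all_mountpoints(postfix_smtp_t)`). Either the subject is a slip for postfix_smtp_t, or the rule belongs with the other postfix_master_t rules, which are outside this hunk. As written, it gives the master domain read/write on maildrop queue files with no stated reason. I would move it to the master section and add a comment such as `# master needs rw on maildrop queue files: <bug/AVC reference>`, so the grant can be audited later.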
@@ -51554,7 +51500,7 @@ index a32c4b3..3a59bac 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +675,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +678,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -51571,7 +51517,7 @@ index a32c4b3..3a59bac 100644
')
optional_policy(`
-@@ -599,6 +692,10 @@ optional_policy(`
+@@ -599,6 +695,10 @@ optional_policy(`
')
optional_policy(`
@@ -51582,7 +51528,7 @@ index a32c4b3..3a59bac 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,8 +708,8 @@ optional_policy(`
+@@ -611,8 +711,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -51592,7 +51538,7 @@ index a32c4b3..3a59bac 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +730,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -52492,7 +52438,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..6451f82 100644
+index 29b9295..4c188f9 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -52546,7 +52492,26 @@ index 29b9295..6451f82 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -125,6 +138,11 @@ optional_policy(`
+@@ -97,17 +110,7 @@ ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(procmail_t)
+- fs_manage_nfs_files(procmail_t)
+- fs_manage_nfs_symlinks(procmail_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(procmail_t)
+- fs_manage_cifs_files(procmail_t)
+- fs_manage_cifs_symlinks(procmail_t)
+-')
++userdom_home_manager(procmail_t)
+
+ optional_policy(`
+ clamav_domtrans_clamscan(procmail_t)
+@@ -125,6 +128,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
@@ -54321,10 +54286,10 @@ index f04a595..d6a6e1a 100644
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
-index 852840b..cc1775e 100644
+index 852840b..9405f78 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
-@@ -5,118 +5,135 @@ policy_module(razor, 2.2.0)
+@@ -5,118 +5,125 @@ policy_module(razor, 2.2.0)
# Declarations
#
@@ -54440,34 +54405,22 @@ index 852840b..cc1775e 100644
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+ auth_use_nsswitch(razor_t)
-+
-+ logging_send_syslog_msg(razor_t)
-+
-+ userdom_search_user_home_dirs(razor_t)
-+ userdom_use_inherited_user_terminals(razor_t)
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(razor_t)
-+ fs_manage_nfs_files(razor_t)
-+ fs_manage_nfs_symlinks(razor_t)
-+ ')
-type razor_etc_t;
-files_config_file(razor_etc_t)
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(razor_t)
-+ fs_manage_cifs_files(razor_t)
-+ fs_manage_cifs_symlinks(razor_t)
-+ ')
++ logging_send_syslog_msg(razor_t)
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-userdom_user_home_content(razor_home_t)
--
++ userdom_search_user_home_dirs(razor_t)
++ userdom_use_inherited_user_terminals(razor_t)
+
-type razor_log_t;
-logging_log_file(razor_log_t)
--
++ userdom_home_manager(razor_t)
+
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
@@ -54573,7 +54526,7 @@ index 852840b..cc1775e 100644
+ ')
')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..adc198d 100644
+index 0a76027..a475797 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
@@ -54615,7 +54568,7 @@ index 0a76027..adc198d 100644
miscfiles_read_localization(remote_login_t)
-@@ -87,9 +82,11 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,34 +82,28 @@ userdom_search_user_home_content(remote_login_t)
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
@@ -54627,9 +54580,19 @@ index 0a76027..adc198d 100644
+userdom_manage_user_tmp_files(remote_login_t)
+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(remote_login_t)
-@@ -106,15 +103,15 @@ optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(remote_login_t)
+- fs_read_nfs_symlinks(remote_login_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(remote_login_t)
+- fs_read_cifs_symlinks(remote_login_t)
+-')
++userdom_home_reader(remote_login_t)
+
+ optional_policy(`
+ alsa_domtrans(remote_login_t)
')
optional_policy(`
@@ -56503,7 +56466,7 @@ index 63e78c6..fdd8228 100644
type rlogind_home_t;
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..4bcaacc 100644
+index 779fa44..91c8ee8 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -56543,7 +56506,7 @@ index 779fa44..4bcaacc 100644
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
-@@ -88,9 +88,10 @@ seutil_read_config(rlogind_t)
+@@ -88,29 +88,24 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
@@ -56554,10 +56517,25 @@ index 779fa44..4bcaacc 100644
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
+userdom_use_user_terminals(rlogind_t)
++userdom_home_reader(rlogind_t)
rlogin_read_home_content(rlogind_t)
-@@ -112,5 +113,10 @@ optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_nfs(rlogind_t)
+- fs_read_nfs_files(rlogind_t)
+- fs_read_nfs_symlinks(rlogind_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_cifs(rlogind_t)
+- fs_read_cifs_files(rlogind_t)
+- fs_read_cifs_symlinks(rlogind_t)
+-')
+-
+ optional_policy(`
+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`
@@ -57049,17 +57027,28 @@ index d6d76e1..9cb5e25 100644
+ nis_use_ypbind(rpcbind_t)
+')
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 0b405d1..49a4283 100644
+index 0b405d1..cdf9184 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
-@@ -66,6 +66,7 @@ seutil_read_config(rshd_t)
+@@ -66,16 +66,9 @@ seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t)
userdom_search_user_home_content(rshd_t)
+userdom_manage_tmp_role(system_r, rshd_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(rshd_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(rshd_t)
+- fs_read_nfs_symlinks(rshd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(rshd_t)
+- fs_read_cifs_symlinks(rshd_t)
+-')
++userdom_home_reader(rshd_t)
+
+ optional_policy(`
+ kerberos_keytab_template(rshd, rshd_t)
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 3386f29..b28cae5 100644
--- a/policy/modules/services/rsync.if
@@ -59541,7 +59530,7 @@ index c954f31..85e8212 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..a370364 100644
+index ec1eb1e..fdb471a 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -59683,7 +59672,14 @@ index ec1eb1e..a370364 100644
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
-@@ -108,6 +153,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
+@@ -102,12 +147,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
++userdom_home_manager(spamassassin_t)
+
+ kernel_read_kernel_sysctls(spamassassin_t)
+
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
@@ -59691,7 +59687,7 @@ index ec1eb1e..a370364 100644
# this should probably be removed
corecmd_list_bin(spamassassin_t)
-@@ -148,6 +194,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +195,9 @@ tunable_policy(`spamassassin_can_network',`
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -59701,7 +59697,26 @@ index ec1eb1e..a370364 100644
sysnet_read_config(spamassassin_t)
')
-@@ -184,6 +233,8 @@ optional_policy(`
+@@ -158,18 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_symlinks(spamd_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(spamassassin_t)
+- fs_manage_nfs_files(spamassassin_t)
+- fs_manage_nfs_symlinks(spamassassin_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(spamassassin_t)
+- fs_manage_cifs_files(spamassassin_t)
+- fs_manage_cifs_symlinks(spamassassin_t)
+-')
+-
+ optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+@@ -184,6 +222,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -59710,7 +59725,7 @@ index ec1eb1e..a370364 100644
')
########################################
-@@ -206,15 +257,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +246,32 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -59743,7 +59758,7 @@ index ec1eb1e..a370364 100644
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +294,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +283,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -59751,7 +59766,7 @@ index ec1eb1e..a370364 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -244,9 +313,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +302,14 @@ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -59766,22 +59781,11 @@ index ec1eb1e..a370364 100644
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +328,46 @@ seutil_read_config(spamc_t)
+@@ -254,27 +317,35 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(spamc_t)
-+ fs_manage_nfs_files(spamc_t)
-+ fs_manage_nfs_symlinks(spamc_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(spamc_t)
-+ fs_manage_cifs_files(spamc_t)
-+ fs_manage_cifs_symlinks(spamc_t)
-+')
-+
++userdom_home_manager(spamc_t)
+
optional_policy(`
- # Allow connection to spamd socket above
@@ -59819,7 +59823,7 @@ index ec1eb1e..a370364 100644
')
########################################
-@@ -286,7 +379,7 @@ optional_policy(`
+@@ -286,7 +357,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -59828,7 +59832,7 @@ index ec1eb1e..a370364 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +373,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -59847,7 +59851,7 @@ index ec1eb1e..a370364 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +392,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -59865,7 +59869,7 @@ index ec1eb1e..a370364 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +471,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,23 +449,23 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -59881,23 +59885,23 @@ index ec1eb1e..a370364 100644
-
userdom_use_unpriv_users_fds(spamd_t)
userdom_search_user_home_dirs(spamd_t)
++userdom_home_manager(spamd_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(spamd_t)
+optional_policy(`
-+ exim_manage_spool_dirs(spamd_t)
-+ exim_manage_spool_files(spamd_t)
-+')
-+
- tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(spamd_t)
- fs_manage_nfs_files(spamd_t)
++ clamav_stream_connect(spamd_t)
')
- tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(spamd_t)
- fs_manage_cifs_files(spamd_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(spamd_t)
++optional_policy(`
++ exim_manage_spool_dirs(spamd_t)
++ exim_manage_spool_files(spamd_t)
')
-@@ -399,7 +508,9 @@ optional_policy(`
+ optional_policy(`
+@@ -399,7 +481,9 @@ optional_policy(`
')
optional_policy(`
@@ -59907,7 +59911,7 @@ index ec1eb1e..a370364 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +519,17 @@ optional_policy(`
+@@ -408,25 +492,17 @@ optional_policy(`
')
optional_policy(`
@@ -59935,7 +59939,7 @@ index ec1eb1e..a370364 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +540,10 @@ optional_policy(`
+@@ -437,6 +513,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -59946,7 +59950,7 @@ index ec1eb1e..a370364 100644
')
optional_policy(`
-@@ -451,3 +558,51 @@ optional_policy(`
+@@ -451,3 +531,51 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -60137,7 +60141,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..5439f7e 100644
+index 22adaca..d6a4b77 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -60289,7 +60293,7 @@ index 22adaca..5439f7e 100644
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -243,13 +271,17 @@ template(`ssh_server_template', `
+@@ -243,21 +271,13 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
@@ -60301,15 +60305,19 @@ index 22adaca..5439f7e 100644
# Allow checking users mail at login
mta_getattr_spool($1_t)
-+ tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs($1_t)
-+ fs_manage_fusefs_files($1_t)
-+ ')
-+
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files($1_t)
- fs_read_nfs_symlinks($1_t)
-@@ -268,6 +300,14 @@ template(`ssh_server_template', `
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files($1_t)
+- fs_read_nfs_symlinks($1_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files($1_t)
+- ')
++ userdom_home_manager($1_t)
+
+ optional_policy(`
+ kerberos_use($1_t)
+@@ -268,6 +288,14 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
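Review bot: Access of `$1_t` to NFS and CIFS home directories appears to go from read-only to manage in ssh_server_template. The removed tunable blocks granted only `fs_read_nfs_files`, `fs_read_nfs_symlinks` and `fs_read_cifs_files`, and the replacement is `userdom_home_manager($1_t)`. The other read-only blocks converted in this patch (remote_login_t, rlogind_t, rshd_t, sssd_t) became `userdom_home_reader`, so this one is either a deliberate widening or the wrong macro. If the server domains only need to read keys and dotfiles on network homes, `userdom_home_reader($1_t)` would keep the previous privilege level for NFS/CIFS; otherwise add a comment saying what needs write access. Both macros are defined outside this hunk and the template body continues beyond it, so the exact permission sets should be confirmed there.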
@@ -60324,7 +60332,7 @@ index 22adaca..5439f7e 100644
')
########################################
-@@ -290,11 +330,11 @@ template(`ssh_server_template', `
+@@ -290,11 +318,11 @@ template(`ssh_server_template', `
## User domain for the role
##
##
@@ -60337,7 +60345,7 @@ index 22adaca..5439f7e 100644
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
-@@ -327,17 +367,20 @@ template(`ssh_role_template',`
+@@ -327,17 +355,20 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -60359,7 +60367,7 @@ index 22adaca..5439f7e 100644
##############################
#
-@@ -359,7 +402,7 @@ template(`ssh_role_template',`
+@@ -359,7 +390,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -60368,7 +60376,7 @@ index 22adaca..5439f7e 100644
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +424,6 @@ template(`ssh_role_template',`
+@@ -381,7 +412,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
@@ -60376,7 +60384,7 @@ index 22adaca..5439f7e 100644
libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +435,13 @@ template(`ssh_role_template',`
+@@ -393,28 +423,15 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@@ -60389,18 +60397,32 @@ index 22adaca..5439f7e 100644
- allow $3 $1_ssh_agent_t:fd use;
- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
- allow $3 $1_ssh_agent_t:process sigchld;
-+
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files($1_ssh_agent_t)
+
+- # transition back to normal privs upon exec
+- fs_nfs_domtrans($1_ssh_agent_t, $3)
+- ')
+ ssh_exec_keygen($3)
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +518,27 @@ interface(`ssh_read_pipes',`
+- tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files($1_ssh_agent_t)
+-
+- # transition back to normal privs upon exec
+- fs_cifs_domtrans($1_ssh_agent_t, $3)
+- ')
++ userdom_home_manager($1_ssh_agent_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_ssh_agent_t)
+@@ -477,8 +494,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
- allow $1 sshd_t:fifo_file { getattr read };
+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
-+')
+ ')
+
+######################################
+##
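Review bot: The blocks removed for `$1_ssh_agent_t` did more than grant file access: they also carried `fs_nfs_domtrans($1_ssh_agent_t, $3)` and `fs_cifs_domtrans($1_ssh_agent_t, $3)`, commented "transition back to normal privs upon exec". Nothing visible here shows that `userdom_home_manager($1_ssh_agent_t)` supplies an equivalent domain transition; its definition is outside this hunk. If it does not, a program the agent executes from an NFS or CIFS home would no longer transition to the user domain `$3`. I would keep the two domtrans calls under their `use_nfs_home_dirs` / `use_samba_home_dirs` tunables, or state in a comment where the transition is now provided. The old grant was also only `fs_manage_nfs_files` / `fs_manage_cifs_files`, so it is worth checking that the macro does not add directory and symlink management the agent does not need.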
@@ -60418,12 +60440,12 @@ index 22adaca..5439f7e 100644
+ ')
+
+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
- ')
++')
+
########################################
##
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +554,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +530,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -60432,7 +60454,7 @@ index 22adaca..5439f7e 100644
')
########################################
-@@ -586,6 +646,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +622,24 @@ interface(`ssh_domtrans',`
########################################
##
@@ -60457,7 +60479,7 @@ index 22adaca..5439f7e 100644
## Execute the ssh client in the caller domain.
##
##
-@@ -618,7 +696,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +672,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -60466,7 +60488,7 @@ index 22adaca..5439f7e 100644
files_search_pids($1)
')
-@@ -643,6 +721,24 @@ interface(`ssh_agent_exec',`
+@@ -643,6 +697,42 @@ interface(`ssh_agent_exec',`
########################################
##
@@ -60488,10 +60510,28 @@ index 22adaca..5439f7e 100644
+
+########################################
+##
++## Dontaudit search ssh home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_dontaudit_search_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ dontaudit $1 ssh_home_t:dir search_dir_perms;
++')
++
++########################################
++##
## Read ssh home directory content
##
##
-@@ -682,6 +778,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -682,6 +772,50 @@ interface(`ssh_domtrans_keygen',`
########################################
##
@@ -60542,7 +60582,7 @@ index 22adaca..5439f7e 100644
## Read ssh server keys
##
##
-@@ -695,7 +835,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +829,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -60551,7 +60591,7 @@ index 22adaca..5439f7e 100644
')
######################################
-@@ -735,3 +875,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +869,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -60634,7 +60674,7 @@ index 22adaca..5439f7e 100644
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..02e70c9 100644
+index 2dad3c8..e93db05 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -60790,7 +60830,7 @@ index 2dad3c8..02e70c9 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -162,21 +186,28 @@ logging_read_generic_logs(ssh_t)
+@@ -162,31 +186,29 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
miscfiles_read_localization(ssh_t)
@@ -60810,22 +60850,31 @@ index 2dad3c8..02e70c9 100644
+userdom_write_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
+userdom_read_home_certs(ssh_t)
++userdom_home_manager(ssh_t)
tunable_policy(`allow_ssh_keysign',`
- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
- allow ssh_keysign_t ssh_t:fd use;
- allow ssh_keysign_t ssh_t:process sigchld;
- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(ssh_t)
+- fs_manage_nfs_files(ssh_t)
+ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-+')
-+
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(ssh_t)
+- fs_manage_cifs_files(ssh_t)
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_dirs(ssh_t)
+ fs_manage_fusefs_files(ssh_t)
')
- tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +227,15 @@ tunable_policy(`user_tcp_server',`
+ # for port forwarding
+@@ -196,10 +218,15 @@ tunable_policy(`user_tcp_server',`
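Review bot: The `use_fusefs_home_dirs` block for ssh_t (`fs_manage_fusefs_dirs(ssh_t)`, `fs_manage_fusefs_files(ssh_t)`) is kept right after the new `userdom_home_manager(ssh_t)`. The same patch drops the fusefs blocks for iceauth_t, chroot_user_t and the ssh server template when it adds the macro there. One of the two treatments is wrong: either the macro already covers fusefs homes and this block is dead duplication, or it does not and those other domains lost fusefs access. The xauth_t hunk in xserver.te has the same leftover (`fs_manage_fusefs_files(xauth_t)` beside `userdom_home_manager(xauth_t)`). Once the macro definition, which is not visible here, has been checked, I would remove the explicit fusefs blocks or add a comment explaining why ssh_t and xauth_t still need them.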
')
optional_policy(`
@@ -60841,7 +60890,7 @@ index 2dad3c8..02e70c9 100644
##############################
#
# ssh_keysign_t local policy
-@@ -209,19 +245,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +236,14 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -60863,7 +60912,7 @@ index 2dad3c8..02e70c9 100644
#################################
#
# sshd local policy
-@@ -232,33 +263,44 @@ optional_policy(`
+@@ -232,33 +254,44 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -60917,7 +60966,7 @@ index 2dad3c8..02e70c9 100644
')
optional_policy(`
-@@ -266,11 +308,24 @@ optional_policy(`
+@@ -266,11 +299,24 @@ optional_policy(`
')
optional_policy(`
@@ -60943,7 +60992,7 @@ index 2dad3c8..02e70c9 100644
')
optional_policy(`
-@@ -284,6 +339,15 @@ optional_policy(`
+@@ -284,6 +330,15 @@ optional_policy(`
')
optional_policy(`
@@ -60959,7 +61008,7 @@ index 2dad3c8..02e70c9 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +356,26 @@ optional_policy(`
+@@ -292,26 +347,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -61005,7 +61054,7 @@ index 2dad3c8..02e70c9 100644
') dnl endif TODO
########################################
-@@ -322,19 +386,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +377,26 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -61033,7 +61082,7 @@ index 2dad3c8..02e70c9 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +422,91 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +413,84 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -61116,14 +61165,7 @@ index 2dad3c8..02e70c9 100644
+ fs_read_cifs_symlinks(chroot_user_t)
+')
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(chroot_user_t)
-+ fs_read_nfs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_read_fusefs_files(chroot_user_t)
-+')
++userdom_home_manager(chroot_user_t)
+
+optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
@@ -61205,7 +61247,7 @@ index 941380a..4afc698 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..5c32a99 100644
+index 8ffa257..eb8979d 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -61292,7 +61334,7 @@ index 8ffa257..5c32a99 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +106,28 @@ optional_policy(`
+@@ -87,4 +106,18 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -61301,23 +61343,13 @@ index 8ffa257..5c32a99 100644
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
-+')
+ ')
+
+optional_policy(`
+ ldap_stream_connect(sssd_t)
- ')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(sssd_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(sssd_t)
+')
+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_read_fusefs_files(sssd_t)
-+')
++userdom_home_reader(sssd_t)
+
+
+
@@ -63409,7 +63441,7 @@ index 7c5d8d8..3fd8f12 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..3619ec3 100644
+index 3eca020..30c47b0 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@@ -63853,16 +63885,22 @@ index 3eca020..3619ec3 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,16 +485,23 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dmidecode_domtrans(virtd_t)
+@@ -326,6 +482,14 @@ optional_policy(`
+ optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(virtd_t)
++ ')
+')
+
+optional_policy(`
- dnsmasq_domtrans(virtd_t)
- dnsmasq_signal(virtd_t)
++ dmidecode_domtrans(virtd_t)
+ ')
+
+ optional_policy(`
+@@ -334,11 +498,14 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
@@ -63877,7 +63915,7 @@ index 3eca020..3619ec3 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -360,11 +523,11 @@ optional_policy(`
+@@ -360,11 +527,11 @@ optional_policy(`
')
optional_policy(`
@@ -63894,7 +63932,7 @@ index 3eca020..3619ec3 100644
')
optional_policy(`
-@@ -394,20 +557,36 @@ optional_policy(`
+@@ -394,20 +561,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -63934,7 +63972,7 @@ index 3eca020..3619ec3 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +597,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +601,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -63947,7 +63985,7 @@ index 3eca020..3619ec3 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +609,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +613,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -63960,7 +63998,7 @@ index 3eca020..3619ec3 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +622,362 @@ files_search_all(virt_domain)
+@@ -440,25 +626,358 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -64187,10 +64225,6 @@ index 3eca020..3619ec3 100644
+
+sysnet_domtrans_ifconfig(virtd_lxc_t)
+
-+optional_policy(`
-+ execmem_exec(virtd_lxc_t)
-+')
-+
+#optional_policy(`
+# unconfined_shell_domtrans(virtd_lxc_t)
+# unconfined_signal(virtd_t)
@@ -65945,7 +65979,7 @@ index 130ced9..b6fb17a 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..743ea2b 100644
+index 143c893..ab908aa 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -66131,7 +66165,7 @@ index 143c893..743ea2b 100644
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,17 +279,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -66142,18 +66176,16 @@ index 143c893..743ea2b 100644
-userdom_use_user_terminals(iceauth_t)
+userdom_use_inherited_user_terminals(iceauth_t)
userdom_read_user_tmp_files(iceauth_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(iceauth_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(iceauth_t)
+userdom_read_all_users_state(iceauth_t)
++userdom_home_manager(iceauth_t)
+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_files(iceauth_t)
-+')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(iceauth_t)
-@@ -247,52 +299,113 @@ tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(iceauth_t)
- ')
-
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_read_urand(iceauth_t)
+ dev_dontaudit_rw_dri(iceauth_t)
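Review bot: `userdom_home_manager(iceauth_t)` replaces three tunable blocks that gave iceauth_t only `fs_manage_nfs_files`, `fs_manage_cifs_files` and `fs_manage_fusefs_files`, and the interface body is not part of this hunk, so it cannot be seen whether it grants the same file-only access. The xdm_t and xserver_t blocks removed further down managed dirs, files and symlinks, which suggests the shared interface carries the wider set; if so, iceauth_t gains directory and symlink management on network home directories that it did not have before. Please confirm the interface keeps the access conditional on the `use_*_home_dirs` booleans, and either narrow it for iceauth_t or note the widening in the changelog. The same substitution is made for xauth_t, xdm_t and xserver_t in later hunks of this file.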
@@ -66169,10 +66201,10 @@ index 143c893..743ea2b 100644
+ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
+ ')
-+')
-+
+ ')
+
########################################
- #
+@@ -252,45 +310,82 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -66236,6 +66268,8 @@ index 143c893..743ea2b 100644
xserver_rw_xdm_tmp_files(xauth_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files(xauth_t)
+ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+ fs_dontaudit_list_inotifyfs(xauth_t)
@@ -66243,21 +66277,16 @@ index 143c893..743ea2b 100644
+ userdom_manage_user_tmp_files(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
+ miscfiles_read_fonts(xauth_t)
-+')
-+
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(xauth_t)
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_manage_fusefs_files(xauth_t)
+')
+
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(xauth_t)
-+ fs_read_nfs_symlinks(xauth_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(xauth_t)
- ')
-
++userdom_home_manager(xauth_t)
++
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
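Review bot: The `use_fusefs_home_dirs` block with `fs_manage_fusefs_files(xauth_t)` is kept next to the new `userdom_home_manager(xauth_t)` call, while the iceauth_t and xserver_t sections drop their fusefs blocks in favour of the interface. If the interface already covers fusefs home directories (its definition is not in this hunk), the leftover block is redundant and should go; if it does not, the other two domains have lost fusefs access. This revision also drops `fs_read_nfs_symlinks(xauth_t)`, so it is worth confirming that the interface still lets xauth_t follow symlinks on NFS homes.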
@@ -66265,12 +66294,10 @@ index 143c893..743ea2b 100644
+
+optional_policy(`
+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
-+')
-+
+ ')
+
optional_policy(`
- ssh_sigchld(xauth_t)
- ssh_read_pipes(xauth_t)
-@@ -305,19 +418,40 @@ optional_policy(`
+@@ -305,19 +400,40 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
@@ -66314,7 +66341,7 @@ index 143c893..743ea2b 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +459,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +441,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -66384,7 +66411,7 @@ index 143c893..743ea2b 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +524,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +506,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -66412,7 +66439,7 @@ index 143c893..743ea2b 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +555,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +537,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -66466,7 +66493,7 @@ index 143c893..743ea2b 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +608,24 @@ files_list_mnt(xdm_t)
+@@ -435,9 +590,25 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -66476,6 +66503,7 @@ index 143c893..743ea2b 100644
+files_dontaudit_getattr_all_dirs(xdm_t)
+files_dontaudit_getattr_all_symlinks(xdm_t)
+files_dontaudit_getattr_all_tmp_sockets(xdm_t)
++files_dontaudit_all_access_check(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
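Review bot: The added `files_dontaudit_all_access_check(xdm_t)` grants nothing and only suppresses denial records, yet nothing beside it says which denial it is meant to hide. A dontaudit that spans all file types for the display manager removes AVC messages that someone investigating xdm_t behaviour would otherwise see, so it should carry a why-comment, for example `# <bug reference>: xdm probes files with access(); the denials are expected`. If the noise comes from a few specific paths, a narrower dontaudit on those types would keep the rest of the audit trail intact.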
@@ -66491,7 +66519,7 @@ index 143c893..743ea2b 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +634,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +617,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -66531,7 +66559,7 @@ index 143c893..743ea2b 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +673,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +656,48 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -66540,6 +66568,7 @@ index 143c893..743ea2b 100644
+userdom_manage_user_tmp_files(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
+userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_home_manager(xdm_t)
+
+application_signal(xdm_t)
@@ -66561,8 +66590,16 @@ index 143c893..743ea2b 100644
+')
tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +712,14 @@ tunable_policy(`use_samba_home_dirs',`
+- fs_manage_nfs_dirs(xdm_t)
+- fs_manage_nfs_files(xdm_t)
+- fs_manage_nfs_symlinks(xdm_t)
+ fs_exec_nfs_files(xdm_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xdm_t)
+- fs_manage_cifs_files(xdm_t)
+- fs_manage_cifs_symlinks(xdm_t)
fs_exec_cifs_files(xdm_t)
')
@@ -66577,7 +66614,7 @@ index 143c893..743ea2b 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +733,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +711,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -66599,7 +66636,7 @@ index 143c893..743ea2b 100644
')
optional_policy(`
-@@ -519,12 +755,63 @@ optional_policy(`
+@@ -519,12 +733,63 @@ optional_policy(`
')
optional_policy(`
@@ -66663,7 +66700,7 @@ index 143c893..743ea2b 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +829,69 @@ optional_policy(`
+@@ -542,28 +807,69 @@ optional_policy(`
')
optional_policy(`
@@ -66742,7 +66779,7 @@ index 143c893..743ea2b 100644
')
optional_policy(`
-@@ -575,6 +903,14 @@ optional_policy(`
+@@ -575,6 +881,14 @@ optional_policy(`
')
optional_policy(`
@@ -66757,7 +66794,7 @@ index 143c893..743ea2b 100644
xfs_stream_connect(xdm_t)
')
-@@ -600,6 +936,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -600,6 +914,7 @@ allow xserver_t input_xevent_t:x_event send;
# NVIDIA Needs execstack
allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
@@ -66765,7 +66802,7 @@ index 143c893..743ea2b 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +928,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -66781,7 +66818,7 @@ index 143c893..743ea2b 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +955,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -66803,7 +66840,7 @@ index 143c893..743ea2b 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +997,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +975,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -66811,7 +66848,7 @@ index 143c893..743ea2b 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +1024,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1002,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -66842,7 +66879,7 @@ index 143c893..743ea2b 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1056,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -66856,7 +66893,7 @@ index 143c893..743ea2b 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1075,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1053,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -66865,7 +66902,7 @@ index 143c893..743ea2b 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1082,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1060,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -66880,7 +66917,7 @@ index 143c893..743ea2b 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1141,40 @@ optional_policy(`
+@@ -778,16 +1119,40 @@ optional_policy(`
')
optional_policy(`
@@ -66922,7 +66959,7 @@ index 143c893..743ea2b 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1183,10 @@ optional_policy(`
+@@ -796,6 +1161,10 @@ optional_policy(`
')
optional_policy(`
@@ -66933,7 +66970,7 @@ index 143c893..743ea2b 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1202,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1180,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -66947,7 +66984,7 @@ index 143c893..743ea2b 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1213,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1191,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -66956,29 +66993,25 @@ index 143c893..743ea2b 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,6 +1226,9 @@ init_use_fds(xserver_t)
+@@ -835,26 +1204,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
+userdom_read_all_users_state(xserver_t)
-+
-+xserver_use_user_fonts(xserver_t)
++userdom_home_manager(xserver_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1236,11 @@ tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_symlinks(xserver_t)
- ')
-
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_manage_fusefs_dirs(xserver_t)
-+ fs_manage_fusefs_files(xserver_t)
-+')
-+
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(xserver_t)
- fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1249,14 @@ tunable_policy(`use_samba_home_dirs',`
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(xserver_t)
+- fs_manage_nfs_files(xserver_t)
+- fs_manage_nfs_symlinks(xserver_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xserver_t)
+- fs_manage_cifs_files(xserver_t)
+- fs_manage_cifs_symlinks(xserver_t)
+-')
++xserver_use_user_fonts(xserver_t)
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -66995,7 +67028,7 @@ index 143c893..743ea2b 100644
')
optional_policy(`
-@@ -862,6 +1264,10 @@ optional_policy(`
+@@ -862,6 +1226,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -67006,7 +67039,7 @@ index 143c893..743ea2b 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1311,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1273,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -67015,7 +67048,7 @@ index 143c893..743ea2b 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1365,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1327,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -67047,7 +67080,7 @@ index 143c893..743ea2b 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1411,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1373,31 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -67089,7 +67122,6 @@ index 143c893..743ea2b 100644
+
+optional_policy(`
+ unconfined_rw_shm(xserver_t)
-+ unconfined_execmem_rw_shm(xserver_t)
+
+ # xserver signals unconfined user on startx
+ unconfined_signal(xserver_t)
@@ -67517,22 +67549,23 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..02a592a 100644
+index 28ad538..bb64dec 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -5,7 +5,11 @@
+@@ -5,7 +5,12 @@
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-@@ -30,6 +34,7 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +35,7 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -67540,14 +67573,14 @@ index 28ad538..02a592a 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +50,4 @@ ifdef(`distro_gentoo', `
+@@ -45,5 +51,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..6355d14 100644
+index 73554ec..131195d 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -67964,7 +67997,7 @@ index 73554ec..6355d14 100644
##
##
##
-@@ -1575,87 +1795,149 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1795,150 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
##
##
@@ -68019,6 +68052,7 @@ index 73554ec..6355d14 100644
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
+ files_etc_filetrans($1, shadow_t, file, "shadow")
+ files_etc_filetrans($1, shadow_t, file, "shadow-")
@@ -68751,7 +68785,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..5a963ef 100644
+index 94fd8dd..2409206 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -69064,7 +69098,7 @@ index 94fd8dd..5a963ef 100644
+ type init_t;
+ ')
+
-+ dontaudit $1 init_t:unix_stream_socket { read write };
++ dontaudit $1 init_t:unix_stream_socket { getattr read write };
')
########################################
@@ -69681,7 +69715,7 @@ index 94fd8dd..5a963ef 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..75f6d6b 100644
+index 29a9565..5ee6a57 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -69875,7 +69909,7 @@ index 29a9565..75f6d6b 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +251,139 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +251,144 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -69885,6 +69919,11 @@ index 29a9565..75f6d6b 100644
+ modutils_domtrans_insmod(init_t)
+')
+
++optional_policy(`
++ postfix_exec(init_t)
++ mta_read_aliases(init_t)
++')
++
+tunable_policy(`init_systemd',`
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate setrlimit };
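Review bot: The new `postfix_exec(init_t)` and `mta_read_aliases(init_t)` block sits outside the `init_systemd` tunable block that follows it and has no comment, so it applies to init_t in every configuration. By refpolicy naming convention an `_exec` interface lets the caller run the program in its own domain rather than transition, which would mean postfix code running as init_t; the interface body is not in this hunk, so that needs confirming. If the aim is for init to start a postfix helper, a domain-transition interface, or at least placing the block under the systemd tunable, would keep PID 1's domain smaller. Either way, add a one-line comment naming the program and the reason.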
@@ -69987,16 +70026,16 @@ index 29a9565..75f6d6b 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
-+optional_policy(`
-+ lvm_rw_pipes(init_t)
-+')
-+
optional_policy(`
- auth_rw_login_records(init_t)
-+ consolekit_manage_log(init_t)
++ lvm_rw_pipes(init_t)
')
optional_policy(`
++ consolekit_manage_log(init_t)
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -70017,7 +70056,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -203,6 +391,17 @@ optional_policy(`
+@@ -203,6 +396,17 @@ optional_policy(`
')
optional_policy(`
@@ -70035,7 +70074,7 @@ index 29a9565..75f6d6b 100644
unconfined_domain(init_t)
')
-@@ -212,7 +411,8 @@ optional_policy(`
+@@ -212,7 +416,8 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -70045,7 +70084,7 @@ index 29a9565..75f6d6b 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +441,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +446,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -70061,7 +70100,7 @@ index 29a9565..75f6d6b 100644
init_write_initctl(initrc_t)
-@@ -258,20 +461,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +466,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -70098,7 +70137,7 @@ index 29a9565..75f6d6b 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +494,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +499,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -70106,7 +70145,7 @@ index 29a9565..75f6d6b 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +505,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +510,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -70117,7 +70156,7 @@ index 29a9565..75f6d6b 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +516,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +521,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -70133,7 +70172,7 @@ index 29a9565..75f6d6b 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +534,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +539,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -70141,7 +70180,7 @@ index 29a9565..75f6d6b 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +542,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +547,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -70153,7 +70192,7 @@ index 29a9565..75f6d6b 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +561,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +566,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -70167,7 +70206,7 @@ index 29a9565..75f6d6b 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,8 +576,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,8 +581,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -70180,7 +70219,7 @@ index 29a9565..75f6d6b 100644
mcs_ptrace_all(initrc_t)
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -363,6 +592,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +597,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -70188,7 +70227,7 @@ index 29a9565..75f6d6b 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +604,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +609,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -70196,7 +70235,7 @@ index 29a9565..75f6d6b 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +625,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +630,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -70218,7 +70257,7 @@ index 29a9565..75f6d6b 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +688,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +693,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -70229,7 +70268,7 @@ index 29a9565..75f6d6b 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +712,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +717,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -70238,7 +70277,7 @@ index 29a9565..75f6d6b 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +727,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +732,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -70246,7 +70285,7 @@ index 29a9565..75f6d6b 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +757,34 @@ ifdef(`distro_redhat',`
+@@ -522,8 +762,34 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -70281,7 +70320,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -531,10 +792,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +797,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -70304,7 +70343,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -549,6 +822,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +827,39 @@ ifdef(`distro_suse',`
')
')
@@ -70344,7 +70383,7 @@ index 29a9565..75f6d6b 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +867,8 @@ optional_policy(`
+@@ -561,6 +872,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -70353,7 +70392,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -577,6 +885,7 @@ optional_policy(`
+@@ -577,6 +890,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -70361,7 +70400,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -589,6 +898,17 @@ optional_policy(`
+@@ -589,6 +903,17 @@ optional_policy(`
')
optional_policy(`
@@ -70379,7 +70418,7 @@ index 29a9565..75f6d6b 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +925,13 @@ optional_policy(`
+@@ -605,9 +930,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -70393,7 +70432,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -632,6 +956,10 @@ optional_policy(`
+@@ -632,6 +961,10 @@ optional_policy(`
')
optional_policy(`
@@ -70404,7 +70443,7 @@ index 29a9565..75f6d6b 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +977,11 @@ optional_policy(`
+@@ -649,6 +982,11 @@ optional_policy(`
')
optional_policy(`
@@ -70416,7 +70455,7 @@ index 29a9565..75f6d6b 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1022,7 @@ optional_policy(`
+@@ -689,6 +1027,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -70424,7 +70463,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -706,7 +1040,13 @@ optional_policy(`
+@@ -706,7 +1045,13 @@ optional_policy(`
')
optional_policy(`
@@ -70438,7 +70477,7 @@ index 29a9565..75f6d6b 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1069,10 @@ optional_policy(`
+@@ -729,6 +1074,10 @@ optional_policy(`
')
optional_policy(`
@@ -70449,7 +70488,7 @@ index 29a9565..75f6d6b 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1082,20 @@ optional_policy(`
+@@ -738,10 +1087,20 @@ optional_policy(`
')
optional_policy(`
@@ -70470,7 +70509,7 @@ index 29a9565..75f6d6b 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1104,10 @@ optional_policy(`
+@@ -750,6 +1109,10 @@ optional_policy(`
')
optional_policy(`
@@ -70481,7 +70520,7 @@ index 29a9565..75f6d6b 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1129,6 @@ optional_policy(`
+@@ -771,8 +1134,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -70490,7 +70529,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -790,10 +1146,12 @@ optional_policy(`
+@@ -790,10 +1151,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -70503,7 +70542,7 @@ index 29a9565..75f6d6b 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1163,6 @@ optional_policy(`
+@@ -805,7 +1168,6 @@ optional_policy(`
')
optional_policy(`
@@ -70511,7 +70550,7 @@ index 29a9565..75f6d6b 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1172,26 @@ optional_policy(`
+@@ -815,11 +1177,26 @@ optional_policy(`
')
optional_policy(`
@@ -70539,7 +70578,7 @@ index 29a9565..75f6d6b 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1201,25 @@ optional_policy(`
+@@ -829,6 +1206,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -70548,13 +70587,6 @@ index 29a9565..75f6d6b 100644
+ rpm_transition_script(initrc_t)
+
+ optional_policy(`
-+ gen_require(`
-+ type unconfined_execmem_t, execmem_exec_t;
-+ ')
-+ init_system_domain(unconfined_execmem_t, execmem_exec_t)
-+ ')
-+
-+ optional_policy(`
+ rtkit_scheduled(initrc_t)
+ ')
+')
@@ -70565,7 +70597,7 @@ index 29a9565..75f6d6b 100644
')
optional_policy(`
-@@ -844,6 +1235,10 @@ optional_policy(`
+@@ -844,6 +1233,10 @@ optional_policy(`
')
optional_policy(`
@@ -70576,7 +70608,7 @@ index 29a9565..75f6d6b 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1249,160 @@ optional_policy(`
+@@ -854,3 +1247,160 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -71175,10 +71207,20 @@ index ddbd8be..65b5762 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..4986f1b 100644
+index 560dc48..ffb8797 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
-@@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
+@@ -28,7 +28,9 @@ ifdef(`distro_redhat',`
+ # /etc
+ #
+ /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+ /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0)
+
+ /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+@@ -37,17 +39,12 @@ ifdef(`distro_redhat',`
#
/lib -d gen_context(system_u:object_r:lib_t,s0)
/lib/.* gen_context(system_u:object_r:lib_t,s0)
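Review bot: The two added entries `/etc/ld\.so\.cache~` and `/etc/ld\.so\.preload~` have no comment saying which tool creates the `~` files, which matters because `ld.so.preload` controls what every dynamically linked process loads. A short comment above them, such as `# temporary copies written before being renamed into place (assumed; confirm the writer)`, would tell the next maintainer why these paths share `ld_so_cache_t` with the real files. It is also worth checking that the domains allowed to create these names get a matching file transition, since the file-context entry alone only takes effect on relabel.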
@@ -71196,7 +71238,7 @@ index 560dc48..4986f1b 100644
')
ifdef(`distro_gentoo',`
-@@ -62,7 +57,6 @@ ifdef(`distro_gentoo',`
+@@ -62,7 +59,6 @@ ifdef(`distro_gentoo',`
#
/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -71204,7 +71246,7 @@ index 560dc48..4986f1b 100644
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -119,64 +113,62 @@ ifdef(`distro_redhat',`
+@@ -119,64 +115,62 @@ ifdef(`distro_redhat',`
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -71303,7 +71345,7 @@ index 560dc48..4986f1b 100644
')
ifdef(`distro_gentoo',`
-@@ -195,7 +187,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +189,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -71311,7 +71353,7 @@ index 560dc48..4986f1b 100644
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +194,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +196,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -71456,7 +71498,7 @@ index 560dc48..4986f1b 100644
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +295,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -303,8 +297,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -71466,7 +71508,7 @@ index 560dc48..4986f1b 100644
') dnl end distro_redhat
#
-@@ -312,17 +303,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -312,17 +305,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -71628,7 +71670,7 @@ index 560dc48..4986f1b 100644
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..eb621fd 100644
+index 808ba93..4ff705d 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -207,6 +207,23 @@ interface(`libs_search_lib',`
@@ -71711,7 +71753,7 @@ index 808ba93..eb621fd 100644
')
########################################
-@@ -534,3 +533,22 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +533,24 @@ interface(`lib_filetrans_shared_lib',`
interface(`files_lib_filetrans_shared_lib',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -71732,7 +71774,9 @@ index 808ba93..eb621fd 100644
+ ')
+
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index e5836d3..eae9427 100644
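Review bot: The added named transitions for `ld.so.cache~` and `ld.so.preload~` repeat by hand the `~` entries that the same commit adds to libraries.fc, and nothing ties the two lists together. A name missing from either list would leave a backup copy of the preload list with whatever label files in /etc get by default instead of `ld_so_cache_t`. A one-line comment above the four calls would help, for example `# keep in sync with the /etc/ld.so.* entries in libraries.fc, including the ~ backup names`. The enclosing interface begins outside this hunk.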
@@ -71881,7 +71925,7 @@ index 0e3c2a9..40adf5a 100644
+')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..37a5bb4 100644
+index a0b379d..2291a13 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -17,6 +17,9 @@ type local_login_tmp_t;
@@ -71935,20 +71979,27 @@ index a0b379d..37a5bb4 100644
miscfiles_read_localization(local_login_t)
-@@ -156,6 +164,12 @@ tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_symlinks(local_login_t)
+@@ -146,14 +154,12 @@ tunable_policy(`console_login',`
+ term_relabel_console(local_login_t)
')
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(local_login_t)
+- fs_read_nfs_symlinks(local_login_t)
+-')
++userdom_home_reader(local_login_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(local_login_t)
+- fs_read_cifs_symlinks(local_login_t)
+tunable_policy(`allow_console_login',`
+ term_use_console(local_login_t)
+ term_relabel_console(local_login_t)
+ term_setattr_console(local_login_t)
-+')
-+
- optional_policy(`
- alsa_domtrans(local_login_t)
')
-@@ -177,14 +191,6 @@ optional_policy(`
+
+ optional_policy(`
+@@ -177,14 +183,6 @@ optional_policy(`
')
optional_policy(`
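Review bot: `userdom_home_reader(local_login_t)` replaces two tunable blocks that granted only file and symlink reads on NFS and CIFS, and its definition is not visible here. It cannot be confirmed from this hunk that the new grant is no wider, or that it is still conditional on `use_nfs_home_dirs` and `use_samba_home_dirs`. The same substitution is made for `depmod_t` in modutils.te and for `semanage_t` in selinuxutil.te, where the removed rules covered files only. Compare the interface body with the removed rules for all three domains. Once confirmed, record the intent above each call, for example `# NFS/CIFS home directory reads, conditional on the home-dir tunables`.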
@@ -71963,7 +72014,7 @@ index a0b379d..37a5bb4 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +221,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +213,7 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -71971,7 +72022,7 @@ index a0b379d..37a5bb4 100644
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +230,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +222,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -71989,7 +72040,7 @@ index a0b379d..37a5bb4 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +249,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +241,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -72016,7 +72067,7 @@ index a0b379d..37a5bb4 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +277,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -73080,7 +73131,7 @@ index 9c0faab..91360ac 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..2273e1a 100644
+index a0eef20..6b39756 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,9 +1,5 @@
@@ -73133,7 +73184,7 @@ index a0eef20..2273e1a 100644
fs_getattr_xattr_fs(depmod_t)
-@@ -70,10 +73,11 @@ init_use_fds(depmod_t)
+@@ -70,10 +73,12 @@ init_use_fds(depmod_t)
init_use_script_fds(depmod_t)
init_use_script_ptys(depmod_t)
@@ -73143,19 +73194,26 @@ index a0eef20..2273e1a 100644
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
+userdom_manage_user_tmp_files(depmod_t)
++userdom_home_reader(depmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -90,12 +94,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -81,12 +86,8 @@ ifdef(`distro_ubuntu',`
+ ')
')
- optional_policy(`
-+ bootloader_rw_tmp_files(insmod_t)
-+')
-+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(depmod_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(depmod_t)
+optional_policy(`
- rpm_rw_pipes(depmod_t)
- rpm_manage_script_tmp_files(depmod_t)
++ bootloader_rw_tmp_files(insmod_t)
+ ')
+
+ optional_policy(`
+@@ -95,7 +96,6 @@ optional_policy(`
')
optional_policy(`
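Review bot: The `optional_policy` block granting `bootloader_rw_tmp_files(insmod_t)` sits among the `depmod_t` rules, ahead of the `# insmod local policy` header further down the file. Anyone auditing what `insmod_t` may access can miss it there. If `insmod_t` is the intended subject, move the block into the insmod section; if `depmod_t` was meant, the argument should be changed. The depmod section itself starts and ends outside this hunk.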
@@ -73163,7 +73221,7 @@ index a0eef20..2273e1a 100644
unconfined_domain(depmod_t)
')
-@@ -104,11 +111,12 @@ optional_policy(`
+@@ -104,11 +104,12 @@ optional_policy(`
# insmod local policy
#
@@ -73177,7 +73235,7 @@ index a0eef20..2273e1a 100644
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -118,6 +119,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t)
@@ -73187,7 +73245,7 @@ index a0eef20..2273e1a 100644
kernel_load_module(insmod_t)
kernel_request_load_module(insmod_t)
kernel_read_system_state(insmod_t)
-@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t)
+@@ -126,6 +130,7 @@ kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
@@ -73195,7 +73253,7 @@ index a0eef20..2273e1a 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t)
+@@ -143,6 +148,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -73203,7 +73261,7 @@ index a0eef20..2273e1a 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +167,18 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -73222,7 +73280,7 @@ index a0eef20..2273e1a 100644
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,41 +194,38 @@ miscfiles_read_localization(insmod_t)
+@@ -174,41 +187,38 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
@@ -73273,7 +73331,7 @@ index a0eef20..2273e1a 100644
')
optional_policy(`
-@@ -236,6 +253,10 @@ optional_policy(`
+@@ -236,6 +246,10 @@ optional_policy(`
')
optional_policy(`
@@ -73284,7 +73342,7 @@ index a0eef20..2273e1a 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -296,7 +317,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +310,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
@@ -74574,7 +74632,7 @@ index 170e2c7..b85fc73 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..3ee9ea8 100644
+index 7ed9819..ac8b214 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -74837,7 +74895,7 @@ index 7ed9819..3ee9ea8 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,61 +470,22 @@ optional_policy(`
+@@ -420,67 +470,29 @@ optional_policy(`
# semodule local policy
#
@@ -74845,13 +74903,9 @@ index 7ed9819..3ee9ea8 100644
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
-
+-
-allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
+-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -74864,12 +74918,16 @@ index 7ed9819..3ee9ea8 100644
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-mls_file_write_all_levels(semanage_t)
-mls_file_read_all_levels(semanage_t)
-
@@ -74884,15 +74942,15 @@ index 7ed9819..3ee9ea8 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
+-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -74907,22 +74965,14 @@ index 7ed9819..3ee9ea8 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -482,6 +493,14 @@ seutil_manage_default_contexts(semanage_t)
+ # Handle pp files created in homedir and /tmp
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
++userdom_home_reader(semanage_t)
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(semanage_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(semanage_t)
-+')
-+
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
- files_read_var_lib_symlinks(semanage_t)
-@@ -493,112 +512,60 @@ ifdef(`distro_ubuntu',`
+@@ -493,112 +505,60 @@ ifdef(`distro_ubuntu',`
')
')
@@ -74981,20 +75031,20 @@ index 7ed9819..3ee9ea8 100644
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
+-
-term_use_all_ttys(setfiles_t)
-term_use_all_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
++init_dontaudit_use_fds(setsebool_t)
+
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
--
-init_use_fds(setfiles_t)
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
@@ -77813,10 +77863,10 @@ index eae5001..71e46b2 100644
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..494ec08 100644
+index db75976..ce61aed 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,19 @@
+@@ -1,4 +1,20 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -77832,13 +77882,14 @@ index db75976..494ec08 100644
+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs/.* <>
+HOME_DIR/\.debug(/.*)? <>
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..31047e8 100644
+index 4b2878a..0b3811d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
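Review bot: The new `home_cert_t` entry leaves the dot in `.kde` unescaped, while the neighbouring `\.cert` and `\.pki` entries escape theirs. In a file-context regex a bare dot matches any character, so the pattern would give the certificate label to paths other than the KDE directory. Write it as `HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)?` to match the surrounding entries.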
@@ -78838,7 +78889,7 @@ index 4b2878a..31047e8 100644
##############################
#
# Local policy
-@@ -874,45 +1059,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1059,114 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -78938,10 +78989,6 @@ index 4b2878a..31047e8 100644
optional_policy(`
- java_role($1_r, $1_t)
-+ openoffice_role_template($1, $1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ policykit_role($1_r, $1_usertype)
+ ')
+
@@ -78968,7 +79015,7 @@ index 4b2878a..31047e8 100644
')
')
-@@ -947,7 +1205,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1201,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -78977,7 +79024,7 @@ index 4b2878a..31047e8 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1214,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1210,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -78995,7 +79042,7 @@ index 4b2878a..31047e8 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1239,64 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1235,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -79049,27 +79096,23 @@ index 4b2878a..31047e8 100644
+ ')
+
+ optional_policy(`
-+ mono_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1297,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -79080,7 +79123,7 @@ index 4b2878a..31047e8 100644
')
')
-@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1335,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -79089,7 +79132,7 @@ index 4b2878a..31047e8 100644
')
##############################
-@@ -1065,7 +1369,11 @@ template(`userdom_admin_user_template',`
+@@ -1065,7 +1361,11 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -79102,7 +79145,7 @@ index 4b2878a..31047e8 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -79112,7 +79155,7 @@ index 4b2878a..31047e8 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -79120,7 +79163,7 @@ index 4b2878a..31047e8 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -79134,7 +79177,7 @@ index 4b2878a..31047e8 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1426,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -79177,7 +79220,7 @@ index 4b2878a..31047e8 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -79186,7 +79229,7 @@ index 4b2878a..31047e8 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -79195,7 +79238,7 @@ index 4b2878a..31047e8 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1542,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -79206,7 +79249,7 @@ index 4b2878a..31047e8 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -79235,7 +79278,7 @@ index 4b2878a..31047e8 100644
')
optional_policy(`
-@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -79251,7 +79294,7 @@ index 4b2878a..31047e8 100644
')
optional_policy(`
-@@ -1279,54 +1619,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1611,60 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -79260,133 +79303,59 @@ index 4b2878a..31047e8 100644
allow $1 user_home_t:filesystem associate;
files_type($1)
-- files_poly_member($1)
- ubac_constrained($1)
-+
-+ files_poly_member($1)
-+ typeattribute $1 user_home_type;
- ')
-
- ########################################
- ##
--## Allow domain to attach to TUN devices created by administrative users.
-+## Make the specified type usable in a
-+## generic temporary directory.
- ##
--##
-+##
- ##
--## Domain allowed access.
-+## Type to be used as a file in the
-+## generic temporary directory.
- ##
- ##
- #
--interface(`userdom_attach_admin_tun_iface',`
-+interface(`userdom_user_tmp_content',`
- gen_require(`
-- attribute admindomain;
-+ attribute user_tmp_type;
- ')
-
-- allow $1 admindomain:tun_socket relabelfrom;
-- allow $1 self:tun_socket relabelto;
-+ typeattribute $1 user_tmp_type;
-+
-+ files_tmp_file($1)
+ ubac_constrained($1)
- ')
-
- ########################################
- ##
--## Set the attributes of a user pty.
-+## Make the specified type usable in a
-+## generic tmpfs_t directory.
- ##
--##
-+##
- ##
--## Domain allowed access.
-+## Type to be used as a file in the
-+## generic temporary directory.
- ##
- ##
- #
--interface(`userdom_setattr_user_ptys',`
-+interface(`userdom_user_tmpfs_content',`
- gen_require(`
-- type user_devpts_t;
-+ attribute user_tmpfs_type;
- ')
-
-- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
-+ typeattribute $1 user_tmpfs_type;
+
-+ files_tmpfs_file($1)
-+ ubac_constrained($1)
- ')
-
- ########################################
- ##
--## Create a user pty.
-+## Allow domain to attach to TUN devices created by administrative users.
- ##
- ##
- ##
-@@ -1334,12 +1686,49 @@ interface(`userdom_setattr_user_ptys',`
- ##
- ##
- #
--interface(`userdom_create_user_pty',`
-+interface(`userdom_attach_admin_tun_iface',`
- gen_require(`
-- type user_devpts_t;
-+ attribute admindomain;
- ')
-
-- term_create_pty($1, user_devpts_t)
-+ allow $1 admindomain:tun_socket relabelfrom;
-+ allow $1 self:tun_socket relabelto;
+ files_poly_member($1)
++ typeattribute $1 user_home_type;
+')
+
+########################################
+##
-+## Set the attributes of a user pty.
++## Make the specified type usable in a
++## generic temporary directory.
+##
-+##
++##
+##
-+## Domain allowed access.
++## Type to be used as a file in the
++## generic temporary directory.
+##
+##
+#
-+interface(`userdom_setattr_user_ptys',`
++interface(`userdom_user_tmp_content',`
+ gen_require(`
-+ type user_devpts_t;
++ attribute user_tmp_type;
+ ')
+
-+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++ typeattribute $1 user_tmp_type;
++
++ files_tmp_file($1)
++ ubac_constrained($1)
+')
+
+########################################
+##
-+## Create a user pty.
++## Make the specified type usable in a
++## generic tmpfs_t directory.
+##
-+##
++##
+##
-+## Domain allowed access.
++## Type to be used as a file in the
++## generic temporary directory.
+##
+##
+#
-+interface(`userdom_create_user_pty',`
++interface(`userdom_user_tmpfs_content',`
+ gen_require(`
-+ type user_devpts_t;
++ attribute user_tmpfs_type;
+ ')
+
-+ term_create_pty($1, user_devpts_t)
++ typeattribute $1 user_tmpfs_type;
++
++ files_tmpfs_file($1)
+ ubac_constrained($1)
')
- ########################################
-@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
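Review bot: The parameter description of `userdom_user_tmpfs_content` reads "Type to be used as a file in the generic temporary directory", which looks copied from `userdom_user_tmp_content`. The interface itself assigns `user_tmpfs_type` and calls `files_tmpfs_file($1)`, so the text should read `## Type to be used as a file in a generic tmpfs directory.` The summary of `userdom_user_home_content` could also note that the interface now adds the `user_home_type` attribute, since other interfaces in this file grant access through that attribute.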
@@ -79394,11 +79363,15 @@ index 4b2878a..31047e8 100644
files_search_home($1)
')
-@@ -1441,6 +1831,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,11 +1823,19 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
-+
+-')
+
+-########################################
+-##
+-## Do not audit attempts to list user home subdirectories.
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ ')
@@ -79406,10 +79379,15 @@ index 4b2878a..31047e8 100644
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
- ')
-
- ########################################
-@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
++')
++
++########################################
++##
++## Do not audit attempts to list user home subdirectories.
+ ##
+ ##
+ ##
+@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -79421,7 +79399,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -79464,7 +79442,7 @@ index 4b2878a..31047e8 100644
########################################
##
## Create directories in the home dir root with
-@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -79473,7 +79451,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -79488,7 +79466,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -79532,7 +79510,7 @@ index 4b2878a..31047e8 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -79558,7 +79536,7 @@ index 4b2878a..31047e8 100644
## Mmap user home files.
##
##
-@@ -1700,12 +2196,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -79591,7 +79569,7 @@ index 4b2878a..31047e8 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2232,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -79609,7 +79587,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -1779,6 +2298,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -79670,7 +79648,7 @@ index 4b2878a..31047e8 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2383,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -79680,7 +79658,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -1827,20 +2399,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2391,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -79694,18 +79672,19 @@ index 4b2878a..31047e8 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
##
-@@ -1941,6 +2507,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ## Do not audit attempts to execute user home files.
+@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
##
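Review bot: `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)` grants execute on every type carrying the `user_home_type` attribute, and `userdom_user_home_content` in this same file attaches that attribute to any type passed to it. Callers of `userdom_exec_user_home_content_files` would therefore gain execute on home content types declared for data as well as on generic home files. If only generic home content is meant to be executable, target the type instead of the attribute: `exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)`. Otherwise, say in the interface summary that the grant covers all `user_home_type` types. The `gen_require` block is outside this hunk and would need to match.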
@@ -79730,7 +79709,7 @@ index 4b2878a..31047e8 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
-@@ -2008,7 +2592,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -79739,7 +79718,7 @@ index 4b2878a..31047e8 100644
files_search_home($1)
')
-@@ -2039,7 +2623,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2615,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -79748,7 +79727,7 @@ index 4b2878a..31047e8 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2182,7 +2766,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -79757,7 +79736,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -2390,7 +2974,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2966,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -79766,7 +79745,7 @@ index 4b2878a..31047e8 100644
files_search_tmp($1)
')
-@@ -2419,6 +3003,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +2995,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -79792,7 +79771,7 @@ index 4b2878a..31047e8 100644
########################################
##
## Read user tmpfs files.
-@@ -2435,13 +3038,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3030,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -79808,7 +79787,7 @@ index 4b2878a..31047e8 100644
##
##
##
-@@ -2462,7 +3066,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3058,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -79817,7 +79796,7 @@ index 4b2878a..31047e8 100644
##
##
##
-@@ -2470,14 +3074,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3066,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -79852,71 +79831,36 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -2572,7 +3192,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3184,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
--## Read and write a user domain pty.
+## Read and write a inherited user domain tty.
- ##
- ##
- ##
-@@ -2580,48 +3200,97 @@ interface(`userdom_use_user_ttys',`
- ##
- ##
- #
--interface(`userdom_use_user_ptys',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_use_inherited_user_ttys',`
- gen_require(`
-- type user_devpts_t;
++ gen_require(`
+ type user_tty_device_t;
- ')
-
-- allow $1 user_devpts_t:chr_file rw_term_perms;
++ ')
++
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
- ')
-
- ########################################
- ##
--## Read and write a user TTYs and PTYs.
-+## Read and write a user domain pty.
- ##
--##
--##
--## Allow the specified domain to read and write user
--## TTYs and PTYs. This will allow the domain to
--## interact with the user via the terminal. Typically
--## all interactive applications will require this
--## access.
--##
--##
--## However, this also allows the applications to spy
--## on user sessions or inject information into the
--## user session. Thus, this access should likely
--## not be allowed for non-interactive domains.
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_user_ptys',`
- gen_require(`
-- type user_tty_device_t, user_devpts_t;
-+ type user_devpts_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file rw_term_perms;
- allow $1 user_devpts_t:chr_file rw_term_perms;
-- term_list_ptys($1)
+')
+
+########################################
+##
+ ## Read and write a user domain pty.
+ ##
+ ##
+@@ -2590,22 +3220,34 @@ interface(`userdom_use_user_ptys',`
+
+ ########################################
+ ##
+-## Read and write a user TTYs and PTYs.
+## Read and write a inherited user domain pty.
+##
+##
@@ -79936,28 +79880,38 @@ index 4b2878a..31047e8 100644
+########################################
+##
+## Read and write a inherited user TTYs and PTYs.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Allow the specified domain to read and write user
+## Allow the specified domain to read and write inherited user
-+## TTYs and PTYs. This will allow the domain to
-+## interact with the user via the terminal. Typically
-+## all interactive applications will require this
-+## access.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
+ ## TTYs and PTYs. This will allow the domain to
+ ## interact with the user via the terminal. Typically
+ ## all interactive applications will require this
+ ## access.
+ ##
+-##
+-## However, this also allows the applications to spy
+-## on user sessions or inject information into the
+-## user session. Thus, this access should likely
+-## not be allowed for non-interactive domains.
+-##
+ ##
+ ##
+ ##
+@@ -2614,14 +3256,33 @@ interface(`userdom_use_user_ptys',`
+ ##
+ ##
+ #
+-interface(`userdom_use_user_terminals',`
+interface(`userdom_use_inherited_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+- allow $1 user_tty_device_t:chr_file rw_term_perms;
+- allow $1 user_devpts_t:chr_file rw_term_perms;
+- term_list_ptys($1)
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
@@ -79983,7 +79937,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -2640,8 +3309,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,36 +3301,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -79991,105 +79945,193 @@ index 4b2878a..31047e8 100644
- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
+ ')
+
+
-+########################################
-+##
+ ########################################
+ ##
+-## Execute a shell in all user domains. This
+-## is an explicit transition, requiring the
+-## caller to use setexeccon().
+## Get attributes of user domain tty and pty.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`userdom_spec_domtrans_all_users',`
+interface(`userdom_getattr_user_terminals',`
-+ gen_require(`
+ gen_require(`
+- attribute userdomain;
+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
+ ')
+
+- corecmd_shell_spec_domtrans($1, userdomain)
+- allow userdomain $1:fd use;
+- allow userdomain $1:fifo_file rw_file_perms;
+- allow userdomain $1:process sigchld;
+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
')
########################################
-@@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- allow unpriv_userdomain $1:process sigchld;
+ ##
+-## Execute an Xserver session in all unprivileged user domains. This
++## Execute a shell in all user domains. This
+ ## is an explicit transition, requiring the
+ ## caller to use setexeccon().
+ ##
+@@ -2679,12 +3336,12 @@ interface(`userdom_spec_domtrans_all_users',`
+ ##
+ ##
+ #
+-interface(`userdom_xsession_spec_domtrans_all_users',`
++interface(`userdom_spec_domtrans_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+- xserver_xsession_spec_domtrans($1, userdomain)
++ corecmd_shell_spec_domtrans($1, userdomain)
+ allow userdomain $1:fd use;
+ allow userdomain $1:fifo_file rw_file_perms;
+ allow userdomain $1:process sigchld;
+@@ -2692,7 +3349,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+
+ ########################################
+ ##
+-## Execute a shell in all unprivileged user domains. This
++## Execute an Xserver session in all unprivileged user domains. This
+ ## is an explicit transition, requiring the
+ ## caller to use setexeccon().
+ ##
+@@ -2702,20 +3359,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+ ##
+ ##
+ #
+-interface(`userdom_spec_domtrans_unpriv_users',`
++interface(`userdom_xsession_spec_domtrans_all_users',`
+ gen_require(`
+- attribute unpriv_userdomain;
++ attribute userdomain;
+ ')
+
+- corecmd_shell_spec_domtrans($1, unpriv_userdomain)
+- allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+- allow unpriv_userdomain $1:process sigchld;
++ xserver_xsession_spec_domtrans($1, userdomain)
++ allow userdomain $1:fd use;
++ allow userdomain $1:fifo_file rw_file_perms;
++ allow userdomain $1:process sigchld;
')
-+#####################################
-+##
-+## Allow domain dyntrans to unpriv userdomain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dyntransition_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:process dyntransition;
-+')
-+
########################################
##
- ## Execute an Xserver session in all unprivileged user domains. This
-@@ -2736,24 +3442,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+-## Execute an Xserver session in all unprivileged user domains. This
++## Execute a shell in all unprivileged user domains. This
+ ## is an explicit transition, requiring the
+ ## caller to use setexeccon().
+ ##
+@@ -2725,57 +3382,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ ##
+ ##
+ #
+-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
++interface(`userdom_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++ corecmd_shell_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
')
-#######################################
--##
++#####################################
+ ##
-## Read and write unpriviledged user SysV sempaphores.
--##
--##
++## Allow domain dyntrans to unpriv userdomain.
+ ##
+ ##
-##
-## Domain allowed access.
-##
--##
--#
++##
++## Domain allowed access.
++##
+ ##
+ #
-interface(`userdom_rw_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
--
++interface(`userdom_dyntransition_unpriv_users',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
+
- allow $1 unpriv_userdomain:sem rw_sem_perms;
--')
--
++ allow $1 unpriv_userdomain:process dyntransition;
+ ')
+
########################################
##
- ## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3460,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- allow $1 unpriv_userdomain:sem create_sem_perms;
+-## Manage unpriviledged user SysV sempaphores.
++## Execute an Xserver session in all unprivileged user domains. This
++## is an explicit transition, requiring the
++## caller to use setexeccon().
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`userdom_manage_unpriv_user_semaphores',`
++interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- allow $1 unpriv_userdomain:sem create_sem_perms;
++ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++ allow unpriv_userdomain $1:fd use;
++ allow unpriv_userdomain $1:fifo_file rw_file_perms;
++ allow unpriv_userdomain $1:process sigchld;
')
-#######################################
--##
++########################################
+ ##
-## Read and write unpriviledged user SysV shared
-## memory segments.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Manage unpriviledged user SysV sempaphores.
+ ##
+ ##
+ ##
+@@ -2783,12 +3444,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+ ##
+ ##
+ #
-interface(`userdom_rw_unpriv_user_shared_mem',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
--
++interface(`userdom_manage_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
- allow $1 unpriv_userdomain:shm rw_shm_perms;
--')
--
++ allow $1 unpriv_userdomain:sem create_sem_perms;
+ ')
+
########################################
- ##
- ## Manage unpriviledged user SysV shared
-@@ -2852,7 +3521,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3513,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -80098,7 +80140,7 @@ index 4b2878a..31047e8 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3537,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3529,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -80132,7 +80174,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -2972,7 +3625,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3617,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -80141,7 +80183,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -3027,7 +3680,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3672,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -80188,7 +80230,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -3045,7 +3736,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3728,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -80197,7 +80239,7 @@ index 4b2878a..31047e8 100644
')
########################################
-@@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3747,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -80205,7 +80247,7 @@ index 4b2878a..31047e8 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3834,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3826,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -80230,7 +80272,7 @@ index 4b2878a..31047e8 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3160,6 +3870,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3862,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -80255,7 +80297,7 @@ index 4b2878a..31047e8 100644
## Create keys for all user domains.
##
##
-@@ -3194,3 +3922,1146 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3914,1186 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -81397,13 +81439,53 @@ index 4b2878a..31047e8 100644
+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
++ gnome_config_filetrans($1, home_cert_t, dir, "certificates")
+
+ #optional_policy(`
+ # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
+ #')
+')
++
++########################################
++##
++## Make the specified type able to read content in user home dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_home_reader',`
++ gen_require(`
++ attribute userdom_home_reader_type;
++ ')
++
++ typeattribute $1 userdom_home_reader_type;
++')
++
++
++########################################
++##
++## Make the specified type able to manage content in user home dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_home_manager',`
++ gen_require(`
++ attribute userdom_home_manager_type;
++ ')
++
++ typeattribute $1 userdom_home_manager_type;
++')
++
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..d6c3860 100644
+index 9b4a930..ced52ff 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
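Review bot: The summaries on the two new interfaces, `userdom_home_reader` and `userdom_home_manager`, describe an access grant, but each body only adds `$1` to an attribute (`typeattribute $1 userdom_home_reader_type;`), so the real permissions are whatever rules are attached to that attribute elsewhere. In this diff the only visible rules for these attributes are the `tunable_policy` blocks in userdomain.te for NFS, Samba and FUSE home directories, so a caller may expect access to locally labelled home content that, as far as this diff shows, is not granted. I would reword the summaries, for example `## Add the domain to userdom_home_reader_type; access comes from the rules on that attribute (remote home directory booleans).`, and describe the parameter as the domain being added to the attribute rather than `Domain allowed access.` Membership is a standing grant to every rule later attached to the attribute, so naming the attribute in the doc also makes callers easier to audit.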
@@ -81436,10 +81518,13 @@ index 9b4a930..d6c3860 100644
## Allow w to display everyone
##
##
-@@ -59,6 +73,19 @@ attribute unpriv_userdomain;
+@@ -59,6 +73,22 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
++attribute userdom_home_reader_type;
++attribute userdom_home_manager_type;
++
+# unprivileged user domains
+attribute user_home_type;
+attribute user_tmp_type;
@@ -81456,7 +81541,7 @@ index 9b4a930..d6c3860 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +101,110 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -81536,6 +81621,39 @@ index 9b4a930..d6c3860 100644
+optional_policy(`
+ xserver_filetrans_home_content(userdomain)
+')
++
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_read_fusefs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(userdom_home_manager_type)
++ fs_manage_nfs_dirs(userdom_home_manager_type)
++ fs_manage_nfs_files(userdom_home_manager_type)
++ fs_manage_nfs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(userdom_home_manager_type)
++ fs_manage_cifs_files(userdom_home_manager_type)
++ fs_manage_cifs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(userdom_home_manager_type)
++ fs_manage_fusefs_files(userdom_home_manager_type)
++ fs_manage_fusefs_symlinks(userdom_home_manager_type)
++')
++
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index a865da7..a5ed06e 100644
--- a/policy/modules/system/xen.fc
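Review bot: The new `tunable_policy` blocks give every member of `userdom_home_reader_type` and `userdom_home_manager_type` the filesystem-wide `fs_read_*` / `fs_manage_*` interfaces, which, judging by their names, cover all NFS, CIFS or FUSE content rather than home directories only. A comment above the blocks should state that scope, e.g. `# Remote filesystems typically carry one label per mount, so these booleans expose all NFS/CIFS/FUSE content to the attribute members.` The blocks are also asymmetric: `fs_list_auto_mountpoints(userdom_home_manager_type)` appears only under `use_nfs_home_dirs`, and the reader attribute gets `fs_read_*_files` with no symlink counterpart, while the manager attribute gets dirs, files and symlinks. If that is intentional, a short why-comment would help; if not, the reader blocks probably want matching symlink rules, which should be checked against the interface definitions outside this hunk.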
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 726dd6c..9b66cd0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Nov 16 2011 Miroslav Grepl 3.10.0-58
+- Add ssh_dontaudit_search_home_dir
+- Changes to allow namespace_init_t to work
+- Add interface to allow exec of mongod, add port definition for mongod port, 27017
+- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
+- Allow spamd and clamd to steam connect to each other
+- Add policy label for passwd.OLD
+- More fixes for postfix and postfix maildro
+- Add ftp support for mozilla plugins
+- Useradd now needs to manage policy since it calls libsemanage
+- Fix devicekit_manage_log_files() interface
+- Allow colord to execute ifconfig
+- Allow accountsd to read /sys
+- Allow mysqld-safe to execute shell
+- Allow openct to stream connect to pcscd
+- Add label for /var/run/nm-dns-dnsmasq\.conf
+- Allow networkmanager to chat with virtd_t
+
* Fri Nov 11 2011 Dan Walsh 3.10.0-57
- Pulseaudio changes
- Merge patches