diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4f732cf..e134722 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2965,7 +2965,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..4d8e35b 100644
+index 644d4d7..5be2ae6 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3226,7 +3226,7 @@ index 644d4d7..4d8e35b 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -321,8 +381,12 @@ ifdef(`distro_redhat', `
+@@ -321,20 +381,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3239,7 +3239,10 @@ index 644d4d7..4d8e35b 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -332,9 +396,12 @@ ifdef(`distro_redhat', `
+ /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
++#/usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
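Review bot: The `authconfig\.py` entry in corecommands.fc is switched off by prefixing it with `#` instead of being removed, and nothing records why. With the entry inactive, the script no longer receives `bin_t` from this file and will take whatever other file-context entry matches the path on the next relabel, which may change which domains can execute it. If that is intended, delete the line outright or put a one-line reason above it, e.g. `# authconfig.py is intentionally not labeled bin_t: <reason>`. The enclosing distro_redhat block begins and ends outside this hunk.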
@@ -4962,7 +4965,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..030b246 100644
+index 4edc40d..49513c7 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5224,9 +5227,12 @@ index 4edc40d..030b246 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,6 +300,7 @@ network_port(telnetd, tcp,23,s0)
+@@ -257,8 +298,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+ network_port(tcs, tcp, 30003, s0)
+ network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
- network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+-network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
++network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0)
  network_port(traceroute, udp,64000-64010,s0)
 +network_port(tram, tcp, 4567, s0)
  network_port(transproxy, tcp,8081,s0)
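Review bot: The `tcp,9150,s0` added to the `network_port(tor, ...)` line has no explanation, and it extends `tor_port_t` for every rule that already references that type. Presumably this is the SOCKS listener used by the Tor Browser bundle; a comment above the declaration such as `# 9150: Tor Browser SOCKS port` would make that checkable. Only part of the port list is visible here, so it is also worth confirming that no other `network_port()` entry in corenetwork.te.in already claims tcp 9150.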
@@ -7428,7 +7434,7 @@ index 6529bd9..cfec99c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..258c7cc 100644
+index 6a1e4d1..adafd25 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -7537,12 +7543,14 @@ index 6a1e4d1..258c7cc 100644
  ##	Relabel to and from all entry point
  ##	file types.
  ## </summary>
-@@ -1530,4 +1543,25 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1543,27 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
 +
 +	mcs_process_set_categories($1)
++
++	userdom_filetrans_home_content($1)
 +')
 +
 +########################################
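Review bot: `userdom_filetrans_home_content($1)` is added to `domain_unconfined` without an `optional_policy` wrapper, whereas the call it replaces in domain.te (`userdom_filetrans_home_content(unconfined_domain_type)`, removed later in this commit) sat inside one. As written, the kernel-layer domain module now depends unconditionally on the userdomain module; wrapping the call in an `optional_policy` block would keep the dependency optional, as the domain.te version did. The same commit also drops the per-module `auth_`, `gpg_`, `irc_`, `mozilla_`, `pulseaudio_`, `thumb_` and `virt_filetrans_home_content` calls for unconfined domains. The body of `userdom_filetrans_home_content` is not visible here, so please confirm it covers all of them. The interface body starts outside this hunk.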
@@ -7564,7 +7572,7 @@ index 6a1e4d1..258c7cc 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..3980a24 100644
+index cf04cb5..8601a3e 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7690,7 +7698,7 @@ index cf04cb5..3980a24 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -7724,7 +7732,6 @@ index cf04cb5..3980a24 100644
 +optional_policy(`
 +	auth_filetrans_named_content(unconfined_domain_type)
 +	auth_filetrans_admin_home_content(unconfined_domain_type)
-+	auth_filetrans_home_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@@ -7768,14 +7775,6 @@ index cf04cb5..3980a24 100644
 +')
 +
 +optional_policy(`
-+	gpg_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+	irc_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
 +	kerberos_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -7788,10 +7787,6 @@ index cf04cb5..3980a24 100644
 +')
 +
 +optional_policy(`
-+	mozilla_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
 +	mysql_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -7820,7 +7815,6 @@ index cf04cb5..3980a24 100644
 +')
 +
 +optional_policy(`
-+	pulseaudio_filetrans_home_content(unconfined_domain_type)
 +	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
 +')
 +
@@ -7844,21 +7838,15 @@ index cf04cb5..3980a24 100644
 +')
 +
 +optional_policy(`
-+	thumb_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
 +	tftp_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
 +	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
-+	userdom_filetrans_home_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
 +	virt_filetrans_named_content(unconfined_domain_type)
-+	virt_filetrans_home_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@@ -10818,7 +10806,7 @@ index 148d87a..822f6be 100644
  	allow files_unconfined_type file_type:file execmod;
  ')
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..91d1e25 100644
+index cda5588..91a633a 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
 @@ -1,3 +1,7 @@
@@ -10829,7 +10817,7 @@ index cda5588..91d1e25 100644
  /cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
  /cgroup/.*			<<none>>
  
-@@ -14,3 +18,8 @@
+@@ -14,3 +18,10 @@
  # for systemd systems:
  /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
  /sys/fs/cgroup/.*		<<none>>
@@ -10838,6 +10826,8 @@ index cda5588..91d1e25 100644
 +/usr/lib/udev/devices/hugepages/.*	<<none>>
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
++/var/run/[^/]*/gvfs		-d	gen_context(system_u:object_r:fusefs_t,s0)
++/var/run/[^/]*/gvfs/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
 index 8416beb..60b2ce1 100644
 --- a/policy/modules/kernel/filesystem.if
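Review bot: The new `/var/run/[^/]*/gvfs` pattern allows exactly one path component between `/var/run` and `gvfs`, and because it uses `*` that component may be empty. If the directory being labeled is the gvfs mount under a per-user runtime directory (for example `/var/run/user/NAME/gvfs`, with NAME a placeholder), this entry will not match it and the mount point will not get `fusefs_t`. In that case the pattern would need to be `/var/run/user/[^/]*/gvfs`, with the companion `/.*` line changed the same way. If a single-level path really is intended, `[^/]+` avoids matching `/var/run//gvfs`.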
@@ -17073,10 +17063,10 @@ index a26f84f..947af6c 100644
 -/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 +#/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 9d2f311..c8a2637 100644
+index 9d2f311..9e87525 100644
 --- a/policy/modules/services/postgresql.if
 +++ b/policy/modules/services/postgresql.if
-@@ -10,7 +10,7 @@
+@@ -10,90 +10,21 @@
  ##	</summary>
  ## </param>
  ## <param name="user_domain">
@@ -17085,10 +17075,49 @@ index 9d2f311..c8a2637 100644
  ##	The type of the user domain.
  ##	</summary>
  ## </param>
-@@ -54,15 +54,6 @@ interface(`postgresql_role',`
- 	# Client local policy
- 	#
- 
+ #
+ interface(`postgresql_role',`
+ 	gen_require(`
+-		class db_database all_db_database_perms;
+-		class db_schema all_db_schema_perms;
+-		class db_table all_db_table_perms;
+-		class db_sequence all_db_sequence_perms;
+-		class db_view all_db_view_perms;
+-		class db_procedure all_db_procedure_perms;
+-		class db_language all_db_language_perms;
+-		class db_column all_db_column_perms;
+-		class db_tuple all_db_tuple_perms;
+-		class db_blob all_db_blob_perms;
+-
+-		attribute sepgsql_client_type, sepgsql_database_type;
+-		attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
+-
+-		type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+-		type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t;
+-		type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
+-		type user_sepgsql_schema_t, user_sepgsql_seq_t;
+-		type user_sepgsql_sysobj_t, user_sepgsql_table_t;
+-		type user_sepgsql_view_t;
+-		type sepgsql_temp_object_t;
++		attribute sepgsql_client_type;
++		type sepgsql_trusted_proc_t;
++		type sepgsql_ranged_proc_t;
+ 	')
+ 
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+ 	typeattribute $2 sepgsql_client_type;
+ 	role $1 types sepgsql_trusted_proc_t;
+ 	role $1 types sepgsql_ranged_proc_t;
+-
+-	##############################
+-	#
+-	# Client local policy
+-	#
+-
 -	tunable_policy(`sepgsql_enable_users_ddl',`
 -		allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
 -		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
@@ -17098,27 +17127,41 @@ index 9d2f311..c8a2637 100644
 -		allow $2 user_sepgsql_view_t:db_view { create drop setattr };
 -		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 -	')
- 
- 	allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
- 	type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
-@@ -94,6 +85,16 @@ interface(`postgresql_role',`
- 
- 	allow $2 sepgsql_trusted_proc_t:process transition;
- 	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-+
-+	tunable_policy(`sepgsql_enable_users_ddl',`
-+		allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
-+		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-+		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-+		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-+		allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-+		allow $2 user_sepgsql_view_t:db_view { create drop setattr };
-+		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-+	')
+-
+-	allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+-	type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+-	type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
+-
+-	allow $2 user_sepgsql_table_t:db_table	{ getattr select update insert delete lock };
+-	allow $2 user_sepgsql_table_t:db_column { getattr select update insert };
+-	allow $2 user_sepgsql_table_t:db_tuple	{ select update insert delete };
+-	type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
+-
+-	allow $2 user_sepgsql_sysobj_t:db_tuple	{ use select };
+-	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
+-
+-	allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
+-	type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
+-
+-	allow $2 user_sepgsql_view_t:db_view { getattr expand };
+-	type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
+-
+-	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+-	type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+-
+-	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+-	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+-
+-	allow $2 sepgsql_ranged_proc_t:process transition;
+-	type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+-	allow sepgsql_ranged_proc_t $2:process dyntransition;
+-
+-	allow $2 sepgsql_trusted_proc_t:process transition;
+-	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
  ')
  
  ########################################
-@@ -312,7 +313,7 @@ interface(`postgresql_search_db',`
+@@ -312,7 +243,7 @@ interface(`postgresql_search_db',`
  		type postgresql_db_t;
  	')
  
@@ -17127,7 +17170,7 @@ index 9d2f311..c8a2637 100644
  ')
  
  ########################################
-@@ -324,14 +325,16 @@ interface(`postgresql_search_db',`
+@@ -324,14 +255,16 @@ interface(`postgresql_search_db',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17147,7 +17190,7 @@ index 9d2f311..c8a2637 100644
  ')
  
  ########################################
-@@ -354,6 +357,24 @@ interface(`postgresql_domtrans',`
+@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',`
  
  ######################################
  ## <summary>
@@ -17172,7 +17215,7 @@ index 9d2f311..c8a2637 100644
  ##	Allow domain to signal postgresql
  ## </summary>
  ## <param name="domain">
-@@ -421,7 +442,6 @@ interface(`postgresql_tcp_connect',`
+@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17180,7 +17223,7 @@ index 9d2f311..c8a2637 100644
  #
  interface(`postgresql_stream_connect',`
  	gen_require(`
-@@ -432,6 +452,7 @@ interface(`postgresql_stream_connect',`
+@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',`
  
  	files_search_pids($1)
  	files_search_tmp($1)
@@ -17188,15 +17231,91 @@ index 9d2f311..c8a2637 100644
  ')
  
  ########################################
-@@ -514,7 +535,6 @@ interface(`postgresql_unpriv_client',`
- 	allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
- 	type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
- 
+@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',`
+ #
+ interface(`postgresql_unpriv_client',`
+ 	gen_require(`
+-		class db_database all_db_database_perms;
+-		class db_schema all_db_schema_perms;
+-		class db_table all_db_table_perms;
+-		class db_sequence all_db_sequence_perms;
+-		class db_view all_db_view_perms;
+-		class db_procedure all_db_procedure_perms;
+-		class db_language all_db_language_perms;
+-		class db_column all_db_column_perms;
+-		class db_tuple all_db_tuple_perms;
+-		class db_blob all_db_blob_perms;
+-
+ 		attribute sepgsql_client_type;
+-		attribute sepgsql_database_type, sepgsql_schema_type;
+-		attribute sepgsql_sysobj_table_type;
+-
+-		type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t;
+-		type sepgsql_temp_object_t;
+-		type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+-		type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+-		type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
+-		type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
+-		type unpriv_sepgsql_view_t;
+ 	')
+ 
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+ 	typeattribute $1 sepgsql_client_type;
+-
+-	########################################
+-	#
+-	# Client local policy
+-	#
+-
+-	type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+-	allow $1 sepgsql_ranged_proc_t:process transition;
+-	allow sepgsql_ranged_proc_t $1:process dyntransition;
+-
+-	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+-	allow $1 sepgsql_trusted_proc_t:process transition;
+-
+-	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+-	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+-
+-	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
+-	type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
+-
+-	allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
+-	type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+-	type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
 -
- 	tunable_policy(`sepgsql_enable_users_ddl',`
- 		allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
- 		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-@@ -547,6 +567,29 @@ interface(`postgresql_unconfined',`
+-	allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock };
+-	allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert };
+-	allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete };
+-	type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
+-
+-	allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
+-	type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
+-
+-	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+-	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+-
+-	allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
+-	type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+-
+-
+-	tunable_policy(`sepgsql_enable_users_ddl',`
+-		allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+-		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+-		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+-		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+-		allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
+-		allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
+-		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+-	')
+ ')
+ 
+ ########################################
+@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',`
  
  ########################################
  ## <summary>
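Review bot: After this change `postgresql_unpriv_client` does nothing except add `sepgsql_client_type` to `$1`, so the `unpriv_sepgsql_*` object types it used to transition to are no longer referenced from this interface. The replacement rules added to postgresql.te later in this commit are written against `sepgsql_client_type` and the `user_sepgsql_*` types, so unprivileged clients and `postgresql_role` users now create and access objects of the same types. The create/drop/setattr grants under `postgresql_selinux_users_ddl`, which the same file declares with default `true`, therefore apply to both. If the separation between the two client classes is still wanted, keep the `unpriv_sepgsql_*` rules (here or against a second attribute). Otherwise the interface summary should state that it is now equivalent to tagging the domain as a generic client, and the same applies to the `postgresql_role` hunks above.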
@@ -17226,7 +17345,7 @@ index 9d2f311..c8a2637 100644
  ##	All of the rules required to administrate an postgresql environment
  ## </summary>
  ## <param name="domain">
-@@ -563,35 +606,41 @@ interface(`postgresql_unconfined',`
+@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',`
  #
  interface(`postgresql_admin',`
  	gen_require(`
@@ -17277,7 +17396,7 @@ index 9d2f311..c8a2637 100644
 +	postgresql_filetrans_named_content($1)
  ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..59ee2a5 100644
+index 346d011..d84cfd8 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,25 +19,32 @@ gen_require(`
@@ -17290,15 +17409,15 @@ index 346d011..59ee2a5 100644
 +##	<p>
 +##	Allow postgresql to use ssh and rsync for point-in-time recovery
 +##	</p>
-+## </desc>
+ ## </desc>
+-gen_tunable(sepgsql_enable_users_ddl, false)
 +gen_tunable(postgresql_can_rsync, false)
 +
 +## <desc>
 +##	<p>
 +##	Allow unprivileged users to execute DDL statement
 +##	</p>
- ## </desc>
--gen_tunable(sepgsql_enable_users_ddl, false)
++## </desc>
 +gen_tunable(postgresql_selinux_users_ddl, true)
  
  ## <desc>
@@ -17386,16 +17505,64 @@ index 346d011..59ee2a5 100644
  	allow postgresql_t self:process execmem;
  ')
  
-@@ -488,7 +494,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
- # Note that permission of creation/deletion are eventually controlled by
- # create or drop permission of individual objects within shared schemas.
- # So, it just allows to create/drop user specific types.
+@@ -485,10 +491,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+ # It is always allowed to operate temporary objects for any database client.
+ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+ 
+-# Note that permission of creation/deletion are eventually controlled by
+-# create or drop permission of individual objects within shared schemas.
+-# So, it just allows to create/drop user specific types.
 -tunable_policy(`sepgsql_enable_users_ddl',`
++##############################
++#
++# Client local policy
++#
++allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
++type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t;
++type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
++
++allow sepgsql_client_type user_sepgsql_table_t:db_table	{ getattr select update insert delete lock };
++allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert };
++allow sepgsql_client_type user_sepgsql_table_t:db_tuple	{ select update insert delete };
++type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t;
++
++allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple	{ use select };
++type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
++
++allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
++type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
++
++allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand };
++type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t;
++
++allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute };
++type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
++
++allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
++type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t;
++
++allow sepgsql_client_type sepgsql_ranged_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
++allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition;
++
++allow sepgsql_client_type sepgsql_trusted_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++
 +tunable_policy(`postgresql_selinux_users_ddl',`
++	allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete };
++	allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++	allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr };
++	allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++	# Note that permission of creation/deletion are eventually controlled by
++	# create or drop permission of individual objects within shared schemas.
++	# So, it just allows to create/drop user specific types.
  	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
  ')
  
-@@ -536,7 +542,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +584,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
  
@@ -17404,7 +17571,7 @@ index 346d011..59ee2a5 100644
  	allow sepgsql_admin_type sepgsql_database_type:db_database *;
  
  	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +595,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +637,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
  allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -18086,10 +18253,10 @@ index fe0c682..da12170 100644
 +	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..386c48c 100644
+index 5fc0391..8d190be 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
+@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
  #
  
  ## <desc>
@@ -18126,6 +18293,7 @@ index 5fc0391..386c48c 100644
  
 +ssh_dyntransition_domain_template(chroot_user_t)
 +ssh_dyntransition_domain_template(sshd_sandbox_t)
++ssh_dyntransition_domain_template(sshd_net_t)
 +
  type ssh_keygen_t;
  type ssh_keygen_exec_t;
@@ -18156,7 +18324,7 @@ index 5fc0391..386c48c 100644
  type ssh_t;
  type ssh_exec_t;
  typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -73,6 +80,11 @@ type ssh_home_t;
+@@ -73,6 +81,11 @@ type ssh_home_t;
  typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  userdom_user_home_content(ssh_home_t)
@@ -18168,7 +18336,7 @@ index 5fc0391..386c48c 100644
  
  ##############################
  #
-@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +96,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -18176,7 +18344,7 @@ index 5fc0391..386c48c 100644
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +104,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -18193,14 +18361,14 @@ index 5fc0391..386c48c 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -108,32 +117,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +117,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+ 
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
- userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
 +userdom_read_all_users_keys(ssh_t)
 +userdom_stream_connect(ssh_t)
 +userdom_search_admin_dir(sshd_t)
-+userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
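Review bot: Dropping `userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })` leaves `ssh_t` able to manage `ssh_home_t` directories and sockets, but with no visible rule that gives a newly created one that type. The commit removes the equivalent transitions for `ssh_server` in the next hunk and for `iceauth_t`, `xauth_t` and `xdm_t` in xserver.te; only `xdm_t` keeps a visible replacement (`xserver_filetrans_home_content(xdm_t)`). Unless a named transition is applied to these domains elsewhere in the patch, objects they create in a home directory would take the parent directory's type rather than `ssh_home_t`, `iceauth_home_t` or `xauth_home_t`, which matters for key and cookie files. Please confirm where the replacement comes from and record it in a comment next to the `manage_*_pattern` lines.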
@@ -18218,8 +18386,6 @@ index 5fc0391..386c48c 100644
 -read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
 +manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
 +manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
-+userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
@@ -18240,7 +18406,7 @@ index 5fc0391..386c48c 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
+@@ -156,38 +172,42 @@ logging_read_generic_logs(ssh_t)
  
  auth_use_nsswitch(ssh_t)
  
@@ -18302,7 +18468,7 @@ index 5fc0391..386c48c 100644
  ')
  
  optional_policy(`
-@@ -195,6 +218,7 @@ optional_policy(`
+@@ -195,6 +215,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -18310,7 +18476,7 @@ index 5fc0391..386c48c 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +227,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  allow ssh_keysign_t sshd_key_t:file { getattr read };
  
  dev_read_urand(ssh_keysign_t)
@@ -18318,7 +18484,7 @@ index 5fc0391..386c48c 100644
  
  files_read_etc_files(ssh_keysign_t)
  
-@@ -223,33 +248,50 @@ optional_policy(`
+@@ -223,33 +245,50 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -18378,7 +18544,7 @@ index 5fc0391..386c48c 100644
  ')
  
  optional_policy(`
-@@ -257,11 +299,24 @@ optional_policy(`
+@@ -257,11 +296,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18404,7 +18570,7 @@ index 5fc0391..386c48c 100644
  ')
  
  optional_policy(`
-@@ -269,6 +324,10 @@ optional_policy(`
+@@ -269,6 +321,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18415,7 +18581,7 @@ index 5fc0391..386c48c 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -279,6 +338,32 @@ optional_policy(`
+@@ -279,6 +335,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18448,7 +18614,7 @@ index 5fc0391..386c48c 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -286,6 +371,29 @@ optional_policy(`
+@@ -286,6 +368,29 @@ optional_policy(`
  	xserver_domtrans_xauth(sshd_t)
  ')
  
@@ -18478,7 +18644,7 @@ index 5fc0391..386c48c 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -294,19 +402,26 @@ optional_policy(`
+@@ -294,19 +399,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -18506,7 +18672,7 @@ index 5fc0391..386c48c 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +438,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +435,12 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -18519,7 +18685,7 @@ index 5fc0391..386c48c 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +452,123 @@ optional_policy(`
+@@ -331,3 +449,138 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -18549,6 +18715,20 @@ index 5fc0391..386c48c 100644
 +
 +logging_send_audit_msgs(sshd_sandbox_t)
 +
++#####################################
++#
++#  sshd [net] child local policy
++#
++
++allow sshd_t sshd_net_t:process signal;
++
++allow sshd_net_t self:process setrlimit;
++
++init_ioctl_stream_sockets(sshd_net_t)
++
++logging_send_audit_msgs(sshd_net_t)
++
++
 +######################################
 +#
 +# chroot_user_t local policy
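Review bot: The new `sshd [net] child local policy` section does not say what `sshd_net_t` confines, yet it grants that domain `setrlimit` and the ability to send audit messages. Presumably this is the pre-authentication, network-facing privilege-separated child of sshd, entered through the `ssh_dyntransition_domain_template(sshd_net_t)` line added earlier in this file. A short comment under the header saying so, and why the child needs `allow sshd_net_t self:process setrlimit;`, would let a reader judge whether the grant is minimal. The block also ends with two blank lines where the neighbouring sections use one.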
@@ -18571,10 +18751,11 @@ index 5fc0391..386c48c 100644
 +
 +tunable_policy(`ssh_chroot_rw_homedirs',`
 +        files_list_home(chroot_user_t)
-+        userdom_manage_user_home_content(chroot_user_t)
-+', `
-+
-+        userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
++		userdom_manage_user_home_content_files(chroot_user_t)
++		userdom_manage_user_home_content_symlinks(chroot_user_t)
++		userdom_manage_user_home_content_pipes(chroot_user_t)
++		userdom_manage_user_home_content_sockets(chroot_user_t)
++		userdom_manage_user_home_content_dirs(chroot_user_t)
 +')
 +
 +tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
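Review bot: The five `userdom_manage_user_home_content_*` lines added inside the `ssh_chroot_rw_homedirs` tunable block are indented with two tabs, while the `files_list_home(chroot_user_t)` line above them uses eight spaces; one style should be used throughout the block. The commit also removes the else branch that called `userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })`, so with the tunable off `chroot_user_t` no longer gets that call from this block. If that is deliberate, a comment above the block stating that the chroot user gets no home-directory rules unless the tunable is set would make the intent explicit.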
@@ -20177,7 +20358,7 @@ index 6bf0ecc..8a8ed32 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..5a2bd5f 100644
+index 2696452..2964047 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -20373,7 +20554,11 @@ index 2696452..5a2bd5f 100644
  userdom_user_tmpfs_file(xserver_tmpfs_t)
  
  type xsession_exec_t;
-@@ -229,17 +280,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -225,21 +276,33 @@ optional_policy(`
+ #
+ 
+ allow iceauth_t iceauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
  
  allow xdm_t iceauth_home_t:file read_file_perms;
  
@@ -20412,7 +20597,7 @@ index 2696452..5a2bd5f 100644
  ')
  
  ########################################
-@@ -247,48 +311,85 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +310,83 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -20428,8 +20613,7 @@ index 2696452..5a2bd5f 100644
 +corenet_tcp_connect_xserver_port(xauth_t)
  
  allow xauth_t xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
-+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
+-userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
 +
 +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
 +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
@@ -20508,7 +20692,7 @@ index 2696452..5a2bd5f 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +400,108 @@ optional_policy(`
+@@ -299,64 +397,106 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -20544,8 +20728,6 @@ index 2696452..5a2bd5f 100644
 +
 +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
-+userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)
 +xserver_filetrans_home_content(xdm_t)
 +xserver_filetrans_admin_home_content(xdm_t)
 +
@@ -20627,7 +20809,7 @@ index 2696452..5a2bd5f 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +510,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +505,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -20657,7 +20839,7 @@ index 2696452..5a2bd5f 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +540,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -20710,7 +20892,7 @@ index 2696452..5a2bd5f 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +592,26 @@ files_list_mnt(xdm_t)
+@@ -430,9 +587,26 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -20737,7 +20919,7 @@ index 2696452..5a2bd5f 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +615,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -20781,7 +20963,7 @@ index 2696452..5a2bd5f 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +657,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -20831,7 +21013,7 @@ index 2696452..5a2bd5f 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +707,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -20858,7 +21040,7 @@ index 2696452..5a2bd5f 100644
  ')
  
  optional_policy(`
-@@ -514,12 +739,72 @@ optional_policy(`
+@@ -514,12 +734,72 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20931,7 +21113,7 @@ index 2696452..5a2bd5f 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +822,78 @@ optional_policy(`
+@@ -537,28 +817,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21019,7 +21201,7 @@ index 2696452..5a2bd5f 100644
  ')
  
  optional_policy(`
-@@ -570,6 +905,14 @@ optional_policy(`
+@@ -570,6 +900,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21034,7 +21216,7 @@ index 2696452..5a2bd5f 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +932,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -21047,7 +21229,7 @@ index 2696452..5a2bd5f 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +949,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -21063,7 +21245,7 @@ index 2696452..5a2bd5f 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +976,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -21085,7 +21267,7 @@ index 2696452..5a2bd5f 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +996,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -21099,7 +21281,7 @@ index 2696452..5a2bd5f 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1027,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1022,27 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -21130,7 +21312,7 @@ index 2696452..5a2bd5f 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1058,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1053,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -21144,7 +21326,7 @@ index 2696452..5a2bd5f 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1077,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1072,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -21168,7 +21350,7 @@ index 2696452..5a2bd5f 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1096,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1091,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -21177,7 +21359,7 @@ index 2696452..5a2bd5f 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1140,44 @@ optional_policy(`
+@@ -775,16 +1135,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21223,7 +21405,7 @@ index 2696452..5a2bd5f 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1186,10 @@ optional_policy(`
+@@ -793,6 +1181,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21234,7 +21416,7 @@ index 2696452..5a2bd5f 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1205,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -21248,7 +21430,7 @@ index 2696452..5a2bd5f 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1216,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -21257,7 +21439,7 @@ index 2696452..5a2bd5f 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1229,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1224,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -21292,7 +21474,7 @@ index 2696452..5a2bd5f 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1294,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -21301,7 +21483,7 @@ index 2696452..5a2bd5f 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1348,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -21333,7 +21515,7 @@ index 2696452..5a2bd5f 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1394,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -28471,7 +28653,7 @@ index 9fe8e01..d5fe55a 100644
  
  /var/spool/abrt-upload(/.*)?	gen_context(system_u:object_r:public_content_rw_t,s0)
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..e102068 100644
+index fc28bc3..2f33076 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -28534,7 +28716,7 @@ index fc28bc3..e102068 100644
  ')
  
  ########################################
-@@ -554,6 +577,10 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +577,29 @@ interface(`miscfiles_delete_man_pages',`
  	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
  	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -28542,10 +28724,29 @@ index fc28bc3..e102068 100644
 +		mandb_setattr_cache_dirs($1)
 +		mandb_delete_cache($1)
 +	')
++')
++#######################################
++## <summary>
++##	Create, read, write, and delete man pages
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`miscfiles_setattr_man_pages',`
++    gen_require(`
++        type man_t;
++    ')
++
++    files_search_usr($1)
++
++    allow $1 man_t:dir setattr;
  ')
  
  ########################################
-@@ -622,6 +649,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +668,30 @@ interface(`miscfiles_manage_man_cache',`
  
  ########################################
  ## <summary>
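Review bot: The summary on the new `miscfiles_setattr_man_pages` interface reads "Create, read, write, and delete man pages", but the body only grants `allow $1 man_t:dir setattr;` after `files_search_usr($1)`. The summary should state what is actually granted, for example `##	Set attributes on man page directories.`, so a policy author reading the generated documentation does not assume broader access. The block is also indented with spaces where the neighbouring interfaces use tabs. It is missing the blank line that normally separates the preceding `')` from the next banner.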
@@ -28576,7 +28777,7 @@ index fc28bc3..e102068 100644
  ##	Read public files used for file
  ##	transfer services.
  ## </summary>
-@@ -784,8 +835,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +854,11 @@ interface(`miscfiles_etc_filetrans_localization',`
  		type locale_t;
  	')
  
@@ -28590,7 +28791,7 @@ index fc28bc3..e102068 100644
  ')
  
  ########################################
-@@ -809,3 +863,60 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -31994,10 +32195,10 @@ index 0000000..595f756
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..778b99b
+index 0000000..2961157
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1043 @@
+@@ -0,0 +1,1042 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -33040,13 +33241,12 @@ index 0000000..778b99b
 +	allow systemd_hostnamed_t $1:dbus send_msg;
 +	ps_process_pattern(systemd_hostnamed_t, $1)
 +')
-+
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..913fc52
+index 0000000..ac0a395
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,620 @@
+@@ -0,0 +1,624 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -33528,6 +33728,8 @@ index 0000000..913fc52
 +miscfiles_manage_localization(systemd_localed_t)
 +miscfiles_etc_filetrans_localization(systemd_localed_t)
 +
++userdom_dbus_send_all_users(systemd_localed_t)
++
 +optional_policy(`
 +	dbus_connect_system_bus(systemd_localed_t)
 +	dbus_system_bus_client(systemd_localed_t)
@@ -33552,6 +33754,8 @@ index 0000000..913fc52
 +init_read_state(systemd_hostnamed_t)
 +init_stream_connect(systemd_hostnamed_t)
 +
++logging_send_syslog_msg(systemd_hostnamed_t)
++
 +optional_policy(`
 +        dbus_system_bus_client(systemd_hostnamed_t)
 +        dbus_connect_system_bus(systemd_hostnamed_t)
@@ -35038,7 +35242,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..c270e54 100644
+index 3c5dba7..6c2548e 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -35054,7 +35258,7 @@ index 3c5dba7..c270e54 100644
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -44,79 +46,133 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -35206,7 +35410,6 @@ index 3c5dba7..c270e54 100644
 +	miscfiles_read_public_files($1_usertype)
  
 -	tunable_policy(`allow_execmem',`
-+	systemd_dbus_chat_hostnamed($1_usertype)
 +	systemd_dbus_chat_logind($1_usertype)
 +	systemd_read_logind_sessions_files($1_usertype)
 +	systemd_write_inhibit_pipes($1_usertype)
@@ -35240,7 +35443,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  #######################################
-@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -35249,7 +35452,7 @@ index 3c5dba7..c270e54 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -35277,7 +35480,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  #######################################
-@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -35289,7 +35492,7 @@ index 3c5dba7..c270e54 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -229,43 +269,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +268,46 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -35305,6 +35508,7 @@ index 3c5dba7..c270e54 100644
 -	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
 -	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
 -	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
 +
 +	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
 +	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
@@ -35318,7 +35522,6 @@ index 3c5dba7..c270e54 100644
 +	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
 +	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
 +	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
- 	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
 +	userdom_filetrans_home_content($2)
 +
  	files_list_home($2)
@@ -35353,7 +35556,7 @@ index 3c5dba7..c270e54 100644
  	')
  ')
  
-@@ -273,6 +317,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -35379,7 +35582,7 @@ index 3c5dba7..c270e54 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +350,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -35449,7 +35652,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  #######################################
-@@ -317,11 +427,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -35481,7 +35684,7 @@ index 3c5dba7..c270e54 100644
  ##	Role access for the user tmpfs type
  ##	that the user has full access.
  ## </summary>
-@@ -348,59 +478,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -35572,7 +35775,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  #######################################
-@@ -431,6 +562,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -35580,7 +35783,7 @@ index 3c5dba7..c270e54 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +595,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +593,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -35591,7 +35794,7 @@ index 3c5dba7..c270e54 100644
  	')
  ')
  
-@@ -491,7 +623,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +621,8 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -35601,7 +35804,7 @@ index 3c5dba7..c270e54 100644
  
  	##############################
  	#
-@@ -501,41 +634,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -35676,7 +35879,7 @@ index 3c5dba7..c270e54 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +689,121 @@ template(`userdom_common_user_template',`
+@@ -546,93 +687,120 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -35692,7 +35895,6 @@ index 3c5dba7..c270e54 100644
 +	auth_run_pam_timestamp($1_t,$1_r)
 +	auth_run_utempter($1_t,$1_r)
 +	auth_filetrans_admin_home_content($1_t)
-+	auth_filetrans_home_content($1_t)
  
 -	init_read_utmp($1_t)
 +	init_read_utmp($1_usertype)
@@ -35836,7 +36038,7 @@ index 3c5dba7..c270e54 100644
  	')
  
  	optional_policy(`
-@@ -646,19 +817,17 @@ template(`userdom_common_user_template',`
+@@ -646,19 +814,16 @@ template(`userdom_common_user_template',`
  
  	# for running depmod as part of the kernel packaging process
  	optional_policy(`
@@ -35848,7 +36050,6 @@ index 3c5dba7..c270e54 100644
 -		mta_rw_spool($1_t)
 +		mta_rw_spool($1_usertype)
 +		mta_manage_queue($1_usertype)
-+		mta_filetrans_home_content($1_usertype)
  	')
  
  	optional_policy(`
@@ -35861,7 +36062,7 @@ index 3c5dba7..c270e54 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +840,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +836,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -35870,7 +36071,7 @@ index 3c5dba7..c270e54 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +849,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +845,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -35883,7 +36084,7 @@ index 3c5dba7..c270e54 100644
  		')
  	')
  
-@@ -693,32 +862,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +858,36 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -35931,7 +36132,7 @@ index 3c5dba7..c270e54 100644
  	')
  ')
  
-@@ -743,17 +916,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -35940,13 +36141,12 @@ index 3c5dba7..c270e54 100644
  
  	userdom_base_user_template($1)
  
--	userdom_manage_home_role($1_r, $1_t)
 +	typeattribute $1_t login_userdomain;
++
+ 	userdom_manage_home_role($1_r, $1_t)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_home_role($1_r, $1_usertype)
-+
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
 +
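Review bot: In `userdom_login_user_template` the home role is now granted with `userdom_manage_home_role($1_r, $1_t)`, while the two calls right below it target `$1_usertype` (`userdom_manage_tmp_role($1_r, $1_usertype)` and `userdom_manage_tmpfs_role($1_r, $1_usertype)`). If the narrower target for home content is deliberate, a short comment above the call saying so (for example `# home role intentionally limited to $1_t, not $1_usertype`) would stop a later cleanup from widening it. If it is not deliberate, the three calls should name the same domain set. The template body starts and ends outside this hunk.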
@@ -35970,7 +36170,7 @@ index 3c5dba7..c270e54 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +950,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -36073,7 +36273,6 @@ index 3c5dba7..c270e54 100644
 -	seutil_read_config($1_t)
 +	optional_policy(`
 +		kerberos_use($1_usertype)
-+		kerberos_filetrans_home_content($1_usertype)
 +	')
  
  	optional_policy(`
@@ -36107,7 +36306,7 @@ index 3c5dba7..c270e54 100644
  	')
  ')
  
-@@ -868,6 +1075,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -36120,7 +36319,7 @@ index 3c5dba7..c270e54 100644
  	##############################
  	#
  	# Local policy
-@@ -908,41 +1121,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -36231,7 +36430,7 @@ index 3c5dba7..c270e54 100644
  		')
  
  		optional_policy(`
-@@ -951,12 +1220,30 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -36242,7 +36441,6 @@ index 3c5dba7..c270e54 100644
 +	optional_policy(`
 +		pulseaudio_role($1_r, $1_usertype)
 +		pulseaudio_filetrans_admin_home_content($1_usertype)
-+		pulseaudio_filetrans_home_content($1_usertype)
 +	')
 +
 +	optional_policy(`
@@ -36263,7 +36461,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  #######################################
-@@ -990,27 +1277,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -36301,7 +36499,7 @@ index 3c5dba7..c270e54 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1314,57 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1308,59 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -36311,6 +36509,8 @@ index 3c5dba7..c270e54 100644
 -		kernel_dontaudit_read_ring_buffer($1_t)
 -	')
 +	miscfiles_read_hwdata($1_usertype)
++
++	fs_mounton_fusefs($1_usertype)
  
  	# Allow users to run TCP servers (bind to ports and accept connection from
  	# the same domain and outside users) disabling this forces FTP passive mode
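Review bot: `fs_mounton_fusefs($1_usertype)` is added unconditionally to `userdom_unpriv_user_template`, so every unprivileged user type can use fusefs directories as mount points whether or not FUSE is in use. A later `optional_policy` block in the same template already handles FUSE through `mount_run_fusermount($1_t, $1_r)`; placing the new rule there, or behind a tunable, would tie the permission to the path that needs it. A one-line comment naming the denial that required it would also help reviewers judge the scope. The template body starts and ends outside this hunk.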
@@ -36350,26 +36550,26 @@ index 3c5dba7..c270e54 100644
 +
 +	optional_policy(`
 +		gpm_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1369,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -36380,7 +36580,7 @@ index 3c5dba7..c270e54 100644
  	')
  ')
  
-@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1407,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -36389,7 +36589,7 @@ index 3c5dba7..c270e54 100644
  	')
  
  	##############################
-@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1434,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -36397,7 +36597,7 @@ index 3c5dba7..c270e54 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1443,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -36407,7 +36607,7 @@ index 3c5dba7..c270e54 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1460,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -36415,7 +36615,7 @@ index 3c5dba7..c270e54 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1478,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -36430,7 +36630,7 @@ index 3c5dba7..c270e54 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,30 +1500,39 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1496,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -36466,16 +36666,14 @@ index 3c5dba7..c270e54 100644
  	logging_send_syslog_msg($1_t)
  
 -	modutils_domtrans_insmod($1_t)
--
 +	optional_policy(`
 +		modutils_domtrans_insmod($1_t)
 +		modutils_domtrans_depmod($1_t)
 +	')
-+
+ 
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
- 	# cannot directly manipulate policy files with arbitrary programs.
-@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1537,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -36484,7 +36682,7 @@ index 3c5dba7..c270e54 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1546,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -36503,7 +36701,7 @@ index 3c5dba7..c270e54 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1602,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -36512,7 +36710,7 @@ index 3c5dba7..c270e54 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1616,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -36524,7 +36722,7 @@ index 3c5dba7..c270e54 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1630,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -36567,7 +36765,7 @@ index 3c5dba7..c270e54 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1715,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -36586,7 +36784,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1766,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -36638,7 +36836,7 @@ index 3c5dba7..c270e54 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1915,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36670,7 +36868,7 @@ index 3c5dba7..c270e54 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1981,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -36685,7 +36883,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2004,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -36697,7 +36895,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2065,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -36740,7 +36938,7 @@ index 3c5dba7..c270e54 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2180,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36749,7 +36947,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2215,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -36764,7 +36962,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -1772,7 +2249,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2245,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -36773,7 +36971,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,19 +2257,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2253,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -36797,7 +36995,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1800,31 +2275,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2271,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -36837,7 +37035,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -1848,6 +2323,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2319,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -36863,7 +37061,7 @@ index 3c5dba7..c270e54 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2372,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2368,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -36901,7 +37099,7 @@ index 3c5dba7..c270e54 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2412,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2408,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -36919,7 +37117,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -1941,7 +2460,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2456,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -36946,7 +37144,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2488,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2484,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
  interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
@@ -36967,7 +37165,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2504,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2500,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -37018,7 +37216,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -2010,8 +2581,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2577,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -37028,7 +37226,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -2027,20 +2597,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2593,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -37053,7 +37251,7 @@ index 3c5dba7..c270e54 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2687,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2683,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -37062,7 +37260,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2695,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2691,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -37086,7 +37284,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2713,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2709,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -37102,7 +37300,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -2393,11 +2955,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2951,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -37117,7 +37315,7 @@ index 3c5dba7..c270e54 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +2979,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2975,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -37126,7 +37324,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -2664,6 +3226,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3222,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -37152,7 +37350,7 @@ index 3c5dba7..c270e54 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3261,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3257,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -37168,7 +37366,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3289,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3285,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -37177,7 +37375,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,19 +3297,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3293,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -37200,7 +37398,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2735,21 +3315,39 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3311,43 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -37224,9 +37422,10 @@ index 3c5dba7..c270e54 100644
  ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_getattr_user_ttys',`
 +interface(`userdom_getattr_user_ttys',`
 +	gen_require(`
 +		type user_tty_device_t;
@@ -37242,10 +37441,14 @@ index 3c5dba7..c270e54 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -2817,6 +3415,24 @@ interface(`userdom_use_user_ttys',`
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_getattr_user_ttys',`
+ 	gen_require(`
+ 		type user_tty_device_t;
+ 	')
+@@ -2817,6 +3411,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -37270,7 +37473,7 @@ index 3c5dba7..c270e54 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3451,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3447,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -37313,7 +37516,7 @@ index 3c5dba7..c270e54 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3487,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3483,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -37351,7 +37554,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -2885,8 +3532,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3528,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -37381,7 +37584,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -2958,69 +3624,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3620,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -37482,7 +37685,7 @@ index 3c5dba7..c270e54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3693,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3689,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -37497,7 +37700,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -3097,7 +3762,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3758,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -37506,7 +37709,7 @@ index 3c5dba7..c270e54 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3778,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3774,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -37540,7 +37743,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -3217,7 +3866,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3862,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -37549,7 +37752,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -3272,7 +3921,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3917,64 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -37615,7 +37818,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -3290,7 +3996,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3992,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -37624,7 +37827,7 @@ index 3c5dba7..c270e54 100644
  ')
  
  ########################################
-@@ -3309,6 +4015,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4011,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -37632,7 +37835,7 @@ index 3c5dba7..c270e54 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4092,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4088,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -37675,7 +37878,7 @@ index 3c5dba7..c270e54 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4148,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4144,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -37700,7 +37903,7 @@ index 3c5dba7..c270e54 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3439,3 +4200,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4196,1355 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -38947,21 +39150,10 @@ index 3c5dba7..c270e54 100644
 +#
 +interface(`userdom_filetrans_home_content',`
 +	gen_require(`
-+		type home_bin_t, home_cert_t;
-+		type audio_home_t;
++	        attribute userdom_filetrans_type;
 +	')
 +
-+	userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
-+	userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
-+	userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
-+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
-+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
-+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
-+
-+	optional_policy(`
-+		gnome_config_filetrans($1, home_cert_t, dir, "certificates")
-+		#gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
-+	')
++	typeattribute $1  userdom_filetrans_type;
 +')
 +
 +########################################
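Review bot: `userdom_filetrans_home_content` no longer creates any transition itself; it only adds `$1` to `userdom_filetrans_type`, so what a caller receives is decided by the attribute's rules, which this commit adds to userdomain.te. The interface's summary comment starts outside this hunk and is not shown; it should say so, for example `##	Add the domain to userdom_filetrans_type, which carries the home directory file transitions.` The two new lines also depart from the file's tab indentation: `	        attribute userdom_filetrans_type;` mixes a tab with spaces, and `typeattribute $1  userdom_filetrans_type;` has a doubled space.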
@@ -38997,8 +39189,9 @@ index 3c5dba7..c270e54 100644
 +	gen_require(`
 +		attribute userdom_home_manager_type;
 +	')
-+
 +	typeattribute $1 userdom_home_manager_type;
++
++	userdom_filetrans_home_content($1)
 +')
 +
 +########################################
@@ -39067,7 +39260,7 @@ index 3c5dba7..c270e54 100644
 +	filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..069a8ea 100644
+index e2b538b..6371ed6 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -39130,12 +39323,13 @@ index e2b538b..069a8ea 100644
  
  # all user domains
  attribute userdomain;
-@@ -58,6 +52,22 @@ attribute unpriv_userdomain;
+@@ -58,6 +52,23 @@ attribute unpriv_userdomain;
  
  attribute user_home_content_type;
  
 +attribute userdom_home_reader_type;
 +attribute userdom_home_manager_type;
++attribute userdom_filetrans_type;
 +
 +# unprivileged user domains
 +attribute user_home_type;
@@ -39153,7 +39347,7 @@ index e2b538b..069a8ea 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +80,123 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +81,207 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -39279,6 +39473,90 @@ index e2b538b..069a8ea 100644
 +')
 +# vi /etc/mtab can cause an avc trying to relabel to self.  
 +dontaudit userdomain self:file relabelto;
++
++userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++
++optional_policy(`
++	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++	#gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++')
++
++#optional_policy(`
++#	alsa_home_filetrans_alsa_home(userdom_filetrans_type)
++#')
++
++optional_policy(`
++	apache_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	auth_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	gnome_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	gpg_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	irc_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	kerberos_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	mozilla_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	mta_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	pulseaudio_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	spamassassin_filetrans_home_content(userdom_filetrans_type)
++	spamassassin_filetrans_admin_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	ssh_filetrans_admin_home_content(userdom_filetrans_type)
++	ssh_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	telepathy_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	thumb_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	tvtime_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	virt_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++	xserver_filetrans_home_content(userdom_filetrans_type)
++	xserver_filetrans_admin_home_content(userdom_filetrans_type)
++')
 diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
 index e79d545..101086d 100644
 --- a/policy/support/misc_patterns.spt
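Review bot: Every member of `userdom_filetrans_type` now receives the admin-home transitions as well as the user-home ones, because `spamassassin_filetrans_admin_home_content`, `ssh_filetrans_admin_home_content` and `xserver_filetrans_admin_home_content` are applied to the whole attribute. Other hunks of this commit add `ftpd_t`, `sftpd_t`, `dovecot_t`, `dovecot_deliver_t` and every `userdom_home_manager_type` domain to the attribute, and some of them previously had the generic transition for `{ dir file }` only and now get `{ dir file lnk_file fifo_file sock_file }`. If these interfaces bundle directory permissions with the transition (their bodies are not shown here), the change widens what network-facing daemons may do in home and admin home directories. Consider keeping the `*_admin_home_content` calls on a separate attribute reserved for administrative domains. The disabled `alsa_home_filetrans_alsa_home` block would also benefit from a one-line comment saying why it is commented out.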
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index cb0c0a9..0c2bc63 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1692,7 +1692,7 @@ index 5de1e01..3aa9abb 100644
 +
 +/usr/lib/systemd/system/alsa.*  --              gen_context(system_u:object_r:alsa_unit_file_t,s0)
 diff --git a/alsa.if b/alsa.if
-index 708b743..a482fed 100644
+index 708b743..c2edd9a 100644
 --- a/alsa.if
 +++ b/alsa.if
 @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
@@ -1703,6 +1703,15 @@ index 708b743..a482fed 100644
  ')
  
  ########################################
+@@ -235,7 +236,7 @@ interface(`alsa_home_filetrans_alsa_home',`
+ 		type alsa_home_t;
+ 	')
+ 
+-	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
++	userdom_user_home_dir_filetrans($1, alsa_home_t, dir, $3)
+ ')
+ 
+ ########################################
 @@ -256,3 +257,69 @@ interface(`alsa_read_lib',`
  	files_search_var_lib($1)
  	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
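Review bot: `alsa_home_filetrans_alsa_home` now ignores its second argument, since the class is fixed to `dir` while the name is still read from `$3`. A caller must therefore pass a placeholder class to reach the name, and a caller that passes a non-directory class silently gets a directory transition. The interface's `<param>` documentation is outside the hunk and presumably still describes an object class. Either keep `userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)`, or drop the class parameter, renumber the name to `$2` and update the parameter comments. The one-argument call of this interface in userdomain.te is commented out in this same commit, which suggests the signature is not settled.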
@@ -2031,7 +2040,7 @@ index c960f92..486e9ed 100644
  optional_policy(`
  	nscd_dontaudit_search_pid(amtu_t)
 diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..e9c715d 100644
+index 6f1384c..9f23456 100644
 --- a/anaconda.te
 +++ b/anaconda.te
 @@ -4,6 +4,10 @@ gen_require(`
@@ -2045,14 +2054,17 @@ index 6f1384c..e9c715d 100644
  ########################################
  #
  # Declarations
-@@ -34,6 +38,7 @@ modutils_domtrans_insmod(anaconda_t)
+@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t)
  modutils_domtrans_depmod(anaconda_t)
  
  seutil_domtrans_semanage(anaconda_t)
 +seutil_domtrans_setsebool(anaconda_t)
  
- userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(anaconda_t)
  
+ optional_policy(`
+ 	rpm_domtrans(anaconda_t)
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
 index 0000000..e44bff0
@@ -2432,10 +2444,10 @@ index 0000000..3929b7e
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..bd752cd
+index 0000000..b334e9a
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,244 @@
+@@ -0,0 +1,245 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -2513,6 +2525,7 @@ index 0000000..bd752cd
 +
 +manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
 +
 +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
@@ -7020,11 +7033,11 @@ index 5439f1c..0be374d 100644
  
 diff --git a/authconfig.fc b/authconfig.fc
 new file mode 100644
-index 0000000..86bbf21
+index 0000000..4579cfe
 --- /dev/null
 +++ b/authconfig.fc
 @@ -0,0 +1,3 @@
-+/usr/share/authconfig/authconfig.py		--	gen_context(system_u:object_r:authconfig_exec_t,s0)
++/usr/share/authconfig/authconfig\.py		--	gen_context(system_u:object_r:authconfig_exec_t,s0)
 +
 +/var/lib/authconfig(/.*)?		gen_context(system_u:object_r:authconfig_var_lib_t,s0)
 diff --git a/authconfig.if b/authconfig.if
@@ -10068,10 +10081,10 @@ index 0000000..efebae7
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..45057f8
+index 0000000..2cce501
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,203 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -10154,9 +10167,14 @@ index 0000000..45057f8
 +dev_rwx_zero(chrome_sandbox_t)
 +dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
 +
-+
 +fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
 +
++libs_legacy_use_shared_libs(chrome_sandbox_t)
++
++miscfiles_read_fonts(chrome_sandbox_t)
++
++sysnet_dns_name_resolve(chrome_sandbox_t)
++
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_t)
 +
@@ -10168,10 +10186,6 @@ index 0000000..45057f8
 +# This one we should figure a way to make it more secure
 +userdom_manage_home_certs(chrome_sandbox_t)
 +
-+miscfiles_read_fonts(chrome_sandbox_t)
-+
-+sysnet_dns_name_resolve(chrome_sandbox_t)
-+
 +optional_policy(`
 +	gnome_rw_inherited_config(chrome_sandbox_t)
 +	gnome_read_home_config(chrome_sandbox_t)
@@ -10262,6 +10276,8 @@ index 0000000..45057f8
 +
 +init_read_state(chrome_sandbox_nacl_t)
 +
++libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
++
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
@@ -14348,7 +14364,7 @@ index 1303b30..058864e 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 28e1b86..5f68577 100644
+index 28e1b86..0c0f4f2 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -1,4 +1,4 @@
@@ -15061,6 +15077,7 @@ index 28e1b86..5f68577 100644
  ')
  
  optional_policy(`
+-	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 +	systemd_dbus_chat_logind(system_cronjob_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 +')
@@ -15073,7 +15090,7 @@ index 28e1b86..5f68577 100644
 +optional_policy(`
 +	unconfined_shell_domtrans(crond_t)
 +	unconfined_dbus_send(crond_t)
- 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
++	userdom_filetrans_home_content(crond_t)
  ')
  
  ########################################
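Review bot: The home-directory transition changes domain here: the previous hunk makes the inner patch remove `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)`, and its replacement is `userdom_filetrans_home_content(crond_t)`, not `system_cronjob_t`. Unless `system_cronjob_t` gets the attribute somewhere not shown, files that system cron jobs create directly in a home directory lose their transition. The new call also sits in the `optional_policy` block that opens with `unconfined_shell_domtrans(crond_t)`, so it presumably takes effect only when the unconfined module is present. If both domains are meant to have the transitions, add `userdom_filetrans_home_content(system_cronjob_t)` and place the calls outside that block.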
@@ -15117,7 +15134,7 @@ index 28e1b86..5f68577 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +661,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +661,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -15170,7 +15187,6 @@ index 28e1b86..5f68577 100644
  userdom_manage_user_home_content_symlinks(cronjob_t)
  userdom_manage_user_home_content_pipes(cronjob_t)
  userdom_manage_user_home_content_sockets(cronjob_t)
-+#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
 -tunable_policy(`cron_userdomain_transition',`
 -	dontaudit cronjob_t crond_t:fd use;
@@ -17557,7 +17573,7 @@ index afcf3a2..0730306 100644
 +	dontaudit system_bus_type $1:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..4c346e6 100644
+index 2c2e7e1..4a56f17 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -1,20 +1,18 @@
@@ -17882,7 +17898,7 @@ index 2c2e7e1..4c346e6 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +300,37 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +300,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -17899,7 +17915,6 @@ index 2c2e7e1..4c346e6 100644
 +userdom_dontaudit_search_admin_dir(session_bus_type)
 +userdom_manage_user_home_content_dirs(session_bus_type)
 +userdom_manage_user_home_content_files(session_bus_type)
-+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
 +userdom_manage_tmpfs_files(session_bus_type, file)
 +userdom_tmpfs_filetrans(session_bus_type, file)
  
@@ -17925,7 +17940,7 @@ index 2c2e7e1..4c346e6 100644
  ')
  
  ########################################
-@@ -244,5 +338,6 @@ optional_policy(`
+@@ -244,5 +337,6 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -20571,7 +20586,7 @@ index dbcac59..66d42bb 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..412f08d 100644
+index a7bfaf0..9697f9d 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
@@ -20784,7 +20799,7 @@ index a7bfaf0..412f08d 100644
 +userdom_manage_user_home_content_symlinks(dovecot_t)
 +userdom_manage_user_home_content_pipes(dovecot_t)
 +userdom_manage_user_home_content_sockets(dovecot_t)
-+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(dovecot_t)
  
  optional_policy(`
 -	kerberos_keytab_template(dovecot, dovecot_t)
@@ -20953,7 +20968,7 @@ index a7bfaf0..412f08d 100644
 +userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
 +userdom_manage_user_home_content_pipes(dovecot_deliver_t)
 +userdom_manage_user_home_content_sockets(dovecot_deliver_t)
-+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(dovecot_deliver_t)
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(dovecot_deliver_t)
@@ -21514,7 +21529,7 @@ index a0da189..d8bc9d5 100644
  userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
  userdom_dontaudit_search_user_home_dirs(entropyd_t)
 diff --git a/evolution.te b/evolution.te
-index 94fb625..b94a09d 100644
+index 94fb625..3742ee1 100644
 --- a/evolution.te
 +++ b/evolution.te
 @@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
@@ -21525,6 +21540,15 @@ index 94fb625..b94a09d 100644
  
  fs_search_auto_mountpoints(evolution_t)
  
+@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
+ 
+ userdom_manage_user_home_content_dirs(evolution_t)
+ userdom_manage_user_home_content_files(evolution_t)
+-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
++userdom_filetrans_home_content(evolution_t)
+ 
+ userdom_write_user_tmp_sockets(evolution_t)
+ 
 @@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
  
  dev_read_urand(evolution_alarm_t)
@@ -22615,7 +22639,7 @@ index 280f875..f3a67c9 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/firstboot.te b/firstboot.te
-index c12c067..3b01d01 100644
+index c12c067..a415012 100644
 --- a/firstboot.te
 +++ b/firstboot.te
 @@ -1,7 +1,7 @@
@@ -22703,7 +22727,7 @@ index c12c067..3b01d01 100644
  init_domtrans_script(firstboot_t)
  init_rw_utmp(firstboot_t)
  
-@@ -73,11 +76,11 @@ locallogin_use_fds(firstboot_t)
+@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
  
  logging_send_syslog_msg(firstboot_t)
  
@@ -22718,6 +22742,14 @@ index c12c067..3b01d01 100644
  userdom_manage_user_home_content_dirs(firstboot_t)
  userdom_manage_user_home_content_files(firstboot_t)
  userdom_manage_user_home_content_symlinks(firstboot_t)
+ userdom_manage_user_home_content_pipes(firstboot_t)
+ userdom_manage_user_home_content_sockets(firstboot_t)
+ userdom_home_filetrans_user_home_dir(firstboot_t)
+-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(firstboot_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(firstboot_t)
 @@ -102,20 +105,18 @@ optional_policy(`
  ')
  
@@ -22885,7 +22917,7 @@ index d062080..e098a40 100644
  	ftp_run_ftpdctl($1, $2)
  ')
 diff --git a/ftp.te b/ftp.te
-index e50f33c..ee708c7 100644
+index e50f33c..2f7de33 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -22982,9 +23014,11 @@ index e50f33c..ee708c7 100644
  miscfiles_read_public_files(ftpd_t)
  
  seutil_dontaudit_search_config(ftpd_t)
-@@ -255,31 +262,40 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
  userdom_dontaudit_search_user_home_dirs(ftpd_t)
++userdom_filetrans_home_content(ftpd_t)
  
 -tunable_policy(`allow_ftpd_anon_write',`
 +tunable_policy(`ftpd_anon_write',`
@@ -23030,7 +23064,7 @@ index e50f33c..ee708c7 100644
  ')
  
  tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +315,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',`
  	corenet_sendrecv_mssql_client_packets(ftpd_t)
  	corenet_tcp_connect_mssql_port(ftpd_t)
  	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23043,7 +23077,20 @@ index e50f33c..ee708c7 100644
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -360,7 +376,7 @@ optional_policy(`
+@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',`
+ 
+ 	userdom_manage_user_home_content_dirs(ftpd_t)
+ 	userdom_manage_user_home_content_files(ftpd_t)
+-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+ 	userdom_manage_user_tmp_dirs(ftpd_t)
+ 	userdom_manage_user_tmp_files(ftpd_t)
+-	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ ',`
+-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+ 	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ ')
+ 
+@@ -360,7 +374,7 @@ optional_policy(`
  	selinux_validate_context(ftpd_t)
  
  	kerberos_keytab_template(ftpd, ftpd_t)
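Review bot: `userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })` is removed from the enabled branch of `ftp_home_dir` but kept in the else branch. The tmp transition is therefore present only when the boolean is off, while `userdom_manage_user_tmp_dirs(ftpd_t)` and `userdom_manage_user_tmp_files(ftpd_t)` are granted only when it is on. The sftpd hunk of this same file makes the equivalent call unconditional, which looks like the intent here too. Suggest moving `userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })` next to the unconditional `userdom_filetrans_home_content(ftpd_t)` and dropping the else branch. The `tunable_policy` block begins before the inner hunk, so check the full file when applying this.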
@@ -23052,7 +23099,7 @@ index e50f33c..ee708c7 100644
  ')
  
  optional_policy(`
-@@ -410,21 +426,20 @@ optional_policy(`
+@@ -410,21 +424,20 @@ optional_policy(`
  #
  
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -23076,7 +23123,7 @@ index e50f33c..ee708c7 100644
  
  miscfiles_read_public_files(anon_sftpd_t)
  
-@@ -437,10 +452,23 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',`
  # Sftpd local policy
  #
  
@@ -23098,10 +23145,26 @@ index e50f33c..ee708c7 100644
 +		ssh_manage_home_files(sftpd_t)
 +	')
 +')
++
++userdom_filetrans_home_content(sftpd_t)
++userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
  
  tunable_policy(`sftpd_enable_homedirs',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
-@@ -475,21 +503,11 @@ tunable_policy(`sftpd_anon_write',`
+ 
+ 	userdom_manage_user_home_content_dirs(sftpd_t)
+ 	userdom_manage_user_home_content_files(sftpd_t)
+-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+ 	userdom_manage_user_tmp_dirs(sftpd_t)
+ 	userdom_manage_user_tmp_files(sftpd_t)
+-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+-',`
+-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ ')
+ 
+ tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -23699,10 +23762,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..9cfc035
+index 0000000..643f4bd
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,146 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -23726,7 +23789,7 @@ index 0000000..9cfc035
 +## Allow glusterfsd to share any file/directory read/write.
 +## </p>
 +## </desc>
-+gen_tunable(gluster_export_all_rw, false)
++gen_tunable(gluster_export_all_rw, true)
 +
 +########################################
 +#
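Review bot: Flipping the default of `gluster_export_all_rw` to `true` turns on the broadest gluster boolean out of the box; its own description reads "Allow glusterfsd to share any file/directory read/write". The rules guarded by the boolean are outside this hunk, but a default-on setting means every install gets that access whether or not the administrator asked for it. Prefer keeping `gen_tunable(gluster_export_all_rw, false)` and letting sites that need it enable the boolean explicitly. If the default has to be `true`, the `<desc>` block should state that and explain why.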
@@ -23833,6 +23896,7 @@ index 0000000..9cfc035
 +miscfiles_read_public_files(glusterd_t)
 +
 +userdom_manage_user_home_dirs(glusterd_t)
++userdom_filetrans_home_content(glusterd_t)
 +
 +tunable_policy(`gluster_anon_write',`
 +	miscfiles_manage_public_files(glusterd_t)
@@ -24127,10 +24191,10 @@ index e39de43..52e5a3a 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..f73c152 100644
+index d03fd43..0a785a3 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,123 +1,155 @@
+@@ -1,123 +1,154 @@
 -## <summary>GNU network object model environment.</summary>
 +## <summary>GNU network object model environment (GNOME)</summary>
  
@@ -24315,7 +24379,6 @@ index d03fd43..f73c152 100644
 -		dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 +	       	dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 +		dbus_session_bus_client($1_gkeyringd_t)
-+		gnome_home_dir_filetrans($1_gkeyringd_t)
 +		gnome_manage_generic_home_dirs($1_gkeyringd_t)
 +		gnome_read_generic_data_home_files($1_gkeyringd_t)
 +		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
@@ -24363,7 +24426,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -125,18 +157,18 @@ template(`gnome_role_template',`
+@@ -125,18 +156,18 @@ template(`gnome_role_template',`
  ##	</summary>
  ## </param>
  #
@@ -24387,7 +24450,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
+@@ -144,119 +175,114 @@ interface(`gnome_exec_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -24544,7 +24607,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -264,15 +290,21 @@ interface(`gnome_create_generic_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -24571,7 +24634,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -280,57 +312,89 @@ interface(`gnome_setattr_config_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -24679,7 +24742,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -338,15 +402,18 @@ interface(`gnome_read_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -24703,7 +24766,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
+@@ -354,22 +421,18 @@ interface(`gnome_manage_config',`
  ##	</summary>
  ## </param>
  #
@@ -24730,7 +24793,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -377,53 +440,37 @@ interface(`gnome_manage_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -24792,7 +24855,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
+@@ -431,17 +478,18 @@ interface(`gnome_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -24815,7 +24878,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -449,46 +498,36 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,46 +497,36 @@ interface(`gnome_create_generic_gconf_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -24871,7 +24934,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -496,29 +535,35 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -496,29 +534,35 @@ interface(`gnome_manage_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -24915,7 +24978,7 @@ index d03fd43..f73c152 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -527,62 +572,125 @@ interface(`gnome_search_generic_gconf_home',`
+@@ -527,62 +571,125 @@ interface(`gnome_search_generic_gconf_home',`
  ##	</summary>
  ## </param>
  #
@@ -25060,7 +25123,7 @@ index d03fd43..f73c152 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -591,65 +699,76 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -591,65 +698,76 @@ interface(`gnome_home_filetrans_gnome_home',`
  ##	</summary>
  ## </param>
  #
@@ -25161,7 +25224,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -657,46 +776,36 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -657,46 +775,36 @@ interface(`gnome_dbus_chat_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -25217,7 +25280,7 @@ index d03fd43..f73c152 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +813,773 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +812,773 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -26839,7 +26902,7 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..8424d09 100644
+index 44cf341..b04d02c 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -1,47 +1,47 @@
@@ -27039,8 +27102,9 @@ index 44cf341..8424d09 100644
 +userdom_manage_all_user_tmp_content(gpg_t)
 +#userdom_manage_user_home_content(gpg_t)
  userdom_manage_user_home_content_files(gpg_t)
+-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
 +userdom_manage_user_home_content_dirs(gpg_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
++userdom_filetrans_home_content(gpg_t)
 +userdom_stream_connect(gpg_t)
  
 -tunable_policy(`use_nfs_home_dirs',`
@@ -27192,6 +27256,7 @@ index 44cf341..8424d09 100644
 +userdom_use_inherited_user_terminals(gpg_agent_t)
 +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
  userdom_search_user_home_dirs(gpg_agent_t)
++userdom_filetrans_home_content(gpg_agent_t)
  
  ifdef(`hide_broken_symptoms',`
  	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -27202,7 +27267,6 @@ index 44cf341..8424d09 100644
 +	# write ~/.gpg-agent-info or a similar to the users home dir
 +	# or subdir (gpg-agent --write-env-file option)
 +	#
-+	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
  	userdom_manage_user_home_content_dirs(gpg_agent_t)
  	userdom_manage_user_home_content_files(gpg_agent_t)
 -	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
@@ -27948,7 +28012,7 @@ index ac00fb0..06cb083 100644
 +		userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
  ')
 diff --git a/irc.te b/irc.te
-index ecad9c7..f8d4f1d 100644
+index ecad9c7..56e2b35 100644
 --- a/irc.te
 +++ b/irc.te
 @@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t)
@@ -28016,7 +28080,7 @@ index ecad9c7..f8d4f1d 100644
  
  fs_getattr_all_fs(irc_t)
  fs_search_auto_mountpoints(irc_t)
-@@ -106,7 +123,6 @@ auth_use_nsswitch(irc_t)
+@@ -106,13 +123,15 @@ auth_use_nsswitch(irc_t)
  init_read_utmp(irc_t)
  init_dontaudit_lock_utmp(irc_t)
  
@@ -28024,16 +28088,16 @@ index ecad9c7..f8d4f1d 100644
  
  userdom_use_user_terminals(irc_t)
  
-@@ -114,6 +130,9 @@ userdom_manage_user_home_content_dirs(irc_t)
+ userdom_manage_user_home_content_dirs(irc_t)
  userdom_manage_user_home_content_files(irc_t)
- userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
- 
+-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
++userdom_filetrans_home_content(irc_t)
++
 +# Write to the user domain tty.
 +userdom_use_inherited_user_terminals(irc_t)
-+
+ 
  tunable_policy(`irc_use_any_tcp_ports',`
  	corenet_sendrecv_all_server_packets(irc_t)
- 	corenet_tcp_bind_all_unreserved_ports(irc_t)
 @@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
  	corenet_tcp_sendrecv_all_ports(irc_t)
  ')
@@ -28233,7 +28297,7 @@ index 1a35420..1d27695 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index 57304e4..74153ec 100644
+index 57304e4..e7080f8 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -9,8 +9,8 @@ type iscsid_t;
@@ -28268,7 +28332,7 @@ index 57304e4..74153ec 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,10 +84,12 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,10 +84,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -28277,13 +28341,14 @@ index 57304e4..74153ec 100644
 +corenet_tcp_connect_winshadow_port(iscsid_t)
 +corenet_tcp_sendrecv_winshadow_port(iscsid_t)
 +
++dev_read_urand(iscsid_t)
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
 -dev_write_raw_memory(iscsid_t)
  
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -99,8 +100,6 @@ init_stream_connect_script(iscsid_t)
+@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t)
  
  logging_send_syslog_msg(iscsid_t)
  
@@ -28776,7 +28841,7 @@ index bb12c90..ff69343 100644
 -auth_use_nsswitch(jabberd_router_t)
 +sysnet_read_config(jabberd_domain)
 diff --git a/java.te b/java.te
-index b3fcfbb..98cbfb4 100644
+index b3fcfbb..5459aa3 100644
 --- a/java.te
 +++ b/java.te
 @@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
@@ -28796,7 +28861,12 @@ index b3fcfbb..98cbfb4 100644
  files_read_etc_runtime_files(java_domain)
  
  fs_getattr_all_fs(java_domain)
-@@ -112,7 +111,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s
+@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain)
+ userdom_manage_user_home_content_symlinks(java_domain)
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
++userdom_filetrans_home_content(java_domain_t)
  
  userdom_write_user_tmp_sockets(java_domain)
  
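Review bot: `java_domain_t` on the added `userdom_filetrans_home_content(...)` line looks like a typo for `java_domain`. Every other call in this hunk, including the removed line it replaces, passes the `java_domain` attribute, and no `java_domain_t` type is declared in the visible context. With an undeclared name the module would likely fail to build, or the home-content transitions would not apply to the Java domains. The line should read `userdom_filetrans_home_content(java_domain)`.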
@@ -30586,7 +30656,7 @@ index f9de9fc..138e1e2 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
  ')
 diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..fe2c2da 100644
+index 3465a9a..353c4ce 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -1,4 +1,4 @@
@@ -30700,7 +30770,7 @@ index 3465a9a..fe2c2da 100644
  corenet_all_recvfrom_netlabel(kadmind_t)
  corenet_tcp_sendrecv_generic_if(kadmind_t)
  corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -119,31 +128,39 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
  corenet_udp_sendrecv_all_ports(kadmind_t)
  corenet_tcp_bind_generic_node(kadmind_t)
  corenet_udp_bind_generic_node(kadmind_t)
@@ -30733,6 +30803,8 @@ index 3465a9a..fe2c2da 100644
  
  selinux_validate_context(kadmind_t)
  
++auth_read_passwd(kadmind_t)
++
  logging_send_syslog_msg(kadmind_t)
  
 -miscfiles_read_localization(kadmind_t)
@@ -30745,7 +30817,7 @@ index 3465a9a..fe2c2da 100644
  sysnet_use_ldap(kadmind_t)
  
  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,6 +171,10 @@ optional_policy(`
+@@ -154,6 +173,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30756,7 +30828,7 @@ index 3465a9a..fe2c2da 100644
  	nis_use_ypbind(kadmind_t)
  ')
  
-@@ -174,24 +195,27 @@ optional_policy(`
+@@ -174,24 +197,27 @@ optional_policy(`
  # Krb5kdc local policy
  #
  
@@ -30788,7 +30860,7 @@ index 3465a9a..fe2c2da 100644
  logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
  
  allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,42 +227,39 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
  manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
  files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
  
@@ -30839,7 +30911,10 @@ index 3465a9a..fe2c2da 100644
  files_read_usr_symlinks(krb5kdc_t)
  files_read_var_files(krb5kdc_t)
  
-@@ -247,10 +268,10 @@ selinux_validate_context(krb5kdc_t)
+ selinux_validate_context(krb5kdc_t)
+ 
++auth_read_passwd(krb5kdc_t)
++
  logging_send_syslog_msg(krb5kdc_t)
  
  miscfiles_read_generic_certs(krb5kdc_t)
@@ -30851,7 +30926,7 @@ index 3465a9a..fe2c2da 100644
  sysnet_use_ldap(krb5kdc_t)
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +282,11 @@ optional_policy(`
+@@ -261,11 +286,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30865,7 +30940,7 @@ index 3465a9a..fe2c2da 100644
  ')
  
  optional_policy(`
-@@ -273,6 +294,10 @@ optional_policy(`
+@@ -273,6 +298,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30876,7 +30951,7 @@ index 3465a9a..fe2c2da 100644
  	udev_read_db(krb5kdc_t)
  ')
  
-@@ -281,10 +306,12 @@ optional_policy(`
+@@ -281,10 +310,12 @@ optional_policy(`
  # kpropd local policy
  #
  
@@ -30892,7 +30967,7 @@ index 3465a9a..fe2c2da 100644
  
  allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
  
-@@ -303,26 +330,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
@@ -32582,7 +32657,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..3124cab 100644
+index 7bab8e5..ed36684 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -1,20 +1,18 @@
@@ -32644,7 +32719,7 @@ index 7bab8e5..3124cab 100644
  allow logrotate_t self:shm create_shm_perms;
  allow logrotate_t self:sem create_sem_perms;
  allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,79 +52,93 @@ allow logrotate_t self:msg { send receive };
+@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive };
  allow logrotate_t logrotate_lock_t:file manage_file_perms;
  files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
  
@@ -32666,9 +32741,10 @@ index 7bab8e5..3124cab 100644
  kernel_read_kernel_sysctls(logrotate_t)
  
 +dev_read_urand(logrotate_t)
++dev_read_sysfs(logrotate_t)
 +
 +fs_search_auto_mountpoints(logrotate_t)
-+fs_getattr_xattr_fs(logrotate_t)
++fs_getattr_all_fs(logrotate_t)
 +fs_list_inotifyfs(logrotate_t)
 +
 +mls_file_read_all_levels(logrotate_t)
@@ -32765,7 +32841,7 @@ index 7bab8e5..3124cab 100644
  ')
  
  optional_policy(`
-@@ -140,11 +158,11 @@ optional_policy(`
+@@ -140,11 +159,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32779,7 +32855,7 @@ index 7bab8e5..3124cab 100644
  ')
  
  optional_policy(`
-@@ -178,7 +196,7 @@ optional_policy(`
+@@ -178,7 +197,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32788,7 +32864,7 @@ index 7bab8e5..3124cab 100644
  ')
  
  optional_policy(`
-@@ -198,21 +216,22 @@ optional_policy(`
+@@ -198,21 +217,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32815,7 +32891,7 @@ index 7bab8e5..3124cab 100644
  ')
  
  optional_policy(`
-@@ -228,10 +247,20 @@ optional_policy(`
+@@ -228,10 +248,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32836,7 +32912,7 @@ index 7bab8e5..3124cab 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +270,11 @@ optional_policy(`
+@@ -241,13 +271,11 @@ optional_policy(`
  
  #######################################
  #
@@ -34150,10 +34226,10 @@ index 327f3f7..8d5841f 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index 5a414e0..e2f4ce0 100644
+index 5a414e0..fd54e2b 100644
 --- a/mandb.te
 +++ b/mandb.te
-@@ -10,25 +10,40 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,45 @@ roleattribute system_r mandb_roles;
  
  type mandb_t;
  type mandb_exec_t;
@@ -34196,7 +34272,12 @@ index 5a414e0..e2f4ce0 100644
 +files_search_locks(mandb_t)
  
  miscfiles_manage_man_cache(mandb_t)
++miscfiles_setattr_man_pages(mandb_t)
  
+ optional_policy(`
+ 	cron_system_entry(mandb_t, mandb_exec_t)
+ ')
++
 diff --git a/mcelog.if b/mcelog.if
 index 9dbe694..f89651e 100644
 --- a/mcelog.if
@@ -35691,6 +35772,19 @@ index 4de8949..5c237c3 100644
  fs_getattr_all_fs(mongod_t)
  
 -miscfiles_read_localization(mongod_t)
+diff --git a/mono.te b/mono.te
+index d287fe9..3dc493c 100644
+--- a/mono.te
++++ b/mono.te
+@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
+ # local policy
+ #
+ 
+-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(mono_t)
+ 
+ init_dbus_chat_script(mono_t)
+ 
 diff --git a/monop.te b/monop.te
 index 4462c0e..84944d1 100644
 --- a/monop.te
@@ -36515,7 +36609,7 @@ index 6194b80..97b8462 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..de62123 100644
+index 6a306ee..7131f6f 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -36524,7 +36618,7 @@ index 6a306ee..de62123 100644
  
  ########################################
  #
-@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,27 @@ policy_module(mozilla, 2.7.4)
  #
  
  ## <desc>
@@ -36545,13 +36639,6 @@ index 6a306ee..de62123 100644
 +## </p>
 +## </desc>
 +gen_tunable(mozilla_read_content, false)
-+
-+## <desc>
-+## <p>
-+## Allow mozilla_plugins to create random content in the users home directory
-+## </p>
-+## </desc>
-+gen_tunable(mozilla_plugin_enable_homedirs, false)
  
  attribute_role mozilla_roles;
  attribute_role mozilla_plugin_roles;
@@ -36564,7 +36651,7 @@ index 6a306ee..de62123 100644
  type mozilla_t;
  type mozilla_exec_t;
  typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +34,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
  userdom_user_application_domain(mozilla_t, mozilla_exec_t)
  role mozilla_roles types mozilla_t;
  
@@ -36574,7 +36661,7 @@ index 6a306ee..de62123 100644
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
  typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,29 +44,24 @@ userdom_user_home_content(mozilla_home_t)
  
  type mozilla_plugin_t;
  type mozilla_plugin_exec_t;
@@ -36609,7 +36696,7 @@ index 6a306ee..de62123 100644
  
  type mozilla_tmp_t;
  userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +71,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
  typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
  userdom_user_tmpfs_file(mozilla_tmpfs_t)
  
@@ -36620,7 +36707,7 @@ index 6a306ee..de62123 100644
  ########################################
  #
  # Local policy
-@@ -75,23 +86,26 @@ optional_policy(`
+@@ -75,23 +79,25 @@ optional_policy(`
  allow mozilla_t self:capability { sys_nice setgid setuid };
  allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
  allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -36651,7 +36738,6 @@ index 6a306ee..de62123 100644
 +manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 +manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 +userdom_search_user_home_dirs(mozilla_t)
-+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
  
 -filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
 +# Mozpluggerrc
@@ -36659,7 +36745,7 @@ index 6a306ee..de62123 100644
  
  manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
  manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +109,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
  manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -36767,7 +36853,7 @@ index 6a306ee..de62123 100644
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
-@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +180,73 @@ auth_use_nsswitch(mozilla_t)
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
@@ -36775,15 +36861,15 @@ index 6a306ee..de62123 100644
  miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  
 -userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
 -
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_write_user_tmp_sockets(mozilla_t)
 -
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -36878,7 +36964,7 @@ index 6a306ee..de62123 100644
  ')
  
  optional_policy(`
-@@ -244,19 +268,12 @@ optional_policy(`
+@@ -244,19 +260,12 @@ optional_policy(`
  
  optional_policy(`
  	cups_read_rw_config(mozilla_t)
@@ -36900,7 +36986,7 @@ index 6a306ee..de62123 100644
  
  	optional_policy(`
  		networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +282,32 @@ optional_policy(`
+@@ -265,33 +274,32 @@ optional_policy(`
  
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
@@ -36913,34 +36999,34 @@ index 6a306ee..de62123 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	java_domtrans(mozilla_t)
++	lpd_domtrans_lpr(mozilla_t)
  ')
  
  optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	lpd_domtrans_lpr(mozilla_t)
++	mplayer_domtrans(mozilla_t)
++	mplayer_read_user_home_files(mozilla_t)
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
++	nscd_socket_use(mozilla_t)
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
-+	nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@@ -36948,7 +37034,7 @@ index 6a306ee..de62123 100644
  ')
  
  optional_policy(`
-@@ -300,221 +316,171 @@ optional_policy(`
+@@ -300,221 +308,171 @@ optional_policy(`
  
  ########################################
  #
@@ -37007,7 +37093,6 @@ index 6a306ee..de62123 100644
 +manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-+mozilla_filetrans_home_content(mozilla_plugin_t)
  
  manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -37187,6 +37272,7 @@ index 6a306ee..de62123 100644
 +
  libs_exec_ld_so(mozilla_plugin_t)
  libs_exec_lib_files(mozilla_plugin_t)
++libs_legacy_use_shared_libs(mozilla_plugin_t)
  
  logging_send_syslog_msg(mozilla_plugin_t)
  
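Review bot: `libs_legacy_use_shared_libs(mozilla_plugin_t)` is added unconditionally and without a comment saying which plugin needs it. As I understand the refpolicy interface, it extends ordinary shared-library use with `execmod` on library files, which loosens memory protection for a domain that handles untrusted web content. Elsewhere in mozilla.te the home-file variant, `userdom_execmod_user_home_files(mozilla_plugin_t)`, is gated behind the `selinuxuser_execmod` tunable. Consider moving this call under the same tunable, or at least add a comment such as `# required by plugins that ship text-relocation libraries (<bug reference>)`.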
@@ -37263,7 +37349,7 @@ index 6a306ee..de62123 100644
  ')
  
  optional_policy(`
-@@ -523,36 +489,43 @@ optional_policy(`
+@@ -523,36 +481,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37301,18 +37387,18 @@ index 6a306ee..de62123 100644
  optional_policy(`
 -	lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
 +	lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-+')
-+
-+optional_policy(`
-+    mplayer_exec(mozilla_plugin_t)
-+    mplayer_manage_generic_home_content(mozilla_plugin_t)
-+    mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_plugin_t)
 -	mplayer_manage_generic_home_content(mozilla_plugin_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++    mplayer_exec(mozilla_plugin_t)
++    mplayer_manage_generic_home_content(mozilla_plugin_t)
++    mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++')
++
++optional_policy(`
 +	pulseaudio_exec(mozilla_plugin_t)
 +	pulseaudio_stream_connect(mozilla_plugin_t)
 +	pulseaudio_setattr_home_dir(mozilla_plugin_t)
@@ -37321,7 +37407,7 @@ index 6a306ee..de62123 100644
  ')
  
  optional_policy(`
-@@ -560,7 +533,7 @@ optional_policy(`
+@@ -560,7 +525,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37330,7 +37416,7 @@ index 6a306ee..de62123 100644
  ')
  
  optional_policy(`
-@@ -568,108 +541,108 @@ optional_policy(`
+@@ -568,108 +533,108 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37358,12 +37444,12 @@ index 6a306ee..de62123 100644
 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
 -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
 -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
- 
+-
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+ 
 -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
 -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
 -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
@@ -37485,16 +37571,17 @@ index 6a306ee..de62123 100644
  
 -optional_policy(`
 -	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
-+tunable_policy(`mozilla_plugin_enable_homedirs',`
-+	userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
-+', `
-+
-+	userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
-+  	userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
- ')
+-')
++#tunable_policy(`mozilla_plugin_enable_homedirs',`
++#	userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
++#', `
  
 -optional_policy(`
 -	xserver_use_user_fonts(mozilla_plugin_config_t)
++	#userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
++  	#userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
++#')
++
 +tunable_policy(`selinuxuser_execmod',`
 +	userdom_execmod_user_home_files(mozilla_plugin_t)
  ')
@@ -37574,7 +37661,7 @@ index 7c8afcc..200cec1 100644
  ')
  
 diff --git a/mplayer.te b/mplayer.te
-index 9aca704..5db9491 100644
+index 9aca704..f92829c 100644
 --- a/mplayer.te
 +++ b/mplayer.te
 @@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4)
@@ -37594,6 +37681,15 @@ index 9aca704..5db9491 100644
  
  fs_search_auto_mountpoints(mencoder_t)
  
+@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t)
+ 
+ userdom_manage_user_home_content_dirs(mencoder_t)
+ userdom_manage_user_home_content_files(mencoder_t)
+-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
++userdom_filetrans_home_content(mencoder_t)
+ 
+ ifndef(`enable_mls',`
+ 	fs_list_dos(mencoder_t)
 @@ -95,15 +94,15 @@ ifndef(`enable_mls',`
  	fs_read_iso9660_files(mencoder_t)
  ')
@@ -37622,6 +37718,15 @@ index 9aca704..5db9491 100644
  
  fs_getattr_all_fs(mplayer_t)
  fs_search_auto_mountpoints(mplayer_t)
+@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+ 
+ userdom_manage_user_home_content_dirs(mplayer_t)
+ userdom_manage_user_home_content_files(mplayer_t)
+-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
++userdom_filetrans_home_content(mplayer_t)
+ 
+ userdom_write_user_tmp_sockets(mplayer_t)
+ 
 @@ -211,15 +209,15 @@ ifndef(`enable_mls',`
  	fs_read_iso9660_files(mplayer_t)
  ')
@@ -37747,7 +37852,7 @@ index f42896c..8654c3c 100644
 -/var/spool/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac..7d1522c 100644
+index ed81cac..566684a 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -38033,7 +38138,7 @@ index ed81cac..7d1522c 100644
  	typeattribute $1 mailserver_domain;
  ')
  
-@@ -374,6 +264,12 @@ interface(`mta_mailserver_delivery',`
+@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',`
  	')
  
  	typeattribute $1 mailserver_delivery;
@@ -38043,10 +38148,13 @@ index ed81cac..7d1522c 100644
 +	optional_policy(`
 +		mta_rw_delivery_tcp_sockets($1)
 +	')
++
++	userdom_filetrans_home_content($1)
++
  ')
  
  #######################################
-@@ -394,6 +290,12 @@ interface(`mta_mailserver_user_agent',`
+@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',`
  	')
  
  	typeattribute $1 mta_user_agent;
@@ -38059,7 +38167,7 @@ index ed81cac..7d1522c 100644
  ')
  
  ########################################
-@@ -408,14 +310,19 @@ interface(`mta_mailserver_user_agent',`
+@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',`
  #
  interface(`mta_send_mail',`
  	gen_require(`
@@ -38081,7 +38189,7 @@ index ed81cac..7d1522c 100644
  ')
  
  ########################################
-@@ -445,18 +352,24 @@ interface(`mta_send_mail',`
+@@ -445,18 +355,24 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -38111,7 +38219,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -464,7 +377,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -38119,7 +38227,7 @@ index ed81cac..7d1522c 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -475,7 +387,43 @@ interface(`mta_signal_system_mail',`
+@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -38164,7 +38272,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -506,13 +454,32 @@ interface(`mta_sendmail_exec',`
+@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',`
  		type sendmail_exec_t;
  	')
  
@@ -38199,7 +38307,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -528,13 +495,13 @@ interface(`mta_read_config',`
+@@ -528,13 +498,13 @@ interface(`mta_read_config',`
  
  	files_search_etc($1)
  	allow $1 etc_mail_t:dir list_dir_perms;
@@ -38216,7 +38324,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -548,33 +515,31 @@ interface(`mta_write_config',`
+@@ -548,33 +518,31 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -38256,7 +38364,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -582,84 +547,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +550,66 @@ interface(`mta_read_aliases',`
  ##	</summary>
  ## </param>
  #
@@ -38357,7 +38465,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -674,14 +621,13 @@ interface(`mta_rw_aliases',`
+@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -38375,7 +38483,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -697,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
  	dontaudit $1 mailserver_delivery:tcp_socket { read write };
  ')
  
@@ -38401,7 +38509,7 @@ index ed81cac..7d1522c 100644
  #######################################
  ## <summary>
  ##	Connect to all mail servers over TCP.  (Deprecated)
-@@ -713,8 +678,8 @@ interface(`mta_tcp_connect_all_mailservers',`
+@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',`
  
  #######################################
  ## <summary>
@@ -38412,7 +38520,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -732,7 +697,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
  
  ########################################
  ## <summary>
@@ -38421,7 +38529,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -753,8 +718,8 @@ interface(`mta_getattr_spool',`
+@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',`
  
  ########################################
  ## <summary>
@@ -38432,7 +38540,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -775,9 +740,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  #######################################
  ## <summary>
@@ -38444,7 +38552,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -811,7 +775,7 @@ interface(`mta_spool_filetrans',`
+@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',`
  
  #######################################
  ## <summary>
@@ -38453,7 +38561,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##  <summary>
-@@ -819,10 +783,10 @@ interface(`mta_spool_filetrans',`
+@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',`
  ##  </summary>
  ## </param>
  #
@@ -38468,7 +38576,7 @@ index ed81cac..7d1522c 100644
  
  	files_search_spool($1)
  	read_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -830,7 +794,7 @@ interface(`mta_read_spool_files',`
+@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',`
  
  ########################################
  ## <summary>
@@ -38477,7 +38585,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -845,13 +809,14 @@ interface(`mta_rw_spool',`
+@@ -845,13 +812,14 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -38495,7 +38603,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -866,13 +831,14 @@ interface(`mta_append_spool',`
+@@ -866,13 +834,14 @@ interface(`mta_append_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -38513,7 +38621,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -891,8 +857,7 @@ interface(`mta_delete_spool',`
+@@ -891,8 +860,7 @@ interface(`mta_delete_spool',`
  
  ########################################
  ## <summary>
@@ -38523,7 +38631,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -911,45 +876,9 @@ interface(`mta_manage_spool',`
+@@ -911,45 +879,9 @@ interface(`mta_manage_spool',`
  	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
@@ -38570,7 +38678,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -968,7 +897,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +900,7 @@ interface(`mta_search_queue',`
  
  #######################################
  ## <summary>
@@ -38579,7 +38687,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -981,13 +910,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +913,13 @@ interface(`mta_list_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -38595,7 +38703,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1000,14 +929,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +932,14 @@ interface(`mta_read_queue',`
  		type mqueue_spool_t;
  	')
  
@@ -38612,7 +38720,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1027,7 +956,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete
@@ -38621,7 +38729,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1047,6 +976,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -38663,7 +38771,7 @@ index ed81cac..7d1522c 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -1055,6 +1019,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',`
  ##	</summary>
  ## </param>
  #
@@ -38671,7 +38779,7 @@ index ed81cac..7d1522c 100644
  interface(`mta_read_sendmail_bin',`
  	gen_require(`
  		type sendmail_exec_t;
-@@ -1065,8 +1030,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',`
  
  #######################################
  ## <summary>
@@ -38682,7 +38790,7 @@ index ed81cac..7d1522c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1046,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -38859,7 +38967,7 @@ index ed81cac..7d1522c 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..af79d2b 100644
+index afd2fad..a270fd4 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -39275,7 +39383,7 @@ index afd2fad..af79d2b 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -387,24 +276,166 @@ optional_policy(`
+@@ -387,24 +276,165 @@ optional_policy(`
  
  ########################################
  #
@@ -39295,7 +39403,7 @@ index afd2fad..af79d2b 100644
 +userdom_use_inherited_user_terminals(mta_user_agent)
 +# Create dead.letter in user home directories.
 +userdom_manage_user_home_content_files(user_mail_t)
-+userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
++userdom_filetrans_home_content(user_mail_t)
 +# for reading .forward - maybe we need a new type for it?
 +# also for delivering mail to maildir
 +userdom_manage_user_home_content_dirs(mailserver_delivery)
@@ -39303,7 +39411,6 @@ index afd2fad..af79d2b 100644
 +userdom_manage_user_home_content_symlinks(mailserver_delivery)
 +userdom_manage_user_home_content_pipes(mailserver_delivery)
 +userdom_manage_user_home_content_sockets(mailserver_delivery)
-+userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
 +allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
 +
 +# Read user temporary files.
@@ -41646,7 +41753,7 @@ index 0000000..8d7c751
 +')
 diff --git a/namespace.te b/namespace.te
 new file mode 100644
-index 0000000..f6ffaa3
+index 0000000..bac253c
 --- /dev/null
 +++ b/namespace.te
 @@ -0,0 +1,40 @@
@@ -41689,7 +41796,7 @@ index 0000000..f6ffaa3
 +userdom_manage_user_home_content_files(namespace_init_t)
 +userdom_relabelto_user_home_dirs(namespace_init_t)
 +userdom_relabelto_user_home_files(namespace_init_t)
-+userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(namespace_init_t)
 diff --git a/ncftool.if b/ncftool.if
 index db9578f..4309e3d 100644
 --- a/ncftool.if
@@ -52100,7 +52207,7 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index 49694e8..e426304 100644
+index 49694e8..3ad3019 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -1,4 +1,4 @@
@@ -52278,7 +52385,13 @@ index 49694e8..e426304 100644
  kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
  
  dev_read_video_dev(policykit_auth_t)
-@@ -162,48 +169,58 @@ auth_rw_var_auth(policykit_auth_t)
+@@ -157,53 +164,64 @@ files_search_home(policykit_auth_t)
+ 
+ fs_getattr_all_fs(policykit_auth_t)
+ fs_search_tmpfs(policykit_auth_t)
++fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
+ 
+ auth_rw_var_auth(policykit_auth_t)
  auth_use_nsswitch(policykit_auth_t)
  auth_domtrans_chk_passwd(policykit_auth_t)
  
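Review bot: The new `fs_dontaudit_append_ecryptfs_files(policykit_auth_t)` rule has no comment saying why policykit_auth_t ends up appending to ecryptfs files, and a dontaudit rule removes the denial from the audit log rather than resolving it. Since that also removes the record a responder would look for, a one-line rationale above it is worth adding, for example `# <reason or bug reference>: append on ecryptfs-backed files is denied silently`. The block of policykit_auth_t rules continues outside the hunk.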
@@ -52347,7 +52460,7 @@ index 49694e8..e426304 100644
  
  rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
  
-@@ -211,23 +228,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +229,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
  
  manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
  
@@ -52374,7 +52487,7 @@ index 49694e8..e426304 100644
  	optional_policy(`
  		consolekit_dbus_chat(policykit_grant_t)
  	')
-@@ -235,26 +249,28 @@ optional_policy(`
+@@ -235,26 +250,28 @@ optional_policy(`
  
  ########################################
  #
@@ -52409,7 +52522,7 @@ index 49694e8..e426304 100644
  userdom_read_all_users_state(policykit_resolve_t)
  
  optional_policy(`
-@@ -266,6 +282,7 @@ optional_policy(`
+@@ -266,6 +283,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54016,7 +54129,7 @@ index 2e23946..41da729 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..2178086 100644
+index 191a66f..b11469c 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -54862,7 +54975,7 @@ index 191a66f..2178086 100644
 +userdom_manage_user_home_content(postfix_virtual_t)
  userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 -userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
-+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
++userdom_filetrans_home_content(postfix_virtual_t)
 +
 +########################################
 +#
@@ -56797,7 +56910,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index d447152..c166238 100644
+index d447152..6f83f03 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -1,4 +1,4 @@
@@ -56905,7 +57018,7 @@ index d447152..c166238 100644
 +userdom_manage_user_home_content_symlinks(procmail_t)
 +userdom_manage_user_home_content_pipes(procmail_t)
 +userdom_manage_user_home_content_sockets(procmail_t)
-+userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(procmail_t)
 +
 +# Execute user executables
 +userdom_exec_user_bin_files(procmail_t)
@@ -65986,7 +66099,7 @@ index 3bd6446..a61764b 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..66ec108 100644
+index e5212e6..37860b7 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
@@ -66251,7 +66364,7 @@ index e5212e6..66ec108 100644
  miscfiles_read_public_files(nfsd_t)
  
 -tunable_policy(`allow_nfsd_anon_write',`
-+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
++userdom_filetrans_home_content(nfsd_t)
 +userdom_list_user_tmp(nfsd_t)
 +
 +# Write access to public_content_t and public_content_rw_t
@@ -66515,10 +66628,10 @@ index c49828c..a323332 100644
  sysnet_dns_name_resolve(rpcbind_t)
  
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..db87bca 100644
+index ebe91fc..cba31f2 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,67 @@
+@@ -1,61 +1,68 @@
 -/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -66540,6 +66653,7 @@ index ebe91fc..db87bca 100644
 +
 +/bin/yum-builddep		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/yum-builddep	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -67773,17 +67887,19 @@ index d1fd97f..7ee8502 100644
 -
 -miscfiles_read_localization(rssh_chroot_helper_t)
 diff --git a/rsync.fc b/rsync.fc
-index d25301b..2d77839 100644
+index d25301b..d92f567 100644
 --- a/rsync.fc
 +++ b/rsync.fc
-@@ -1,6 +1,6 @@
+@@ -1,7 +1,7 @@
  /etc/rsyncd\.conf	--	gen_context(system_u:object_r:rsync_etc_t, s0)
  
 -/usr/bin/rsync	--	gen_context(system_u:object_r:rsync_exec_t,s0)
 +/usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
  
- /var/log/rsync\.log.*	--	gen_context(system_u:object_r:rsync_log_t,s0)
+-/var/log/rsync\.log.*	--	gen_context(system_u:object_r:rsync_log_t,s0)
++/var/log/rsync.*		gen_context(system_u:object_r:rsync_log_t,s0)
  
+ /var/run/rsyncd\.lock	--	gen_context(system_u:object_r:rsync_var_run_t,s0)
 diff --git a/rsync.if b/rsync.if
 index f1140ef..c5bd83a 100644
 --- a/rsync.if
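Review bot: The replacement pattern `/var/log/rsync.*` drops both the `\.log` anchor and the `--` file-type field, so it labels as rsync_log_t any object under /var/log whose name merely starts with `rsync`, including directories and other services' files with that prefix. If the aim is to cover a log directory as well as the log file, two anchored entries are tighter: keep `/var/log/rsync\.log.*	--	gen_context(system_u:object_r:rsync_log_t,s0)` and add `/var/log/rsync(/.*)?		gen_context(system_u:object_r:rsync_log_t,s0)`. The intended target is not stated in the hunk, so this needs confirming against the paths rsync is configured to log to.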
@@ -69321,7 +69437,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..055c3c5 100644
+index 57c034b..b2eac61 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -69854,7 +69970,7 @@ index 57c034b..055c3c5 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -493,9 +476,34 @@ optional_policy(`
+@@ -493,9 +476,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -69880,8 +69996,7 @@ index 57c034b..055c3c5 100644
 +	fs_manage_noxattr_fs_files(nmbd_t) 
 +	files_manage_non_security_files(nmbd_t)
 +')
-+
-+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++userdom_filetrans_home_content(nmbd_t)
 +
  ########################################
  #
@@ -69890,7 +70005,7 @@ index 57c034b..055c3c5 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +514,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +513,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -69905,7 +70020,7 @@ index 57c034b..055c3c5 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +530,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +529,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -69914,8 +70029,9 @@ index 57c034b..055c3c5 100644
 -setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 +manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
  
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
++manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 -files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -70013,11 +70129,11 @@ index 57c034b..055c3c5 100644
 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
 +allow smbcontrol_t nmbd_t:process { signal signull };
 +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-+
+ 
 +allow smbcontrol_t smbd_t:process { signal signull };
 +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
 +allow smbcontrol_t winbind_t:process { signal signull };
- 
++
 +files_search_var_lib(smbcontrol_t)
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
@@ -70374,7 +70490,7 @@ index 57c034b..055c3c5 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,11 +912,17 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +912,24 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -70393,6 +70509,14 @@ index 57c034b..055c3c5 100644
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
  userdom_manage_user_home_content_files(winbind_t)
+ userdom_manage_user_home_content_symlinks(winbind_t)
+ userdom_manage_user_home_content_pipes(winbind_t)
+ userdom_manage_user_home_content_sockets(winbind_t)
+-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(winbind_t)
+ 
+ optional_policy(`
+ 	ctdbd_stream_connect(winbind_t)
 @@ -936,6 +937,10 @@ optional_policy(`
  ')
  
@@ -75307,7 +75431,7 @@ index e9bd097..80c9e56 100644
 +/usr/bin/pyzor		--	gen_context(system_u:object_r:spamc_exec_t,s0)
 +/usr/bin/pyzord		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 diff --git a/spamassassin.if b/spamassassin.if
-index 1499b0b..82fc7f6 100644
+index 1499b0b..3052bd2 100644
 --- a/spamassassin.if
 +++ b/spamassassin.if
 @@ -2,39 +2,45 @@
@@ -75659,7 +75783,7 @@ index 1499b0b..82fc7f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -348,19 +323,19 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -348,19 +323,60 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -75675,6 +75799,47 @@ index 1499b0b..82fc7f6 100644
 +	read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
  ')
  
++######################################
++## <summary>
++##  Transition to spamassassin named content
++## </summary>
++## <param name="domain">
++##  <summary>
++##      Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`spamassassin_filetrans_home_content',`
++    gen_require(`
++        type spamc_home_t;
++    ')
++
++    userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
++    userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
++    userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++')
++
++######################################
++## <summary>
++##  Transition to spamassassin named content
++## </summary>
++## <param name="domain">
++##  <summary>
++##      Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`spamassassin_filetrans_admin_home_content',`
++    gen_require(`
++        type spamc_home_t;
++    ')
++
++    userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
++    userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
++    userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++')
++
++
  ########################################
  ## <summary>
 -##	All of the rules required to
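Review bot: In both new interfaces the `.spamassassin` entry is declared with class `file`, but the rule removed from spamassassin.te, `userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")`, treated it as a directory, and a named transition for class `file` will not fire when a directory is created. The lines should read `userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")` and `userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")`. This matters more because the later hunks delete the generic transitions for spamassassin_t, spamd_t and spamc_t, leaving these named rules as the only labelling path visible here. The two doc blocks are also identical, so the second summary should say it applies to the admin home directory. The target type is spamc_home_t where the old rules used spamassassin_home_t, which is equivalent only if one is an alias of the other (not shown).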
@@ -75684,7 +75849,7 @@ index 1499b0b..82fc7f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -369,20 +344,23 @@ interface(`spamassassin_stream_connect_spamd',`
+@@ -369,20 +385,22 @@ interface(`spamassassin_stream_connect_spamd',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -75692,7 +75857,7 @@ index 1499b0b..82fc7f6 100644
 +##	The role to be allowed to manage the spamassassin domain.
  ##	</summary>
  ## </param>
- ## <rolecap/>
+-## <rolecap/>
  #
 -interface(`spamassassin_admin',`
 +interface(`spamassassin_spamd_admin',`
@@ -75711,7 +75876,7 @@ index 1499b0b..82fc7f6 100644
  
  	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -403,6 +381,4 @@ interface(`spamassassin_admin',`
+@@ -403,6 +421,4 @@ interface(`spamassassin_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, spamd_var_run_t)
@@ -75719,7 +75884,7 @@ index 1499b0b..82fc7f6 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..3a3ac18 100644
+index 4faa7e0..1485a62 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -1,4 +1,4 @@
@@ -75798,7 +75963,7 @@ index 4faa7e0..3a3ac18 100644
  type spamd_initrc_exec_t;
  init_script_file(spamd_initrc_exec_t)
  
-@@ -72,87 +39,198 @@ type spamd_log_t;
+@@ -72,87 +39,196 @@ type spamd_log_t;
  logging_log_file(spamd_log_t)
  
  type spamd_spool_t;
@@ -75925,7 +76090,6 @@ index 4faa7e0..3a3ac18 100644
  manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
  manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
 -userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
-+userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
  
  manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
  manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
@@ -75936,7 +76100,6 @@ index 4faa7e0..3a3ac18 100644
 +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
 +userdom_home_manager(spamassassin_t)
 +
  kernel_read_kernel_sysctls(spamassassin_t)
@@ -76019,7 +76182,7 @@ index 4faa7e0..3a3ac18 100644
  		nis_use_ypbind_uncond(spamassassin_t)
  	')
  ')
-@@ -160,6 +238,8 @@ optional_policy(`
+@@ -160,6 +236,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -76028,7 +76191,7 @@ index 4faa7e0..3a3ac18 100644
  ')
  
  ########################################
-@@ -167,72 +247,87 @@ optional_policy(`
+@@ -167,72 +245,85 @@ optional_policy(`
  # Client local policy
  #
  
@@ -76067,11 +76230,9 @@ index 4faa7e0..3a3ac18 100644
 +manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
 +userdom_append_user_home_content_files(spamc_t)
 +# for /root/.pyzor
 +allow spamc_t self:capability dac_override;
-+userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
  
  list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
  read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -76147,7 +76308,7 @@ index 4faa7e0..3a3ac18 100644
  
  optional_policy(`
  	abrt_stream_connect(spamc_t)
-@@ -243,6 +338,7 @@ optional_policy(`
+@@ -243,6 +334,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76155,7 +76316,7 @@ index 4faa7e0..3a3ac18 100644
  	evolution_stream_connect(spamc_t)
  ')
  
-@@ -251,52 +347,55 @@ optional_policy(`
+@@ -251,52 +343,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76236,7 +76397,7 @@ index 4faa7e0..3a3ac18 100644
  logging_log_filetrans(spamd_t, spamd_log_t, file)
  
  manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,6 +407,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,6 +403,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
@@ -76244,7 +76405,7 @@ index 4faa7e0..3a3ac18 100644
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
  manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +417,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
  
@@ -76260,7 +76421,7 @@ index 4faa7e0..3a3ac18 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +432,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -76363,7 +76524,7 @@ index 4faa7e0..3a3ac18 100644
  ')
  
  optional_policy(`
-@@ -421,21 +502,13 @@ optional_policy(`
+@@ -421,21 +498,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76387,7 +76548,7 @@ index 4faa7e0..3a3ac18 100644
  ')
  
  optional_policy(`
-@@ -443,8 +516,8 @@ optional_policy(`
+@@ -443,8 +512,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76397,7 +76558,7 @@ index 4faa7e0..3a3ac18 100644
  ')
  
  optional_policy(`
-@@ -455,7 +528,12 @@ optional_policy(`
+@@ -455,7 +524,12 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -76411,7 +76572,7 @@ index 4faa7e0..3a3ac18 100644
  ')
  
  optional_policy(`
-@@ -463,9 +541,9 @@ optional_policy(`
+@@ -463,9 +537,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76422,7 +76583,7 @@ index 4faa7e0..3a3ac18 100644
  ')
  
  optional_policy(`
-@@ -474,32 +552,32 @@ optional_policy(`
+@@ -474,32 +548,32 @@ optional_policy(`
  
  ########################################
  #
@@ -76465,7 +76626,7 @@ index 4faa7e0..3a3ac18 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -78635,7 +78796,7 @@ index 42946bc..95a9aa3 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..6e84ad8 100644
+index e9c0964..20a31da 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
@@ -78678,7 +78839,7 @@ index e9c0964..6e84ad8 100644
  
  telepathy_domain_template(gabble)
  
-@@ -67,176 +66,145 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,176 +66,144 @@ userdom_user_home_content(telepathy_sunshine_home_t)
  
  #######################################
  #
@@ -78868,7 +79029,6 @@ index e9c0964..6e84ad8 100644
  manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
 -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
-+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
 +userdom_search_user_home_dirs(telepathy_mission_control_t)
  
 -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
@@ -78904,7 +79064,7 @@ index e9c0964..6e84ad8 100644
  
  optional_policy(`
  	dbus_system_bus_client(telepathy_mission_control_t)
-@@ -245,59 +213,51 @@ optional_policy(`
+@@ -245,59 +212,51 @@ optional_policy(`
  		devicekit_dbus_chat_power(telepathy_mission_control_t)
  	')
  	optional_policy(`
@@ -78979,7 +79139,7 @@ index e9c0964..6e84ad8 100644
  
  init_read_state(telepathy_msn_t)
  
-@@ -307,18 +267,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -307,18 +266,19 @@ logging_send_syslog_msg(telepathy_msn_t)
  
  miscfiles_read_all_certs(telepathy_msn_t)
  
@@ -79004,7 +79164,7 @@ index e9c0964..6e84ad8 100644
  ')
  
  optional_policy(`
-@@ -329,43 +290,33 @@ optional_policy(`
+@@ -329,43 +289,33 @@ optional_policy(`
  	')
  ')
  
@@ -79053,7 +79213,7 @@ index e9c0964..6e84ad8 100644
  ')
  
  optional_policy(`
-@@ -378,73 +329,53 @@ optional_policy(`
+@@ -378,73 +328,53 @@ optional_policy(`
  
  #######################################
  #
@@ -79137,7 +79297,7 @@ index e9c0964..6e84ad8 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +383,39 @@ optional_policy(`
+@@ -452,31 +382,39 @@ optional_policy(`
  
  #######################################
  #
@@ -80208,7 +80368,7 @@ index 0000000..aaf768a
 +	corenet_dontaudit_udp_bind_generic_node(thumb_t)
 +')
 diff --git a/thunderbird.te b/thunderbird.te
-index 4257ede..5b3949a 100644
+index 4257ede..fc265b8 100644
 --- a/thunderbird.te
 +++ b/thunderbird.te
 @@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
@@ -80235,7 +80395,14 @@ index 4257ede..5b3949a 100644
  
  userdom_write_user_tmp_sockets(thunderbird_t)
  
-@@ -113,17 +110,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+@@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t)
+ 
+ userdom_manage_user_home_content_dirs(thunderbird_t)
+ userdom_manage_user_home_content_files(thunderbird_t)
+-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
++userdom_filetrans_home_content(thunderbird_t)
+ 
+ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
  xserver_read_xdm_tmp_files(thunderbird_t)
  xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
  
@@ -81185,11 +81352,47 @@ index 7116181..9815e42 100644
  optional_policy(`
  	sysnet_domtrans_ifconfig(tuned_t)
  ')
+diff --git a/tvtime.if b/tvtime.if
+index 1bb0f7c..372be2f 100644
+--- a/tvtime.if
++++ b/tvtime.if
+@@ -1,5 +1,23 @@
+ ## <summary>High quality television application.</summary>
+ 
++#######################################
++## <summary>
++##  Transition to alsa named content
++## </summary>
++## <param name="domain">
++##  <summary>
++##      Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`tvtime_filetrans_home_content',`
++    gen_require(`
++        type tvtime_home_t;
++    ')
++
++    userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime")
++')
++
+ ########################################
+ ## <summary>
+ ##	Role access for tvtime
 diff --git a/tvtime.te b/tvtime.te
-index 3292fcc..3cc43ed 100644
+index 3292fcc..20099b0 100644
 --- a/tvtime.te
 +++ b/tvtime.te
-@@ -61,7 +61,6 @@ dev_read_realtime_clock(tvtime_t)
+@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+ manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+ manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+ manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+-userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+ 
+ manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+ manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+@@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t)
  dev_read_sound(tvtime_t)
  dev_read_urand(tvtime_t)
  
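Review bot: The summary of the new `tvtime_filetrans_home_content` interface in tvtime.if reads "Transition to alsa named content", which appears to be left over from an alsa interface; something like `##	Create the .tvtime directory in a user home directory with the tvtime_home_t type.` would match what the body does. The interface body is also indented with spaces, while the surrounding tvtime.if lines use tabs. In the tvtime.te part of the same hunk the unnamed `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)` is removed, and the visible lines do not show tvtime_t itself being passed to the new interface. If it is not, a `.tvtime` directory created by tvtime_t on first run would presumably get the default home content label instead of tvtime_home_t, so that is worth confirming against the rest of the policy.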
@@ -81197,7 +81400,7 @@ index 3292fcc..3cc43ed 100644
  
  fs_getattr_all_fs(tvtime_t)
  fs_search_auto_mountpoints(tvtime_t)
-@@ -69,21 +68,12 @@ fs_search_auto_mountpoints(tvtime_t)
+@@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t)
  auth_use_nsswitch(tvtime_t)
  
  miscfiles_read_fonts(tvtime_t)
@@ -86884,7 +87087,7 @@ index b51923c..bdbac3a 100644
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
 diff --git a/wireshark.te b/wireshark.te
-index cf5cab6..d379bd6 100644
+index cf5cab6..a2d910f 100644
 --- a/wireshark.te
 +++ b/wireshark.te
 @@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
@@ -86929,7 +87132,7 @@ index cf5cab6..d379bd6 100644
 -	fs_manage_cifs_files(wireshark_t)
 -	fs_manage_cifs_symlinks(wireshark_t)
 -')
-+userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
++userdom_filetrans_home_content(wireshark_t)
  
 -optional_policy(`
 -	seutil_use_newrole_fds(wireshark_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1e30a09..835adda 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,52 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Feb 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-16
+- Fix authconfig.py labeling
+- Make any domains that write homedir content do it correctly
+- Allow glusterd to read/write anyhwere on the file system by default
+- Be a little more liberal with the rsync log files
+- Fix iscsi_admin interface
+- Allow iscsid_t to read /dev/urand
+- Fix up iscsi domain for use with unit files
+- Add filename transition support for spamassassin policy
+- Allow web plugins to use badly formated libraries
+- Allow nmbd_t to create samba_var_t directories
+- Add filename transition support for spamassassin policy
+- Add filename transition support for tvtime
+- Fix alsa_home_filetrans_alsa_home() interface
+- Move all userdom_filetrans_home_content() calling out of booleans
+- Allow logrotote to getattr on all file sytems
+- Remove duplicate userdom_filetrans_home_content() calling
+- Allow kadmind to read /etc/passwd
+- Dontaudit append .xsession-errors file on ecryptfs for  policykit-auth
+- Allow antivirus domain to manage antivirus db links
+- Allow logrotate to read /sys
+- Allow mandb to setattr on man dirs
+- Remove mozilla_plugin_enable_homedirs boolean
+- Fix ftp_home_dir boolean
+- homedir mozilla filetrans has been moved to userdom_home_manager
+- homedir telepathy filetrans has been moved to userdom_home_manager
+- Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd()
+- Might want to eventually write a daemon on fusefsd.
+- Add policy fixes for sshd [net] child from plautrba@redhat.com
+- Tor uses a new port
+- Remove bin_t for authconfig.py
+- Fix so only one call to userdom_home_file_trans
+- Allow home_manager_types to create content with the correctl label
+- Fix all domains that write data into the homedir to do it with the correct label
+- Change the postgresql to use proper boolean names, which is causing httpd_t to
+- not get access to postgresql_var_run_t
+- Hostname needs to send syslog messages
+- Localectl needs to be able to send dbus signals to users
+- Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default
+- Allow user_home_manger domains to create spam* homedir content with correct labeling
+- Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling
+- Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working
+- Declare userdom_filetrans_type attribute
+- userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute
+- fusefsd is mounding a fuse file system on /run/user/UID/gvfs
+
 * Thu Feb 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-15
 - Man pages are now generated in the build process
 - Allow cgred to list inotifyfs filesystem