diff --git a/policy-20090105.patch b/policy-20090105.patch
index b12e2f9..cfa36fe 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -11412,6 +11412,216 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_generic_node(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.3/policy/modules/services/devicekit.fc
+--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.fc 2009-01-19 17:04:16.000000000 -0500
+@@ -0,0 +1,4 @@
++
++/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
++/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
++/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
+--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:09:09.000000000 -0500
+@@ -0,0 +1,139 @@
++
++## <summary>policy for devicekit</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run devicekit.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`devicekit_domtrans',`
++ gen_require(`
++ type devicekit_t;
++ type devicekit_exec_t;
++ ')
++
++ domtrans_pattern($1,devicekit_exec_t,devicekit_t)
++')
++
++
++########################################
++## <summary>
++## Read devicekit PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_read_pid_files',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 devicekit_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Manage devicekit var_run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_manage_var_run',`
++ gen_require(`
++ type devicekit_var_run_t;
++ ')
++
++ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
++ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
++ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
++')
++
++
++########################################
++## <summary>
++## Send and receive messages from
++## devicekit over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_dbus_chat',`
++ gen_require(`
++ type devicekit_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 devicekit_t:dbus send_msg;
++ allow devicekit_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## devicekit power over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_power_dbus_chat',`
++ gen_require(`
++ type devicekit_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 devicekit_power_t:dbus send_msg;
++ allow devicekit_power_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an devicekit environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the devicekit domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`devicekit_admin',`
++ gen_require(`
++ type devicekit_t;
++ ')
++
++ allow $1 devicekit_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, devicekit_t, devicekit_t)
++
++
++ devicekit_manage_var_run($1)
++
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te
+--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-19 17:06:44.000000000 -0500
+@@ -0,0 +1,55 @@
++policy_module(devicekit,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type devicekit_t;
++type devicekit_exec_t;
++dbus_system_domain(devicekit_t, devicekit_exec_t)
++
++permissive devicekit_t;
++
++type devicekit_power_t;
++type devicekit_power_exec_t;
++dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
++
++permissive devicekit_power_t;
++
++type devicekit_var_run_t;
++files_pid_file(devicekit_var_run_t)
++
++#
++# DeviceKit local policy
++#
++
++manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
++manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
++files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
++
++fs_list_inotifyfs(devicekit_t)
++
++optional_policy(`
++ dbus_system_bus_client(devicekit_t)
++')
++
++#
++# DeviceKit-Power local policy
++#
++
++dev_rw_netcontrol(devicekit_power_t)
++files_read_etc_files(devicekit_power_t)
++fs_list_inotifyfs(devicekit_power_t)
++
++optional_policy(`
++ polkit_read_reload(devicekit_power_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(devicekit_power_t)
++ allow devicekit_power_t devicekit_t:dbus send_msg;
++ allow devicekit_t devicekit_power_t:dbus send_msg;
++')
++
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/dhcp.if 2009-01-19 13:10:02.000000000 -0500
@@ -21508,7 +21718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## display.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 14:47:14.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 17:08:51.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@@ -21838,7 +22048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -515,12 +572,35 @@
+@@ -515,12 +572,41 @@
')
optional_policy(`
@@ -21852,14 +22062,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_system_bus_client(xdm_t)
+
+ optional_policy(`
++ devicekit_power_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
+ hal_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
++
+')
+
++
+optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
@@ -21874,7 +22090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t)
')
-@@ -542,6 +622,19 @@
+@@ -542,6 +628,19 @@
')
optional_policy(`
@@ -21894,7 +22110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +643,8 @@
+@@ -550,8 +649,8 @@
')
optional_policy(`
@@ -21904,7 +22120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -571,6 +664,10 @@
+@@ -571,6 +670,10 @@
')
optional_policy(`
@@ -21915,7 +22131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
-@@ -635,6 +732,15 @@
+@@ -635,6 +738,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -21931,7 +22147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -682,6 +788,7 @@
+@@ -682,6 +794,7 @@
dev_rw_input_dev(xserver_t)
dev_rwx_zero(xserver_t)
@@ -21939,7 +22155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_mmap_low(xserver_t)
files_read_etc_files(xserver_t)
-@@ -697,6 +804,7 @@
+@@ -697,6 +810,7 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -21947,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mls_xwin_read_to_clearance(xserver_t)
-@@ -806,7 +914,7 @@
+@@ -806,7 +920,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -21956,7 +22172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +938,10 @@
+@@ -830,6 +944,10 @@
xserver_use_user_fonts(xserver_t)
@@ -21967,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +956,14 @@
+@@ -844,11 +962,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -21983,7 +22199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -856,6 +971,11 @@
+@@ -856,6 +977,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -21995,7 +22211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Rules common to all X window domains
-@@ -972,6 +1092,37 @@
+@@ -972,6 +1098,37 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -22033,7 +22249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`TODO',`
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1137,13 @@
+@@ -986,3 +1143,13 @@
#
allow xdm_t user_home_type:file unlink;
') dnl end TODO
@@ -26194,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:08:20.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -26594,7 +26810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -512,189 +525,194 @@
+@@ -512,189 +525,198 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -26763,54 +26979,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- hal_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ devkit_power_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
- ')
-+ hal_dbus_chat($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
-+ networkmanager_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ vpnc_dbus_chat($1_usertype)
-+ ')
++ networkmanager_dbus_chat($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ vpnc_dbus_chat($1_usertype)
++ ')
')
- # for running depmod as part of the kernel packaging process
optional_policy(`
- modutils_read_module_config($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
-+ locate_read_lib_files($1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
-+ # for running depmod as part of the kernel packaging process
optional_policy(`
- tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t)
-- ')
++ locate_read_lib_files($1_usertype)
+ ')
++
++ # for running depmod as part of the kernel packaging process
++ optional_policy(`
+ modutils_read_module_config($1_usertype)
')
@@ -26832,16 +27051,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
+ postgresql_stream_connect($1_usertype)
++ ')
')
++
++ optional_policy(`
++ # to allow monitoring of pcmcia status
++ pcmcia_read_pid($1_usertype)
')
optional_policy(`
- resmgr_stream_connect($1_t)
-+ # to allow monitoring of pcmcia status
-+ pcmcia_read_pid($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ pcscd_read_pub_files($1_usertype)
+ pcscd_stream_connect($1_usertype)
')
@@ -26871,7 +27090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -722,15 +740,29 @@
+@@ -722,15 +744,29 @@
userdom_base_user_template($1)
@@ -26907,7 +27126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -746,70 +778,72 @@
+@@ -746,70 +782,72 @@
allow $1_t self:context contains;
@@ -27013,7 +27232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -846,6 +880,28 @@
+@@ -846,6 +884,28 @@
# Local policy
#
@@ -27042,7 +27261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -876,7 +932,7 @@
+@@ -876,7 +936,7 @@
userdom_restricted_user_template($1)
@@ -27051,17 +27270,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -884,14 +940,18 @@
+@@ -884,14 +944,18 @@
#
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
-+
-+ xserver_role($1_r, $1_t)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
++ xserver_role($1_r, $1_t)
++
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@@ -27075,7 +27294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +959,24 @@
+@@ -899,28 +963,24 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -27110,7 +27329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -931,8 +987,7 @@
+@@ -931,8 +991,7 @@
## </summary>
## <desc>
## <p>
@@ -27120,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </p>
## <p>
## This template creates a user domain, types, and
-@@ -954,8 +1009,8 @@
+@@ -954,8 +1013,8 @@
# Declarations
#
@@ -27130,7 +27349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -964,11 +1019,10 @@
+@@ -964,11 +1023,10 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -27143,7 +27362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1040,47 @@
+@@ -986,37 +1044,47 @@
')
')
@@ -27194,17 +27413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ optional_policy(`
+ mount_run($1_t, $1_r)
-+ ')
+ ')
+
+ # Run pppd in pppd_t by default for user
+ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
- ')
++ ')
+
')
#######################################
-@@ -1050,7 +1114,7 @@
+@@ -1050,7 +1118,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -27213,7 +27432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1059,8 +1123,7 @@
+@@ -1059,8 +1127,7 @@
#
# Inherit rules for ordinary users.
@@ -27223,7 +27442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1146,8 @@
+@@ -1083,7 +1150,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -27233,7 +27452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1106,8 +1170,6 @@
+@@ -1106,8 +1174,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -27242,7 +27461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1224,6 @@
+@@ -1162,20 +1228,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -27263,7 +27482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1269,7 @@
+@@ -1221,6 +1273,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -27271,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1335,15 @@
+@@ -1286,11 +1339,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -27287,7 +27506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1387,7 +1440,7 @@
+@@ -1387,7 +1444,7 @@
########################################
## <summary>
@@ -27296,7 +27515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -1420,6 +1473,14 @@
+@@ -1420,6 +1477,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -27311,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1435,9 +1496,11 @@
+@@ -1435,9 +1500,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -27323,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1494,6 +1557,25 @@
+@@ -1494,6 +1561,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -27349,7 +27568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1547,9 +1629,9 @@
+@@ -1547,9 +1633,9 @@
type user_home_dir_t, user_home_t;
')
@@ -27361,7 +27580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1568,6 +1650,8 @@
+@@ -1568,6 +1654,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -27370,7 +27589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1643,6 +1727,7 @@
+@@ -1643,6 +1731,7 @@
type user_home_dir_t, user_home_t;
')
@@ -27378,7 +27597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,6 +1826,62 @@
+@@ -1741,6 +1830,62 @@
########################################
## <summary>
@@ -27441,7 +27660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute user home files.
## </summary>
## <param name="domain">
-@@ -1757,14 +1898,6 @@
+@@ -1757,14 +1902,6 @@
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -27456,7 +27675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1787,6 +1920,46 @@
+@@ -1787,6 +1924,46 @@
########################################
## <summary>
@@ -27503,7 +27722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
-@@ -2819,6 +2992,24 @@
+@@ -2819,6 +2996,24 @@
########################################
## <summary>
@@ -27528,7 +27747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
-@@ -2851,6 +3042,7 @@
+@@ -2851,6 +3046,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@@ -27536,7 +27755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -2965,6 +3157,24 @@
+@@ -2965,6 +3161,24 @@
########################################
## <summary>
@@ -27561,7 +27780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -2981,3 +3191,264 @@
+@@ -2981,3 +3195,264 @@
allow $1 userdomain:dbus send_msg;
')