diff --git a/refpolicy/man/man8/ftpd_selinux.8 b/refpolicy/man/man8/ftpd_selinux.8
index 4ce159a..017b212 100644
--- a/refpolicy/man/man8/ftpd_selinux.8
+++ b/refpolicy/man/man8/ftpd_selinux.8
@@ -16,9 +16,9 @@ If you want to setup a directory where you can upload files to you must label th
.TP
chcon -t public_content_rw_t /var/ftp/incoming
.TP
-You must also turn on the boolean allow_ftp_anon_write.
+You must also turn on the boolean allow_ftpd_anon_write.
.TP
-setsebool -P allow_ftp_anon_write=1
+setsebool -P allow_ftpd_anon_write=1
.TP
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
.TP
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 3fbcee3..b4fa3ab 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu,1.0.1)
+policy_module(kudzu,1.0.2)
########################################
#
@@ -63,6 +63,7 @@ fs_search_ramfs(kudzu_t)
fs_write_ramfs_socket(kudzu_t)
mls_file_read_up(kudzu_t)
+mls_file_write_down(kudzu_t)
modutils_read_mods_deps(kudzu_t)
modutils_read_module_conf(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 2bf7ddf..092b49c 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
-policy_module(readahead,1.0.1)
+policy_module(readahead,1.0.2)
########################################
#
@@ -35,6 +35,7 @@ dev_getattr_generic_blk_file(readahead_t)
dev_getattr_all_chr_files(readahead_t)
dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_dev(readahead_t)
domain_use_wide_inherit_fd(readahead_t)
@@ -46,6 +47,7 @@ fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
+fs_search_ramfs(readahead_t)
term_dontaudit_use_console(readahead_t)
diff --git a/refpolicy/policy/modules/apps/java.fc b/refpolicy/policy/modules/apps/java.fc
index 8d6f96c..782c8ab 100644
--- a/refpolicy/policy/modules/apps/java.fc
+++ b/refpolicy/policy/modules/apps/java.fc
@@ -2,3 +2,4 @@
# /usr
#
/usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 7f65d38..8c5d372 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1135,6 +1135,22 @@ interface(`dev_delete_lvm_control',`
########################################
## <summary>
+## dontaudit getattr raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dev_dontaudit_getattr_memory_dev',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
## Read raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index ccf9265..4eb4cee 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -954,6 +954,23 @@ interface(`fs_relabelfrom_dos_fs',`
########################################
## <summary>
+## Read eventpollfs files
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_read_eventpollfs',`
+ gen_require(`
+ type eventpollfs_t;
+ ')
+
+ allow $1 eventpollfs_t:dir search_dir_perms;
+ allow $1 eventpollfs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
## Mount an iso9660 filesystem, which
## is usually used on CDs.
## </summary>
@@ -2282,6 +2299,25 @@ interface(`fs_use_tmpfs_chr_dev',`
########################################
## <summary>
+## dontaudit Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ gen_require(`
+ type tmpfs_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
+
+ dontaudit $1 tmpfs_t:dir r_dir_perms;
+ dontaudit $1 tmpfs_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index 1186c59..46e68e9 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.1.2)
+policy_module(mls,1.1.3)
########################################
#
@@ -55,6 +55,7 @@ attribute mlsrangetrans;
# temporarily have to break encapsulation to work around this.
#
+type auditd_exec_t;
type crond_exec_t;
type cupsd_exec_t;
type getty_t;
@@ -87,4 +88,5 @@ range_transition unconfined_t initrc_exec_t s0;
ifdef(`enable_mls',`
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition initrc_t auditd_exec_t s15:c0.c255;
')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index a0cb9e7..8e62ea2 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.1.3)
+policy_module(apache,1.1.4)
#
# NOTES:
@@ -690,6 +690,10 @@ optional_policy(`mysql',`
unconfined_domain_template(httpd_unconfined_script_t)
+optional_policy(`cron',`
+ cron_system_entry(httpd_t, httpd_exec_t)
+')
+
optional_policy(`nscd',`
nscd_use_socket(httpd_unconfined_script_t)
')
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 7297b2e..4064a40 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
-policy_module(apm,1.1.1)
+policy_module(apm,1.1.2)
########################################
#
@@ -196,6 +196,7 @@ optional_policy(`clock',`
')
optional_policy(`cron',`
+ cron_system_entry(apmd_t, apmd_exec_t)
cron_domtrans_anacron_system_job(apmd_t)
')
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index bf22d32..e99181b 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.0.4)
+policy_module(automount,1.0.5)
########################################
#
@@ -108,6 +108,7 @@ fs_search_auto_mountpoints(automount_t)
fs_manage_auto_mountpoints(automount_t)
term_dontaudit_use_console(automount_t)
+term_dontaudit_getattr_pty_dir(automount_t)
init_use_fd(automount_t)
init_use_script_pty(automount_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index e735500..9962896 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.1.4)
+policy_module(cron,1.1.5)
gen_require(`
class passwd rootok;
@@ -120,7 +120,7 @@ files_search_default(crond_t)
init_use_fd(crond_t)
init_use_script_pty(crond_t)
-init_read_script_pid(crond_t)
+init_rw_script_pid(crond_t)
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 6875f0e..be62168 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.1.1)
+policy_module(cups,1.1.2)
########################################
#
@@ -201,8 +201,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`cron',`
- cron_use_fd(cupsd_t)
- cron_read_pipe(cupsd_t)
+ cron_system_entry(cupsd_t, cupsd_exec_t)
')
optional_policy(`dbus',`
@@ -580,8 +579,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`cron',`
- cron_use_system_job_fd(cupsd_config_t)
- cron_read_pipe(cupsd_config_t)
+ cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
optional_policy(`dbus',`
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 93199de..f020aa4 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.1.5)
+policy_module(hal,1.1.6)
########################################
#
@@ -50,6 +50,8 @@ kernel_read_kernel_sysctl(hald_t)
kernel_read_fs_sysctl(hald_t)
kernel_write_proc_file(hald_t)
+bootloader_getattr_boot_dir(hald_t)
+
corecmd_exec_bin(hald_t)
corecmd_exec_sbin(hald_t)
@@ -82,8 +84,8 @@ domain_exec_all_entry_files(hald_t)
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
files_rw_etc_runtime_files(hald_t)
-files_search_mnt(hald_t)
files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
files_search_var_lib(hald_t)
files_read_usr_files(hald_t)
# hal is now execing pm-suspend
@@ -145,6 +147,10 @@ optional_policy(`apm',`
apm_stream_connect(hald_t)
')
+optional_policy(`bind',`
+ bind_search_cache(hald_t)
+')
+
optional_policy(`clock',`
clock_domtrans(hald_t)
')
@@ -158,6 +164,7 @@ optional_policy(`dbus',`
dbus_system_bus_client_template(hald,hald_t)
dbus_send_system_bus_msg(hald_t)
dbus_connect_system_bus(hald_t)
+ allow hald_t self:dbus send_msg;
init_dbus_chat_script(hald_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index b569efc..cab3022 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.1.3)
+policy_module(mta,1.1.4)
########################################
#
@@ -53,6 +53,8 @@ kernel_read_network_state(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
+fs_read_eventpollfs(system_mail_t)
+
init_use_script_pty(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 2a00b44..edaf293 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail,1.1.1)
+policy_module(sendmail,1.1.2)
########################################
#
@@ -31,6 +31,7 @@ allow sendmail_t self:fifo_file rw_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
allow sendmail_t sendmail_log_t:file create_file_perms;
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
@@ -92,6 +93,7 @@ sysnet_read_config(sendmail_t)
userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
+mta_read_config(sendmail_t)
mta_filetrans_etc_aliases(sendmail_t)
# Write to /etc/aliases and /etc/mail.
mta_rw_aliases(sendmail_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 02b91c1..fca8333 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -920,6 +920,19 @@ interface(`auth_dontaudit_exec_utempter',`
#######################################
#
+# auth_setattr_login_records(domain)
+#
+interface(`auth_setattr_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ allow $1 wtmp_t:file setattr;
+ logging_search_logs($1)
+')
+
+#######################################
+#
# auth_read_login_records(domain)
#
interface(`auth_read_login_records',`
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 920a183..8c66d9e 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.1.1)
+policy_module(authlogin,1.1.2)
########################################
#
@@ -129,14 +129,6 @@ optional_policy(`nscd',`
nscd_use_socket(pam_t)
')
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
-# Supress xdm denial
-ifdef(`xdm.te', `
-dontaudit pam_t xdm_t:fd use;
-') dnl ifdef
-') dnl endif TODO
-
########################################
#
# PAM console local policy
@@ -229,6 +221,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(pam_console_t)
')
+optional_policy(`alsa',`
+ alsa_domtrans(pam_console_t)
+')
+
optional_policy(`gpm',`
gpm_getattr_gpmctl(pam_console_t)
gpm_setattr_gpmctl(pam_console_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index bfc5fdb..35ae344 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -29,6 +29,7 @@ dev_read_sysfs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t)
@@ -55,35 +56,6 @@ miscfiles_read_localization(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
-userdom_use_all_user_fd(hostname_t)
-ifdef(`distro_redhat', `
- fs_use_tmpfs_chr_dev(hostname_t)
-')
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_tty(hostname_t)
- term_dontaudit_use_generic_pty(hostname_t)
- files_dontaudit_read_root_file(hostname_t)
-')
-optional_policy(`firstboot',`
- firstboot_use_fd(hostname_t)
-')
-
-optional_policy(`hotplug',`
- hotplug_dontaudit_use_fd(hostname_t)
-')
-
-optional_policy(`nscd',`
- nscd_use_socket(hostname_t)
-')
-
-optional_policy(`selinuxutil',`
- seutil_sigchld_newrole(hostname_t)
-')
-
-optional_policy(`udev',`
- udev_dontaudit_use_fd(hostname_t)
- udev_read_db(hostname_t)
-')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 062a7b4..4a10420 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.1.4)
+policy_module(init,1.1.5)
gen_require(`
class passwd rootok;
@@ -298,6 +298,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
+auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index a3a3128..28c4f03 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -158,7 +158,7 @@ ifdef(`distro_redhat',`
# Flash plugin, Macromedia
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index fc66ecf..2f5f22a 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.1.1)
+policy_module(logging,1.1.2)
########################################
#
@@ -20,7 +20,11 @@ type auditd_log_t;
files_security_file(auditd_log_t)
type auditd_t;
-type auditd_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type auditd_exec_t;
+')
init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 6bf2646..ea4ac9c 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.1.0)
+policy_module(lvm,1.1.1)
########################################
#
@@ -209,6 +209,7 @@ storage_create_fixed_disk(lvm_t)
storage_manage_fixed_disk(lvm_t)
term_dontaudit_getattr_all_user_ttys(lvm_t)
+term_dontaudit_getattr_pty_dir(lvm_t)
corecmd_search_sbin(lvm_t)
corecmd_dontaudit_getattr_sbin_file(lvm_t)
@@ -259,11 +260,3 @@ optional_policy(`gpm',`
optional_policy(`udev',`
udev_read_db(lvm_t)
')
-
-ifdef(`TODO',`
-# it has no reason to need this
-allow lvm_t var_t:dir { search getattr };
-allow lvm_t ramfs_t:filesystem unmount;
-
-dontaudit lvm_t xconsole_device_t:fifo_file getattr;
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 2197e82..79e9c1d 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.1.2)
+policy_module(mount,1.1.3)
########################################
#
@@ -32,6 +32,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_rw_lvm_control(mount_t)
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
@@ -46,7 +47,7 @@ fs_relabelfrom_all_fs(mount_t)
fs_search_auto_mountpoints(mount_t)
fs_use_tmpfs_chr_dev(mount_t)
-term_use_console(mount_t)
+term_use_all_terms(mount_t)
# required for mount.smbfs
corecmd_exec_sbin(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 8f1d53f..97c60aa 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.0.2)
+policy_module(selinuxutil,1.0.3)
gen_require(`
bool secure_mode;
@@ -316,6 +316,7 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
#
allow restorecon_t self:capability { dac_override dac_read_search fowner };
+allow restorecon_t self:fifo_file rw_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
@@ -469,6 +470,7 @@ ifdef(`distro_gentoo', `
#
allow setfiles_t self:capability { dac_override dac_read_search fowner };
+allow setfiles_t self:fifo_file rw_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 45f5d7d..59fe009 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -33,6 +33,7 @@ template(`unconfined_domain_template',`
corenet_unconfined($1)
dev_unconfined($1)
domain_unconfined($1)
+ domain_dontaudit_read_all_domains_state($1)
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 6b51898..a19ab64 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -111,6 +111,7 @@ template(`base_user_template',`
allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+ files_search_home($1_t)
can_exec($1_t,$1_tmp_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a4a0801..2e79479 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.1.5)
+policy_module(userdomain,1.1.6)
gen_require(`
role sysadm_r, staff_r, user_r, secadm_r;