diff --git a/modules-mls.conf b/modules-mls.conf
index 7e20376..39f3cb8 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1833,3 +1833,45 @@ milter = module
 # 
 wm = module
 
+# Layer: services
+# Module: aisexec
+#
+# RHCS - Red Hat Cluster Suite
+#
+aisexec = module
+ 
+# Layer: services
+# Module: rgmanager
+#
+# rgmanager
+# 
+rgmanager = module
+
+# Layer: services
+# Module: clogd
+#
+# clogd - clustered mirror log server
+# 
+clogd = module
+
+# Layer: services
+# Module: ricci
+#
+# policy for ricci
+# 
+ricci = module
+
+# Layer: services
+# Module: rhcs
+#
+# RHCS - Red Hat Cluster Suite
+#
+rhcs = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Policy for shorewall
+# 
+shorewall = base
+
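Review bot: `shorewall = base` is the only one of the six new entries that is not declared `= module`, and its comment block does not say why. A module compiled into base cannot be removed or disabled on its own, so if that is not the intent here, `shorewall = module` would match the neighbouring entries. Separately, the aisexec block carries the same description as the rhcs block (`# RHCS - Red Hat Cluster Suite`). A line saying what aisexec itself is would make the two entries distinguishable.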
diff --git a/policy-F13.patch b/policy-F13.patch
index 8a5d85b..88134dc 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -240,7 +240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.33/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/admin/logrotate.te	2009-11-12 14:26:53.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/admin/logrotate.te	2009-11-16 09:58:07.000000000 -0500
 @@ -32,7 +32,7 @@
  # Change ownership on log files.
  allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -261,7 +261,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  cron_system_entry(logrotate_t, logrotate_exec_t)
  cron_search_spool(logrotate_t)
-@@ -149,6 +150,14 @@
+@@ -137,6 +138,10 @@
+ ')
+ 
+ optional_policy(`
++	abrt_cache_manage(logrotate_t)
++')
++
++optional_policy(`
+ 	acct_domtrans(logrotate_t)
+ 	acct_manage_data(logrotate_t)
+ 	acct_exec_data(logrotate_t)
+@@ -149,6 +154,14 @@
  ')
  
  optional_policy(`
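Review bot: `abrt_cache_manage(logrotate_t)` has no comment saying what logrotate does in the abrt cache, and by refpolicy naming a `manage` interface grants create, write and delete rather than just the one operation needed. The same undocumented widening shows up in two later hunks of this patch: `rpm_read_cache(tmpreaper_t)` becomes `rpm_manage_cache(tmpreaper_t)` in tmpreaper.te, and `rpm_read_pid_files(abrt_t)` becomes `rpm_manage_pid_files(abrt_t)` in abrt.te. Each would benefit from a one-line comment naming the denial that motivated it, in the form `# <what the domain does to these files> (bug <ID>)`. Where the domain only prunes old files, a delete-only grant would be the narrower choice, if the owning module offers one.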
@@ -276,7 +287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	consoletype_exec(logrotate_t)
  ')
  
-@@ -183,6 +192,10 @@
+@@ -183,6 +196,10 @@
  ')
  
  optional_policy(`
@@ -664,7 +675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.33/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/admin/rpm.if	2009-11-12 14:26:53.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/admin/rpm.if	2009-11-16 09:56:52.000000000 -0500
 @@ -13,11 +13,34 @@
  interface(`rpm_domtrans',`
  	gen_require(`
@@ -1559,7 +1570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te	2009-11-12 14:26:53.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te	2009-11-16 09:57:08.000000000 -0500
 @@ -42,6 +42,7 @@
  cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
  
@@ -1583,7 +1594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-+	rpm_read_cache(tmpreaper_t)
++	rpm_manage_cache(tmpreaper_t)
 +')
 +
 +optional_policy(`
@@ -9143,7 +9154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te	2009-11-12 15:05:29.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te	2009-11-16 11:05:10.000000000 -0500
 @@ -0,0 +1,430 @@
 +policy_module(unconfineduser, 1.0.0)
 +
@@ -9434,10 +9445,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
-+	rtkit_daemon_system_domain(unconfined_t)
-+')
-+
-+optional_policy(`
 +	samba_role_notrans(unconfined_r)
 +	samba_run_unconfined_net(unconfined_t, unconfined_r)
 +	samba_run_winbind_helper(unconfined_t, unconfined_r)
@@ -9567,6 +9574,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	policykit_role(unconfined_r, unconfined_notrans_t)
 +')
 +
++optional_policy(`
++	rtkit_daemon_system_domain(unconfined_notrans_t)
++')
++
 +########################################
 +#
 +# Unconfined mount local policy
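Review bot: The `rtkit_daemon_system_domain(...)` call moves from unconfined_t (removed in the previous hunk) to unconfined_notrans_t with no comment recording why. Whether unconfined_t still receives it is not visible here; it may arrive through the `rtkit_daemon_system_domain($1_usertype)` line this patch adds to userdomain.if, but only if unconfined_t is built from that template. If that is the intent, a comment above the new block such as `# unconfined_t is covered by the user template in userdomain.if` would make the change auditable. If it is not, unconfined_t silently loses the rule.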
@@ -9828,7 +9839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.33/policy/modules/services/abrt.if
 --- nsaserefpolicy/policy/modules/services/abrt.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/services/abrt.if	2009-11-13 11:25:29.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/abrt.if	2009-11-16 09:55:22.000000000 -0500
 @@ -19,6 +19,24 @@
  	domtrans_pattern($1, abrt_exec_t, abrt_t)
  ')
@@ -9954,7 +9965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.33/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/services/abrt.te	2009-11-13 11:25:18.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/abrt.te	2009-11-16 10:52:33.000000000 -0500
 @@ -33,12 +33,23 @@
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
@@ -9980,8 +9991,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow abrt_t self:process { signal signull setsched getsched };
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
-@@ -60,13 +71,15 @@
+@@ -58,15 +69,18 @@
+ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
++can_exec(abrt_t, abrt_tmp_t)
  
  # abrt var/cache files
 -manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
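Review bot: `can_exec(abrt_t, abrt_tmp_t)` makes abrt_tmp_t both writable and executable by abrt_t, because the two context lines above it already grant `manage_dirs_pattern` and `manage_files_pattern` on the same type. That removes the separation between data the daemon writes and code it runs, and the line carries no justification. A comment in the form `# abrt runs <helper> out of its tmp dir (bug <ID>)` should accompany it. If the executed files come from a package rather than being generated at run time, labelling them with an exec type of their own would avoid the write-plus-execute grant altogether.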
@@ -9998,7 +10012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
  
  kernel_read_ring_buffer(abrt_t)
-@@ -75,11 +88,17 @@
+@@ -75,10 +89,17 @@
  
  corecmd_exec_bin(abrt_t)
  corecmd_exec_shell(abrt_t)
@@ -10009,14 +10023,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +corenet_tcp_connect_all_ports(abrt_t)
  
  dev_read_urand(abrt_t)
- 
++dev_rw_sysfs(abrt_t)
++
 +domain_read_all_domains_state(abrt_t)
 +domain_signull_all_domains(abrt_t)
-+
+ 
  files_getattr_all_files(abrt_t)
  files_read_etc_files(abrt_t)
- files_read_usr_files(abrt_t)
-@@ -96,22 +115,59 @@
+@@ -87,6 +108,7 @@
+ fs_list_inotifyfs(abrt_t)
+ fs_getattr_all_fs(abrt_t)
+ fs_getattr_all_dirs(abrt_t)
++fs_search_all(abrt_t)
+ 
+ sysnet_read_config(abrt_t)
+ 
+@@ -96,22 +118,59 @@
  miscfiles_read_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
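Review bot: `dev_rw_sysfs(abrt_t)` gives the crash handler write access to sysfs and `fs_search_all(abrt_t)` lets it traverse every filesystem type, and neither line carries a comment. The same domain is already allowed `corenet_tcp_connect_all_ports(abrt_t)` in the context above, so each further broad grant deserves a stated reason. If abrt only reads kernel or hardware state, `dev_read_sysfs(abrt_t)` would cover it. Otherwise a comment naming the sysfs node it writes would help the next audit.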
@@ -10047,11 +10069,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
 -	rpm_manage_db(abrt_t)
 -	rpm_domtrans(abrt_t)
-+	rpm_manage_cache(abrt_t)
-+	rpm_read_db(abrt_t)
-+	rpm_read_pid_files(abrt_t)
 +	rpm_exec(abrt_t)
 +	rpm_dontaudit_manage_db(abrt_t)
++	rpm_manage_cache(abrt_t)
++	rpm_manage_pid_files(abrt_t)
++	rpm_read_db(abrt_t)
 +	rpm_signull(abrt_t)
  ')
  
@@ -16296,7 +16318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.33/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/services/networkmanager.te	2009-11-12 14:26:53.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.te	2009-11-16 10:30:18.000000000 -0500
 @@ -19,6 +19,9 @@
  type NetworkManager_tmp_t;
  files_tmp_file(NetworkManager_tmp_t)
@@ -16324,7 +16346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
  allow NetworkManager_t self:udp_socket create_socket_perms;
  allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -51,8 +55,11 @@
+@@ -51,8 +55,13 @@
  manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -16334,11 +16356,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
 +
++manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
  
  manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -63,6 +70,9 @@
+@@ -63,6 +72,9 @@
  kernel_read_network_state(NetworkManager_t)
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
@@ -16348,7 +16372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +91,18 @@
+@@ -81,13 +93,18 @@
  corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
  corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
  corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -16367,7 +16391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -98,15 +113,20 @@
+@@ -98,15 +115,20 @@
  
  domain_use_interactive_fds(NetworkManager_t)
  domain_read_confined_domains_state(NetworkManager_t)
@@ -16389,7 +16413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_syslog_msg(NetworkManager_t)
  
  miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +136,40 @@
+@@ -116,25 +138,40 @@
  
  seutil_read_config(NetworkManager_t)
  
@@ -16437,7 +16461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -146,8 +181,25 @@
+@@ -146,8 +183,25 @@
  ')
  
  optional_policy(`
@@ -16465,7 +16489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -155,23 +207,51 @@
+@@ -155,23 +209,51 @@
  ')
  
  optional_policy(`
@@ -16492,17 +16516,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
 +	openvpn_signull(NetworkManager_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +        policykit_dbus_chat(NetworkManager_t)
 +	policykit_domtrans_auth(NetworkManager_t)
 +	policykit_read_lib(NetworkManager_t)
 +	policykit_read_reload(NetworkManager_t)
 +	userdom_read_all_users_state(NetworkManager_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	ppp_initrc_domtrans(NetworkManager_t)
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
@@ -16519,7 +16543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -179,12 +259,15 @@
+@@ -179,12 +261,15 @@
  ')
  
  optional_policy(`
@@ -17696,8 +17720,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.33/policy/modules/services/plymouth.te
 --- nsaserefpolicy/policy/modules/services/plymouth.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.33/policy/modules/services/plymouth.te	2009-11-12 14:26:53.000000000 -0500
-@@ -0,0 +1,97 @@
++++ serefpolicy-3.6.33/policy/modules/services/plymouth.te	2009-11-16 10:36:01.000000000 -0500
+@@ -0,0 +1,101 @@
 +policy_module(plymouthd, 1.0.0)
 +
 +########################################
@@ -17789,6 +17813,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +plymouth_stream_connect(plymouth_t)
 +
++optional_policy(`
++	lvm_domtrans(plymouth_t)
++')
++
 +ifdef(`hide_broken_symptoms', `
 +optional_policy(`
 +	hal_dontaudit_write_log(plymouth_t)
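Review bot: `lvm_domtrans(plymouth_t)` lets plymouth_t transition into the LVM domain, and the new optional_policy block does not say which plymouth action runs an LVM binary. The LVM domain's own rules are not visible in this hunk, but it presumably has raw block-device access, so the transition is worth documenting with a comment in the form `# plymouth runs <lvm command> during boot (bug <ID>)`. The `ifdef(`hide_broken_symptoms'` block that follows continues outside the hunk.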
@@ -27355,7 +27383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +permissive kdump_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.33/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/system/libraries.fc	2009-11-12 14:26:53.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/system/libraries.fc	2009-11-16 09:36:01.000000000 -0500
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -27551,7 +27579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ') dnl end distro_redhat
  
  #
-@@ -307,10 +302,102 @@
+@@ -307,10 +302,104 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -27575,6 +27603,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/usr/lib/oracle/.*/lib/libnnz10\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++/opt/altera9.1/quartus/linux/libccl_err\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
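Review bot: The `.` in `altera9.1` is unescaped in this file-context regex, unlike the `\.so` later on the same line, so it matches any character in that position. The literal form is `/opt/altera9\.1/quartus/linux/libccl_err\.so`. The entry is also pinned to a single product release, so a library from another installed version would not be labelled textrel_shlib_t. Since that type relaxes the text-relocation check, keeping the match narrow is reasonable, but it should be a deliberate choice.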
@@ -31039,7 +31069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.33/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.33/policy/modules/system/userdomain.if	2009-11-13 11:30:17.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/system/userdomain.if	2009-11-16 11:06:05.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -31957,7 +31987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		loadkeys_run($1_t,$1_r)
  	')
  ')
-@@ -865,51 +950,93 @@
+@@ -865,51 +950,97 @@
  
  	userdom_restricted_user_template($1)
  
@@ -32014,8 +32044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	optional_policy(`
 +		alsa_read_rw_config($1_usertype)
 +	')
- 
--	xserver_restricted_role($1_r, $1_t)
++
 +	optional_policy(`
 +		apache_role($1_r, $1_usertype)
 +	')
@@ -32026,36 +32055,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		devicekit_dbus_chat_power($1_usertype)
 +	')
  
+-	xserver_restricted_role($1_r, $1_t)
++	optional_policy(`
++		fprintd_dbus_chat($1_t)
++	')
+ 
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
-+		fprintd_dbus_chat($1_t)
++		gnomeclock_dbus_chat($1_t)
  	')
  
  	optional_policy(`
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
-+		gnomeclock_dbus_chat($1_t)
-+	')	  
- 
- 		optional_policy(`
--			consolekit_dbus_chat($1_t)
 +		gnome_manage_config($1_usertype)
 +		gnome_manage_gconf_home_files($1_usertype)
 +		gnome_read_gconf_config($1_usertype)
++		')
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
++		openoffice_role_template($1, $1_r, $1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
-+		openoffice_role_template($1, $1_r, $1_usertype)
++		policykit_role($1_r, $1_usertype)
  		')
 +
 +	optional_policy(`
-+		policykit_role($1_r, $1_usertype)
++		pulseaudio_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		java_role($1_r, $1_t)
-+		pulseaudio_role($1_r, $1_usertype)
++		rtkit_daemon_system_domain($1_usertype)
  	')
  
  	optional_policy(`
@@ -32064,7 +32098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -943,8 +1070,8 @@
+@@ -943,8 +1074,8 @@
  	# Declarations
  	#
  
@@ -32074,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	userdom_common_user_template($1)
  
  	##############################
-@@ -953,58 +1080,67 @@
+@@ -953,58 +1084,67 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -32108,14 +32142,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -			storage_raw_read_removable_device($1_t)
 +	optional_policy(`
 +		cdrecord_role($1_r, $1_t)
-+	')
-+
-+	optional_policy(`
-+		cron_role($1_r, $1_t)
  		')
 +
 +	optional_policy(`
-+		games_rw_data($1_usertype)
++		cron_role($1_r, $1_t)
  	')
  
 -	tunable_policy(`user_dmesg',`
@@ -32123,7 +32153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	',`
 -		kernel_dontaudit_read_ring_buffer($1_t)
 +	optional_policy(`
-+		gpg_role($1_r, $1_usertype)
++		games_rw_data($1_usertype)
  	')
  
 -	# Allow users to run TCP servers (bind to ports and accept connection from
@@ -32133,28 +32163,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 +	optional_policy(`
-+		gpm_stream_connect($1_usertype)
++		gpg_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r)
 -		netutils_run_traceroute_cond($1_t,$1_r)
-+		execmem_role_template($1, $1_r, $1_t)
++		gpm_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		postgresql_role($1_r,$1_t)
-+		java_role_template($1, $1_r, $1_t)
++		execmem_role_template($1, $1_r, $1_t)
  	')
  
 -	# Run pppd in pppd_t by default for user
  	optional_policy(`
 -		ppp_run_cond($1_t,$1_r)
-+		mono_role_template($1, $1_r, $1_t)
++		java_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
++		mono_role_template($1, $1_r, $1_t)
++	')
++
++	optional_policy(`
 +		mount_run($1_t, $1_r)
 +	')
 +
@@ -32172,7 +32206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1040,7 +1176,7 @@
+@@ -1040,7 +1180,7 @@
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -32181,7 +32215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	##############################
-@@ -1049,8 +1185,7 @@
+@@ -1049,8 +1189,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -32191,7 +32225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1075,6 +1210,9 @@
+@@ -1075,6 +1214,9 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -32201,7 +32235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1227,7 @@
+@@ -1089,6 +1231,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -32209,7 +32243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1096,8 +1235,6 @@
+@@ -1096,8 +1239,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -32218,7 +32252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1124,12 +1261,11 @@
+@@ -1124,12 +1265,11 @@
  	files_exec_usr_src_files($1_t)
  
  	fs_getattr_all_fs($1_t)
@@ -32233,7 +32267,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	term_use_all_terms($1_t)
  
  	auth_getattr_shadow($1_t)
-@@ -1152,20 +1288,6 @@
+@@ -1152,20 +1292,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -32254,7 +32288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1333,7 @@
+@@ -1211,6 +1337,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -32262,7 +32296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1276,11 +1399,15 @@
+@@ -1276,11 +1403,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -32278,7 +32312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1391,12 +1518,13 @@
+@@ -1391,12 +1522,13 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -32293,7 +32327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1429,6 +1557,14 @@
+@@ -1429,6 +1561,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -32308,7 +32342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1444,9 +1580,11 @@
+@@ -1444,9 +1584,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -32320,7 +32354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1503,6 +1641,42 @@
+@@ -1503,6 +1645,42 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -32363,7 +32397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1577,6 +1751,8 @@
+@@ -1577,6 +1755,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -32372,7 +32406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1619,6 +1795,24 @@
+@@ -1619,6 +1799,24 @@
  
  ########################################
  ## <summary>
@@ -32397,7 +32431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1670,6 +1864,7 @@
+@@ -1670,6 +1868,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -32405,7 +32439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1686,11 +1881,11 @@
+@@ -1686,11 +1885,11 @@
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -32420,7 +32454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1797,19 +1992,32 @@
+@@ -1797,19 +1996,32 @@
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -32460,7 +32494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1844,6 +2052,7 @@
+@@ -1844,6 +2056,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -32468,7 +32502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2196,7 +2405,7 @@
+@@ -2196,7 +2409,7 @@
  
  ########################################
  ## <summary>
@@ -32477,7 +32511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -2205,37 +2414,56 @@
+@@ -2205,31 +2418,50 @@
  ##	</summary>
  ## </param>
  #
@@ -32512,13 +32546,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 -	allow $1 user_tmp_t:dir list_dir_perms;
--	files_search_tmp($1)
 +	dontaudit $1 user_tmp_t:file manage_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete user
++')
++
++########################################
++## <summary>
 +##	Read user temporary symbolic links.
 +## </summary>
 +## <param name="domain">
@@ -32534,16 +32566,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 +	allow $1 user_tmp_t:dir list_dir_perms;
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete user
- ##	temporary directories.
- ## </summary>
- ## <param name="domain">
-@@ -2276,6 +2504,46 @@
+ 	files_search_tmp($1)
+ ')
+ 
+@@ -2276,6 +2508,46 @@
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -32590,7 +32616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	temporary symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2391,7 +2659,7 @@
+@@ -2391,7 +2663,7 @@
  
  ########################################
  ## <summary>
@@ -32599,7 +32625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2399,19 +2667,21 @@
+@@ -2399,19 +2671,21 @@
  ##	</summary>
  ## </param>
  #
@@ -32625,7 +32651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2419,15 +2689,14 @@
+@@ -2419,15 +2693,14 @@
  ##	</summary>
  ## </param>
  #
@@ -32645,7 +32671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2749,7 +3018,7 @@
+@@ -2749,7 +3022,7 @@
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -32654,7 +32680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2765,11 +3034,32 @@
+@@ -2765,11 +3038,32 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -32689,7 +32715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2897,7 +3187,43 @@
+@@ -2897,7 +3191,43 @@
  		type user_tmp_t;
  	')
  
@@ -32734,7 +32760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2934,6 +3260,7 @@
+@@ -2934,6 +3264,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -32742,7 +32768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3391,578 @@
+@@ -3064,3 +3395,578 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')