diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 31d2fc6..83ee110 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1362,7 +1362,7 @@ index cc8df9d..90467f3 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index 0fd5c5f..643341a 100644
+index 0fd5c5f..a14addb 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -20,13 +20,20 @@ type bootloader_t;
@@ -1477,7 +1477,7 @@ index 0fd5c5f..643341a 100644
-seutil_dontaudit_search_config(bootloader_t)
-userdom_use_user_terminals(bootloader_t)
-+userdom_getattr_user_tmpfs_files(bootloader_t)
++userdom_getattr_user_tmp_files(bootloader_t)
+userdom_use_inherited_user_terminals(bootloader_t)
userdom_dontaudit_search_user_home_dirs(bootloader_t)
@@ -9567,7 +9567,7 @@ index b876c48..bbd0e79 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..002283d 100644
+index f962f76..51c5d2c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11274,15 +11274,16 @@ index f962f76..002283d 100644
##
##
#
-@@ -4289,6 +5235,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5235,8 @@ interface(`files_search_tmp',`
type tmp_t;
')
++ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5272,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5273,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11290,7 +11291,7 @@ index f962f76..002283d 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5282,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5283,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -11299,7 +11300,7 @@ index f962f76..002283d 100644
##
##
#
-@@ -4346,6 +5294,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5295,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -11325,7 +11326,7 @@ index f962f76..002283d 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4361,6 +5328,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5329,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11333,7 +11334,7 @@ index f962f76..002283d 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5370,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5371,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -11366,7 +11367,7 @@ index f962f76..002283d 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,6 +5450,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5451,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -11409,7 +11410,7 @@ index f962f76..002283d 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4474,6 +5504,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5505,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -11470,7 +11471,7 @@ index f962f76..002283d 100644
## List all tmp directories.
##
##
-@@ -4519,7 +5603,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5604,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -11479,7 +11480,7 @@ index f962f76..002283d 100644
##
##
#
-@@ -4579,7 +5663,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5664,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -11488,7 +11489,7 @@ index f962f76..002283d 100644
##
##
#
-@@ -4611,6 +5695,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5696,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -11533,7 +11534,7 @@ index f962f76..002283d 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4664,6 +5786,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5787,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11550,7 +11551,7 @@ index f962f76..002283d 100644
')
########################################
-@@ -5112,6 +6244,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6245,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
@@ -11575,7 +11576,7 @@ index f962f76..002283d 100644
## Read system.map in the /boot directory.
##
##
-@@ -5241,6 +6391,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6392,24 @@ interface(`files_list_var',`
########################################
##
@@ -11600,7 +11601,7 @@ index f962f76..002283d 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5328,7 +6496,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6497,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -11609,7 +11610,7 @@ index f962f76..002283d 100644
')
########################################
-@@ -5527,6 +6695,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6696,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -11635,7 +11636,7 @@ index f962f76..002283d 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6783,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6784,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11661,7 +11662,7 @@ index f962f76..002283d 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6847,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6848,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11670,7 +11671,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -5649,12 +6855,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6856,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11686,7 +11687,7 @@ index f962f76..002283d 100644
')
########################################
-@@ -5672,6 +6879,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6880,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11694,7 +11695,7 @@ index f962f76..002283d 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6906,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6907,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11722,7 +11723,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -5706,13 +6933,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6934,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11739,7 +11740,7 @@ index f962f76..002283d 100644
')
########################################
-@@ -5731,7 +6957,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6958,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11748,7 +11749,7 @@ index f962f76..002283d 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6990,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6991,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11756,7 +11757,7 @@ index f962f76..002283d 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +7004,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7005,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11765,7 +11766,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -5787,13 +7012,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7013,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11800,7 +11801,7 @@ index f962f76..002283d 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7054,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7055,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11818,7 +11819,7 @@ index f962f76..002283d 100644
')
########################################
-@@ -5834,9 +7078,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7079,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11829,7 +11830,7 @@ index f962f76..002283d 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7120,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7121,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11839,7 +11840,7 @@ index f962f76..002283d 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7142,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7143,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11849,7 +11850,7 @@ index f962f76..002283d 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7179,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7180,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11859,7 +11860,7 @@ index f962f76..002283d 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7218,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7219,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11868,7 +11869,7 @@ index f962f76..002283d 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7238,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7239,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11917,7 +11918,7 @@ index f962f76..002283d 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,6 +7302,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7303,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -11943,7 +11944,7 @@ index f962f76..002283d 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6039,7 +7335,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7336,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11952,7 +11953,7 @@ index f962f76..002283d 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7354,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7355,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11961,7 +11962,7 @@ index f962f76..002283d 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7374,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7375,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11970,7 +11971,7 @@ index f962f76..002283d 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7436,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7437,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11978,7 +11979,7 @@ index f962f76..002283d 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7464,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7465,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -12003,7 +12004,7 @@ index f962f76..002283d 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7495,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7496,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -12012,7 +12013,7 @@ index f962f76..002283d 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7562,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7563,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -12075,7 +12076,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6305,42 +7606,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7607,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -12125,7 +12126,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6348,18 +7642,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7643,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -12149,7 +12150,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6367,37 +7661,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7662,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -12201,7 +12202,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6405,18 +7702,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7703,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -12224,7 +12225,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6424,18 +7720,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7721,18 @@ interface(`files_list_spool',`
##
##
#
@@ -12248,7 +12249,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6443,19 +7739,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7740,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -12273,7 +12274,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6463,55 +7758,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7759,43 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -12344,7 +12345,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6519,53 +7802,68 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +7803,68 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -12451,7 +12452,7 @@ index f962f76..002283d 100644
##
##
##
-@@ -6573,10 +7871,784 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7872,784 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -20290,10 +20291,10 @@ index 0000000..b1163a6
+')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..a3fe7f6
+index 0000000..13a745c
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,340 @@
+@@ -0,0 +1,339 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -20329,7 +20330,6 @@ index 0000000..a3fe7f6
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
-+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_unpriv_type(unconfined_t)
+
+type unconfined_exec_t;
@@ -21447,7 +21447,7 @@ index 76d9f66..5c271ce 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..e8dcfa7 100644
+index fe0c682..eb9cefe 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -21569,7 +21569,7 @@ index fe0c682..e8dcfa7 100644
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
-@@ -181,16 +205,18 @@ template(`ssh_server_template', `
+@@ -181,20 +205,23 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -21590,8 +21590,15 @@ index fe0c682..e8dcfa7 100644
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
term_create_pty($1_t, $1_devpts_t)
- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-@@ -206,6 +232,7 @@ template(`ssh_server_template', `
+- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++ #manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++ #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++ userdom_manage_tmp_role(system_r, sshd_t)
+
+ allow $1_t $1_var_run_t:file manage_file_perms;
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+@@ -206,6 +233,7 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
kernel_read_network_state($1_t)
@@ -21599,7 +21606,7 @@ index fe0c682..e8dcfa7 100644
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -220,10 +247,13 @@ template(`ssh_server_template', `
+@@ -220,10 +248,13 @@ template(`ssh_server_template', `
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
@@ -21615,7 +21622,7 @@ index fe0c682..e8dcfa7 100644
auth_rw_login_records($1_t)
auth_rw_faillog($1_t)
-@@ -234,6 +264,7 @@ template(`ssh_server_template', `
+@@ -234,6 +265,7 @@ template(`ssh_server_template', `
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
@@ -21623,7 +21630,7 @@ index fe0c682..e8dcfa7 100644
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -241,35 +272,33 @@ template(`ssh_server_template', `
+@@ -241,35 +273,33 @@ template(`ssh_server_template', `
logging_search_logs($1_t)
@@ -21670,7 +21677,7 @@ index fe0c682..e8dcfa7 100644
')
########################################
-@@ -292,14 +321,15 @@ template(`ssh_server_template', `
+@@ -292,14 +322,15 @@ template(`ssh_server_template', `
## User domain for the role
##
##
@@ -21687,7 +21694,7 @@ index fe0c682..e8dcfa7 100644
')
##############################
-@@ -328,103 +358,56 @@ template(`ssh_role_template',`
+@@ -328,103 +359,56 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -21801,7 +21808,7 @@ index fe0c682..e8dcfa7 100644
')
########################################
-@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',`
+@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -21830,7 +21837,7 @@ index fe0c682..e8dcfa7 100644
########################################
##
## Read and write a ssh server unnamed pipe.
-@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',`
+@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -21839,7 +21846,7 @@ index fe0c682..e8dcfa7 100644
')
########################################
-@@ -605,6 +607,24 @@ interface(`ssh_domtrans',`
+@@ -605,6 +608,24 @@ interface(`ssh_domtrans',`
########################################
##
@@ -21864,7 +21871,7 @@ index fe0c682..e8dcfa7 100644
## Execute the ssh client in the caller domain.
##
##
-@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',`
+@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -21873,7 +21880,7 @@ index fe0c682..e8dcfa7 100644
files_search_pids($1)
')
-@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',`
+@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',`
########################################
##
@@ -21916,7 +21923,7 @@ index fe0c682..e8dcfa7 100644
## Read ssh home directory content
##
##
-@@ -701,6 +757,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',`
########################################
##
@@ -21967,7 +21974,7 @@ index fe0c682..e8dcfa7 100644
## Read ssh server keys
##
##
-@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +815,26 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -21995,7 +22002,7 @@ index fe0c682..e8dcfa7 100644
')
######################################
-@@ -754,3 +873,150 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +874,150 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -22147,7 +22154,7 @@ index fe0c682..e8dcfa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..b153547 100644
+index cc877c7..bdb6d0e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
@@ -22233,7 +22240,14 @@ index cc877c7..b153547 100644
type ssh_t;
type ssh_exec_t;
-@@ -73,9 +98,11 @@ type ssh_home_t;
+@@ -67,15 +92,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+ type ssh_tmpfs_t;
+ typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+ typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+-userdom_user_tmpfs_file(ssh_tmpfs_t)
++userdom_user_tmp_file(ssh_tmpfs_t)
+
+ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
@@ -22255,7 +22269,7 @@ index cc877c7..b153547 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
-@@ -93,15 +121,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -93,50 +121,55 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -22272,7 +22286,9 @@ index cc877c7..b153547 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -110,33 +134,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+ manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+-fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -22442,7 +22458,7 @@ index cc877c7..b153547 100644
+
+userdom_read_user_home_content_files(sshd_t)
+userdom_read_user_home_content_symlinks(sshd_t)
-+userdom_manage_tmp_role(system_r, sshd_t)
++#userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+userdom_dyntransition_unpriv_users(sshd_t)
@@ -22788,7 +22804,7 @@ index cc877c7..b153547 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..4dda124 100644
+index 8274418..4eee56a 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -22850,7 +22866,7 @@ index 8274418..4dda124 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -22859,10 +22875,7 @@ index 8274418..4dda124 100644
-/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.X11-unix/.* -s <>
-+/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
-+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
#
# /usr
@@ -22891,7 +22904,7 @@ index 8274418..4dda124 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,18 +130,32 @@ ifndef(`distro_debian',`
+@@ -92,18 +127,32 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -22928,7 +22941,7 @@ index 8274418..4dda124 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -112,6 +164,16 @@ ifndef(`distro_debian',`
+@@ -112,6 +161,16 @@ ifndef(`distro_debian',`
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -22946,7 +22959,7 @@ index 8274418..4dda124 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..bf98136 100644
+index 6bf0ecc..2469c27 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -23127,7 +23140,16 @@ index 6bf0ecc..bf98136 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +229,13 @@ interface(`xserver_user_client',`
+@@ -282,7 +220,7 @@ interface(`xserver_non_drawing_client',`
+ interface(`xserver_user_client',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ ')
+
+@@ -291,14 +229,14 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -23140,11 +23162,13 @@ index 6bf0ecc..bf98136 100644
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
- allow $1 xdm_tmp_t:dir search;
+- allow $1 xdm_tmp_t:sock_file { read write };
+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+ allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:sock_file { read write };
++ userdom_search_user_tmp_dirs($1)
++ userdom_rw_user_tmp_sock_files($1)
dontaudit $1 xdm_t:tcp_socket { read write };
+ # Allow connections to X server.
@@ -316,7 +254,7 @@ interface(`xserver_user_client',`
xserver_read_xdm_tmp_files($1)
@@ -23207,7 +23231,7 @@ index 6bf0ecc..bf98136 100644
gen_require(`
- type xdm_t, xdm_tmp_t;
- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
-+ type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++ type xdm_t, xserver_tmpfs_t;
+ type xdm_home_t;
+ type xauth_home_t, iceauth_home_t, xserver_t;
')
@@ -23222,10 +23246,11 @@ index 6bf0ecc..bf98136 100644
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
-+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
- allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:dir search_dir_perms;
- allow $2 xdm_tmp_t:sock_file { read write };
-+ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
++ userdom_search_user_tmp_dirs($2)
++ userdom_rw_user_tmp_sock_files($2)
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
@@ -23237,7 +23262,8 @@ index 6bf0ecc..bf98136 100644
+ xserver_ro_session($2, $3)
xserver_use_user_fonts($2)
- xserver_read_xdm_tmp_files($2)
+- xserver_read_xdm_tmp_files($2)
++ userdom_read_user_tmp_files($2)
+ xserver_read_xdm_pid($2)
+ xserver_xdm_append_log($2)
@@ -23437,18 +23463,19 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -765,11 +817,91 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
- type xdm_t, xdm_tmp_t;
-+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
++ type xdm_t, xdm_var_run_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ files_search_pids($1)
-+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++ stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
++ userdom_stream_connect($1)
+')
+
+########################################
@@ -23531,7 +23558,7 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -793,6 +925,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +926,21 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -23544,12 +23571,8 @@ index 6bf0ecc..bf98136 100644
+##
+#
+interface(`xserver_search_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 xdm_tmp_t:dir search_dir_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
++ userdom_search_user_tmp_dirs($1)
+')
+
+########################################
@@ -23557,14 +23580,18 @@ index 6bf0ecc..bf98136 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -806,7 +957,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
- type xdm_tmp_t;
- ')
+@@ -802,11 +950,23 @@ interface(`xserver_read_xdm_rw_config',`
+ ##
+ #
+ interface(`xserver_setattr_xdm_tmp_dirs',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
++')
- allow $1 xdm_tmp_t:dir setattr;
-+ allow $1 xdm_tmp_t:dir setattr_dir_perms;
-+')
-+
+########################################
+##
+## Dont audit attempts to set the attributes of XDM temporary directories.
@@ -23576,15 +23603,28 @@ index 6bf0ecc..bf98136 100644
+##
+#
+interface(`xserver_dontaudit_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
+ ')
+
+ ########################################
+@@ -821,13 +981,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ ##
+ #
+ interface(`xserver_create_xdm_tmp_sockets',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 xdm_tmp_t:dir list_dir_perms;
+- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
++ userdom_create_user_tmp_sockets($1)
')
########################################
-@@ -846,7 +1015,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1001,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -23612,7 +23652,7 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -864,7 +1052,26 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -864,7 +1038,26 @@ interface(`xserver_read_xdm_lib_files',`
type xdm_var_lib_t;
')
@@ -23640,7 +23680,7 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',`
+@@ -938,26 +1131,45 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -23650,15 +23690,21 @@ index 6bf0ecc..bf98136 100644
-########################################
+#######################################
-+##
+ ##
+-## Do not audit attempts to write the X server
+-## log files.
+## Allow domain to read X server logs.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain to not audit.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`xserver_dontaudit_write_log',`
+interface(`xserver_read_log',`
+ gen_require(`
+ type xserver_log_t;
@@ -23669,10 +23715,18 @@ index 6bf0ecc..bf98136 100644
+')
+
+########################################
- ##
- ## Do not audit attempts to write the X server
- ## log files.
-@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',`
++##
++## Do not audit attempts to write the X server
++## log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_write_log',`
+ gen_require(`
type xserver_log_t;
')
@@ -23681,57 +23735,71 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -1004,6 +1230,84 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,7 +1216,7 @@ interface(`xserver_read_xkb_libs',`
########################################
##
+-## Read xdm temporary files.
+## Manage X keyboard extension libraries.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1012,51 +1224,117 @@ interface(`xserver_read_xkb_libs',`
+ ##
+ ##
+ #
+-interface(`xserver_read_xdm_tmp_files',`
+interface(`xserver_manage_xkb_libs',`
-+ gen_require(`
+ gen_require(`
+- type xdm_tmp_t;
+ type xkb_var_lib_t;
-+ ')
-+
+ ')
+
+- files_search_tmp($1)
+- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ files_search_var_lib($1)
+ allow $1 xkb_var_lib_t:dir list_dir_perms;
+ manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read xdm temporary files.
+## dontaudit access checks X keyboard extension libraries.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`xserver_dontaudit_read_xdm_tmp_files',`
+interface(`xserver_dontaudit_xkb_libs_access',`
-+ gen_require(`
+ gen_require(`
+- type xdm_tmp_t;
+ type xkb_var_lib_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+- dontaudit $1 xdm_tmp_t:file read_file_perms;
+ dontaudit $1 xkb_var_lib_t:dir audit_access;
+ dontaudit $1 xkb_var_lib_t:file audit_access;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read write xdm temporary files.
+## Read xdm config files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`xserver_rw_xdm_tmp_files',`
+interface(`xserver_read_xdm_etc_files',`
+ gen_require(`
+ type xdm_etc_t;
@@ -23753,32 +23821,76 @@ index 6bf0ecc..bf98136 100644
+##
+#
+interface(`xserver_manage_xdm_etc_files',`
-+ gen_require(`
+ gen_require(`
+- type xdm_tmp_t;
+ type xdm_etc_t;
-+ ')
-+
+ ')
+
+- allow $1 xdm_tmp_t:dir search_dir_perms;
+- allow $1 xdm_tmp_t:file rw_file_perms;
+ files_search_etc($1)
+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+##
- ## Read xdm temporary files.
- ##
- ##
-@@ -1017,7 +1321,7 @@ interface(`xserver_read_xdm_tmp_files',`
- type xdm_tmp_t;
- ')
-
-- files_search_tmp($1)
-+ files_search_tmp($1)
- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++## Read xdm temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_xdm_tmp_files',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
++ userdom_read_user_tmpfs_files($1)
++')
++
++########################################
++##
++## Do not audit attempts to read xdm temporary files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_read_xdm_tmp_files',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
++ userdom_dontaudit_read_user_tmp_files($1)
++')
++
++########################################
++##
++## Read write xdm temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_rw_xdm_tmp_files',`
++ refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
++ userdom_rw_user_tmpfs_files($1)
')
-@@ -1079,6 +1383,42 @@ interface(`xserver_manage_xdm_tmp_files',`
-
########################################
- ##
+@@ -1070,11 +1348,38 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_manage_xdm_tmp_files',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
++ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
++ userdom_manage_user_tmp_files($1)
++')
++
++########################################
++##
+## Create, read, write, and delete xdm temporary dirs.
+##
+##
@@ -23788,13 +23900,11 @@ index 6bf0ecc..bf98136 100644
+##
+#
+interface(`xserver_relabel_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
++ userdom_relabel_user_tmp_dirs($1)
+')
-+
+
+- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+########################################
+##
+## Create, read, write, and delete xdm temporary dirs.
@@ -23806,28 +23916,26 @@ index 6bf0ecc..bf98136 100644
+##
+#
+interface(`xserver_manage_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes of
- ## xdm temporary named sockets.
- ##
-@@ -1093,7 +1433,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
- type xdm_tmp_t;
- ')
++ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
++ userdom_manage_user_tmp_dirs($1)
+ ')
+ ########################################
+@@ -1089,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
++ refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
++ usedom_dontaudit_user_getattr_tmp_sockets($1)
')
########################################
-@@ -1111,8 +1451,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1413,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -23839,7 +23947,7 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -1210,6 +1552,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1514,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
##
@@ -23865,7 +23973,7 @@ index 6bf0ecc..bf98136 100644
## Connect to the X server over a unix domain
## stream socket.
##
-@@ -1226,6 +1587,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1549,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -23892,7 +24000,7 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -1251,7 +1632,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1594,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -23901,7 +24009,7 @@ index 6bf0ecc..bf98136 100644
##
##
##
-@@ -1261,13 +1642,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1604,27 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -23930,7 +24038,7 @@ index 6bf0ecc..bf98136 100644
')
########################################
-@@ -1284,10 +1679,664 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1641,657 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -24203,11 +24311,8 @@ index 6bf0ecc..bf98136 100644
+##
+#
+interface(`xserver_append_xdm_tmp_files',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ allow $1 xdm_tmp_t:file append_inherited_file_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
++ userdom_append_user_tmp_files($1)
+')
+
+########################################
@@ -24553,12 +24658,8 @@ index 6bf0ecc..bf98136 100644
+##
+#
+interface(`xserver_xdm_tmp_filetrans',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
-+ files_search_tmp($1)
++ refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
++ userdom_user_tmp_filetrans($1,$2, $3, $4)
+')
+
+########################################
@@ -24598,7 +24699,7 @@ index 6bf0ecc..bf98136 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..f0e5cc0 100644
+index 8b40377..e3f28af 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -24758,22 +24859,18 @@ index 8b40377..f0e5cc0 100644
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -175,13 +225,27 @@ files_type(xdm_var_lib_t)
+@@ -175,13 +225,21 @@ files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
+-type xdm_tmp_t;
+-files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias ice_tmp_t;
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
-+
- type xdm_tmp_t;
- files_tmp_file(xdm_tmp_t)
--typealias xdm_tmp_t alias ice_tmp_t;
-+typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
-+typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-+userdom_user_tmp_file(xserver_tmp_t)
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
@@ -24787,7 +24884,7 @@ index 8b40377..f0e5cc0 100644
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -194,14 +258,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -194,15 +252,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -24801,12 +24898,14 @@ index 8b40377..f0e5cc0 100644
type xserver_tmpfs_t;
-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+-userdom_user_tmpfs_file(xserver_tmpfs_t)
+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
- userdom_user_tmpfs_file(xserver_tmpfs_t)
++userdom_user_tmp_file(xserver_tmpfs_t)
type xsession_exec_t;
-@@ -226,21 +288,35 @@ optional_policy(`
+ corecmd_executable_file(xsession_exec_t)
+@@ -226,21 +282,35 @@ optional_policy(`
#
allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -24849,7 +24948,7 @@ index 8b40377..f0e5cc0 100644
')
########################################
-@@ -248,48 +324,91 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +318,91 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -24941,18 +25040,18 @@ index 8b40377..f0e5cc0 100644
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
')
optional_policy(`
++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
++')
++
++optional_policy(`
+ ssh_use_ptys(xauth_t)
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +419,109 @@ optional_policy(`
+@@ -300,64 +413,103 @@ optional_policy(`
# XDM Local policy
#
@@ -24980,14 +25079,14 @@ index 8b40377..f0e5cc0 100644
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
+allow xdm_t self:dbus { send_msg acquire_svc };
-
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++
+allow xdm_t xauth_home_t:file manage_file_perms;
+
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-+
+
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+xserver_filetrans_home_content(xdm_t)
@@ -25011,15 +25110,12 @@ index 8b40377..f0e5cc0 100644
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
- manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
-+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+can_exec(xdm_t, xdm_tmp_t)
++userdom_manage_all_user_tmp_content(xdm_t)
++userdom_exec_user_tmp_files(xdm_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -25072,7 +25168,7 @@ index 8b40377..f0e5cc0 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +530,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +518,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -25105,7 +25201,7 @@ index 8b40377..f0e5cc0 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +563,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -25159,7 +25255,7 @@ index 8b40377..f0e5cc0 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +616,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +604,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -25188,7 +25284,7 @@ index 8b40377..f0e5cc0 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +646,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +634,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25237,7 +25333,7 @@ index 8b40377..f0e5cc0 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +693,155 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +681,155 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -25245,7 +25341,7 @@ index 8b40377..f0e5cc0 100644
+userdom_manage_user_tmp_dirs(xdm_t)
+userdom_manage_user_tmp_files(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
-+userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_manage_tmp_role(system_r, xdm_t)
+
+#userdom_home_manager(xdm_t)
+tunable_policy(`xdm_write_home',`
@@ -25399,7 +25495,7 @@ index 8b40377..f0e5cc0 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -503,11 +855,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +843,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -25426,7 +25522,7 @@ index 8b40377..f0e5cc0 100644
')
optional_policy(`
-@@ -517,9 +884,34 @@ optional_policy(`
+@@ -517,9 +872,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -25462,7 +25558,7 @@ index 8b40377..f0e5cc0 100644
')
')
-@@ -530,6 +922,20 @@ optional_policy(`
+@@ -530,6 +910,20 @@ optional_policy(`
')
optional_policy(`
@@ -25483,7 +25579,7 @@ index 8b40377..f0e5cc0 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +953,78 @@ optional_policy(`
+@@ -547,28 +941,78 @@ optional_policy(`
')
optional_policy(`
@@ -25571,7 +25667,7 @@ index 8b40377..f0e5cc0 100644
')
optional_policy(`
-@@ -580,6 +1036,14 @@ optional_policy(`
+@@ -580,6 +1024,14 @@ optional_policy(`
')
optional_policy(`
@@ -25586,7 +25682,7 @@ index 8b40377..f0e5cc0 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1046,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -25595,7 +25691,7 @@ index 8b40377..f0e5cc0 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1056,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -25608,7 +25704,7 @@ index 8b40377..f0e5cc0 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1073,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -25624,7 +25720,7 @@ index 8b40377..f0e5cc0 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1089,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -25635,7 +25731,7 @@ index 8b40377..f0e5cc0 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1104,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -25672,7 +25768,7 @@ index 8b40377..f0e5cc0 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1150,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -25704,7 +25800,7 @@ index 8b40377..f0e5cc0 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1183,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -25719,7 +25815,7 @@ index 8b40377..f0e5cc0 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1216,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1204,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -25743,7 +25839,7 @@ index 8b40377..f0e5cc0 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1223,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -25752,7 +25848,7 @@ index 8b40377..f0e5cc0 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1279,44 @@ optional_policy(`
+@@ -785,17 +1267,44 @@ optional_policy(`
')
optional_policy(`
@@ -25799,7 +25895,7 @@ index 8b40377..f0e5cc0 100644
')
optional_policy(`
-@@ -803,6 +1324,10 @@ optional_policy(`
+@@ -803,6 +1312,10 @@ optional_policy(`
')
optional_policy(`
@@ -25810,7 +25906,7 @@ index 8b40377..f0e5cc0 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,10 +1343,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1331,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -25823,9 +25919,11 @@ index 8b40377..f0e5cc0 100644
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
- manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1354,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
- manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
++userdom_manage_user_tmp_files(xserver_t)
++userdom_manage_user_tmp_sockets(xserver_t)
# Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
@@ -25833,7 +25931,7 @@ index 8b40377..f0e5cc0 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1367,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1354,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -25868,7 +25966,7 @@ index 8b40377..f0e5cc0 100644
')
optional_policy(`
-@@ -912,7 +1432,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1419,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25877,7 +25975,7 @@ index 8b40377..f0e5cc0 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1486,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1473,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -25909,7 +26007,7 @@ index 8b40377..f0e5cc0 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1532,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1519,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -25987,7 +26085,6 @@ index 8b40377..f0e5cc0 100644
+
+stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
+allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
-+dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms;
+files_search_tmp(x_userdomain)
+
+# Communicate via System V shared memory.
@@ -26014,10 +26111,9 @@ index 8b40377..f0e5cc0 100644
+# for when /tmp/.X11-unix is created by the system
+allow x_userdomain xdm_t:fd use;
+allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
-+allow x_userdomain xdm_tmp_t:dir search_dir_perms;
-+allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++userdom_search_user_tmp_dirs(x_userdomain)
++userdom_rw_user_tmp_sock_files(x_userdomain)
+dontaudit x_userdomain xdm_t:tcp_socket { read write };
-+dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms;
+
+allow x_userdomain xdm_t:dbus send_msg;
+allow xdm_t x_userdomain:dbus send_msg;
@@ -33466,7 +33562,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..13c21e8 100644
+index 59b04c1..5d3197b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -33816,7 +33912,7 @@ index 59b04c1..13c21e8 100644
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_user_home_dirs(syslogd_t)
+userdom_search_user_home_dirs(syslogd_t)
-+userdom_rw_inherited_user_tmpfs_files(syslogd_t)
++userdom_rw_inherited_user_tmp_files(syslogd_t)
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -35622,7 +35718,7 @@ index 4584457..c2ae1ea 100644
+')
+
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 459a0ef..00b82b3 100644
+index 459a0ef..9933cad 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
@@ -36045,7 +36141,7 @@ index 459a0ef..00b82b3 100644
+manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
-+userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++userdom_rw_user_tmp_files(mount_ecryptfs_t)
+
+domain_use_interactive_fds(mount_ecryptfs_t)
+
@@ -42134,10 +42230,10 @@ index 5fe902d..fcc9efe 100644
+ rpm_transition_script(unconfined_service_t, system_r)
')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..4ca3a28 100644
+index db75976..8f5380f 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,28 @@
+@@ -1,4 +1,34 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -42162,13 +42258,19 @@ index db75976..4ca3a28 100644
+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+
++/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++
++
++
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
+
+/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..139edc7 100644
+index 9dc60c6..9464dee 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42565,7 +42667,7 @@ index 9dc60c6..139edc7 100644
##
##
## Role allowed access.
-@@ -287,17 +405,66 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +405,65 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
@@ -42589,6 +42691,7 @@ index 9dc60c6..139edc7 100644
+ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++ fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
@@ -42596,8 +42699,6 @@ index 9dc60c6..139edc7 100644
+ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+')
+
-+
-+
+#######################################
+##
+## Dontaudit search of user bin dirs.
@@ -42637,7 +42738,7 @@ index 9dc60c6..139edc7 100644
')
#######################################
-@@ -317,11 +484,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +483,31 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -42669,32 +42770,22 @@ index 9dc60c6..139edc7 100644
## Role access for the user tmpfs type
## that the user has full access.
##
-@@ -348,59 +535,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,60 +533,45 @@ interface(`userdom_exec_user_tmp_files',`
+ ##
#
interface(`userdom_manage_tmpfs_role',`
- gen_require(`
-+ attribute user_tmpfs_type;
- type user_tmpfs_t;
- ')
-
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-+ role $1 types user_tmpfs_t;
-+
-+ manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+ relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
++ userdom_manage_tmp_role($1,$2)
')
#######################################
@@ -42717,10 +42808,12 @@ index 9dc60c6..139edc7 100644
- gen_require(`
- type $1_t;
- ')
--
++interface(`userdom_basic_networking',`
+
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
++ allow $1 self:tcp_socket create_stream_socket_perms;
++ allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
@@ -42732,9 +42825,7 @@ index 9dc60c6..139edc7 100644
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
-+ allow $1 self:tcp_socket create_stream_socket_perms;
-+ allow $1 self:udp_socket create_socket_perms;
-
+-
- corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
@@ -42760,7 +42851,7 @@ index 9dc60c6..139edc7 100644
')
#######################################
-@@ -431,6 +619,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +602,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -42768,7 +42859,7 @@ index 9dc60c6..139edc7 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -463,8 +652,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +635,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -42779,7 +42870,7 @@ index 9dc60c6..139edc7 100644
')
')
-@@ -491,51 +680,63 @@ template(`userdom_common_user_template',`
+@@ -491,51 +663,63 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -42813,27 +42904,27 @@ index 9dc60c6..139edc7 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corecmd_exec_bin($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -42867,7 +42958,7 @@ index 9dc60c6..139edc7 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +747,132 @@ template(`userdom_common_user_template',`
+@@ -546,93 +730,132 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -42950,18 +43041,20 @@ index 9dc60c6..139edc7 100644
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
+ ')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- bluetooth_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
+ evolution_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
-+
+ ')
+
+ optional_policy(`
+ firewalld_dbus_chat($1_usertype)
+ ')
@@ -42973,17 +43066,15 @@ index 9dc60c6..139edc7 100644
+ optional_policy(`
+ gnome_dbus_chat_gconfdefault($1_usertype)
+ ')
-
- optional_policy(`
-- bluetooth_dbus_chat($1_t)
++
++ optional_policy(`
+ hal_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ kde_dbus_chat_backlighthelper($1_usertype)
- ')
-
++ ')
++
+ optional_policy(`
+ memcached_stream_connect($1_usertype)
+ ')
@@ -43038,7 +43129,7 @@ index 9dc60c6..139edc7 100644
')
optional_policy(`
-@@ -642,23 +882,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +865,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -43067,7 +43158,7 @@ index 9dc60c6..139edc7 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +909,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +892,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -43076,7 +43167,7 @@ index 9dc60c6..139edc7 100644
')
optional_policy(`
-@@ -680,9 +918,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +901,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -43089,7 +43180,7 @@ index 9dc60c6..139edc7 100644
')
')
-@@ -693,32 +931,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +914,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -43099,27 +43190,31 @@ index 9dc60c6..139edc7 100644
+
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
++ ')
++
++ optional_policy(`
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
-+ seunshare_role_template($1, $1_r, $1_t)
++ slrnpull_search_spool($1_usertype)
')
optional_policy(`
@@ -43128,15 +43223,11 @@ index 9dc60c6..139edc7 100644
- virt_home_filetrans_virt_content($1_t, dir, "isos")
- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
-+ slrnpull_search_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ thumb_role($1_r, $1_usertype)
')
')
-@@ -743,17 +984,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +967,32 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -43152,10 +43243,7 @@ index 9dc60c6..139edc7 100644
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
+
@@ -43166,7 +43254,9 @@ index 9dc60c6..139edc7 100644
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -43174,7 +43264,7 @@ index 9dc60c6..139edc7 100644
userdom_change_password_template($1)
-@@ -761,83 +1018,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +1000,107 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -43263,13 +43353,13 @@ index 9dc60c6..139edc7 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
+
+- seutil_read_config($1_t)
+ seutil_read_config($1_usertype)
+ seutil_read_file_contexts($1_usertype)
+ seutil_read_default_contexts($1_usertype)
+ seutil_exec_setfiles($1_usertype)
-
-- seutil_read_config($1_t)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -43318,7 +43408,7 @@ index 9dc60c6..139edc7 100644
')
#######################################
-@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1131,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -43331,7 +43421,7 @@ index 9dc60c6..139edc7 100644
##############################
#
# Local policy
-@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1176,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -43349,15 +43439,23 @@ index 9dc60c6..139edc7 100644
+ dev_dontaudit_read_rand($1_usertype)
+ # temporarily allow since openoffice requires this
+ dev_read_rand($1_usertype)
-+
+
+- logging_send_syslog_msg($1_t)
+- logging_dontaudit_send_audit_msgs($1_t)
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+ dev_rw_wireless($1_usertype)
-+
+
+- # Need to to this just so screensaver will work. Should be moved to screensaver domain
+- logging_send_audit_msgs($1_t)
+- selinux_get_enforce_mode($1_t)
+ libs_dontaudit_setattr_lib_files($1_usertype)
-+
+
+- xserver_restricted_role($1_r, $1_t)
+ init_read_state($1_usertype)
-+
+
+- optional_policy(`
+- alsa_read_rw_config($1_t)
+ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ dev_rw_usbfs($1_t)
+ dev_rw_generic_usb_dev($1_usertype)
@@ -43369,21 +43467,19 @@ index 9dc60c6..139edc7 100644
+ storage_raw_read_removable_device($1_usertype)
+ storage_raw_write_removable_device($1_usertype)
+ ')
-
- logging_send_syslog_msg($1_t)
- logging_dontaudit_send_audit_msgs($1_t)
-
- # Need to to this just so screensaver will work. Should be moved to screensaver domain
-- logging_send_audit_msgs($1_t)
- selinux_get_enforce_mode($1_t)
++
++ logging_send_syslog_msg($1_t)
++ logging_dontaudit_send_audit_msgs($1_t)
++
++ # Need to to this just so screensaver will work. Should be moved to screensaver domain
++ selinux_get_enforce_mode($1_t)
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
-
- xserver_restricted_role($1_r, $1_t)
-
- optional_policy(`
-- alsa_read_rw_config($1_t)
++
++ xserver_restricted_role($1_r, $1_t)
++
++ optional_policy(`
+ alsa_read_rw_config($1_usertype)
+ ')
+
@@ -43482,7 +43578,7 @@ index 9dc60c6..139edc7 100644
')
#######################################
-@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1340,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -43520,7 +43616,7 @@ index 9dc60c6..139edc7 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1395,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1377,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -43572,16 +43668,16 @@ index 9dc60c6..139edc7 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
-+ ')
-+
-+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@@ -43591,7 +43687,7 @@ index 9dc60c6..139edc7 100644
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1457,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1439,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -43602,7 +43698,7 @@ index 9dc60c6..139edc7 100644
')
')
-@@ -1079,7 +1495,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1477,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -43613,7 +43709,7 @@ index 9dc60c6..139edc7 100644
')
##############################
-@@ -1095,6 +1513,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1495,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -43621,7 +43717,7 @@ index 9dc60c6..139edc7 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1524,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1506,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -43638,7 +43734,7 @@ index 9dc60c6..139edc7 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1541,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1523,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -43646,7 +43742,7 @@ index 9dc60c6..139edc7 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1559,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1541,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -43662,7 +43758,7 @@ index 9dc60c6..139edc7 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1578,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1560,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -43705,7 +43801,7 @@ index 9dc60c6..139edc7 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1619,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1601,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -43714,7 +43810,7 @@ index 9dc60c6..139edc7 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1628,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1610,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -43733,7 +43829,7 @@ index 9dc60c6..139edc7 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1674,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1656,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -43742,7 +43838,7 @@ index 9dc60c6..139edc7 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1684,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1666,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -43751,7 +43847,7 @@ index 9dc60c6..139edc7 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1698,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1680,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -43763,7 +43859,7 @@ index 9dc60c6..139edc7 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1712,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1694,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -43806,7 +43902,7 @@ index 9dc60c6..139edc7 100644
')
optional_policy(`
-@@ -1357,14 +1797,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1779,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -43825,10 +43921,19 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -1405,6 +1848,51 @@ interface(`userdom_user_tmpfs_file',`
- ##
- ## Allow domain to attach to TUN devices created by administrative users.
- ##
+@@ -1397,12 +1822,51 @@ interface(`userdom_user_tmp_file',`
+ ##
+ #
+ interface(`userdom_user_tmpfs_file',`
+- files_tmpfs_file($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
++ userdom_user_tmp_file($1)
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by administrative users.
++##
+##
+##
+## Type to be used as a file in the
@@ -43844,11 +43949,11 @@ index 9dc60c6..139edc7 100644
+ typeattribute $1 user_tmp_type;
+
+ files_tmp_file($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
+ ubac_constrained($1)
+ ')
+
+ ########################################
+ ##
+## Make the specified type usable in a
+## generic tmpfs_t directory.
+##
@@ -43860,24 +43965,16 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_user_tmpfs_content',`
-+ gen_require(`
-+ attribute user_tmpfs_type;
-+ ')
-+
-+ typeattribute $1 user_tmpfs_type;
-+
-+ files_tmpfs_file($1)
-+ ubac_constrained($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
++ userdom_user_tmp_content($1)
+')
+
+########################################
+##
-+## Allow domain to attach to TUN devices created by administrative users.
-+##
+ ## Allow domain to attach to TUN devices created by administrative users.
+ ##
##
- ##
- ## Domain allowed access.
-@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1973,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -43909,7 +44006,7 @@ index 9dc60c6..139edc7 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2039,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -43924,7 +44021,7 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2062,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -43936,7 +44033,7 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -1629,6 +2147,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2123,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -43979,7 +44076,7 @@ index 9dc60c6..139edc7 100644
########################################
##
## Create directories in the home dir root with
-@@ -1708,6 +2262,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2238,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -43988,7 +44085,7 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -1741,10 +2297,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2273,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -44003,73 +44100,58 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -1769,7 +2327,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2303,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
-## Delete all user home content directories.
+## Delete directories in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_home_content_dirs',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:dir delete_dir_perms;
-+')
-+
-+########################################
-+##
-+## Delete all directories in a user home subdirectory.
##
##
##
-@@ -1779,53 +2355,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2311,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+ ##
+ ##
#
- interface(`userdom_delete_all_user_home_content_dirs',`
+-interface(`userdom_delete_all_user_home_content_dirs',`
++interface(`userdom_delete_user_home_content_dirs',`
gen_require(`
- attribute user_home_content_type;
- type user_home_dir_t;
-+ attribute user_home_type;
++ type user_home_t;
')
- userdom_search_user_home_dirs($1)
- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_type:dir delete_dir_perms;
++ allow $1 user_home_t:dir delete_dir_perms;
')
########################################
##
-## Delete directories in a user home subdirectory.
-+## Set the attributes of user home files.
++## Delete all directories in a user home subdirectory.
##
##
##
- ## Domain allowed access.
+@@ -1797,55 +2329,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
-+##
#
-interface(`userdom_delete_user_home_content_dirs',`
-+interface(`userdom_setattr_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
- type user_home_t;
+- type user_home_t;
++ attribute user_home_type;
')
- allow $1 user_home_t:dir delete_dir_perms;
-+ allow $1 user_home_t:file setattr;
++ allow $1 user_home_type:dir delete_dir_perms;
')
########################################
##
-## Set attributes of all user home content directories.
-+## Set the attributes of user tmp files.
++## Set the attributes of user home files.
##
##
##
@@ -44079,142 +44161,283 @@ index 9dc60c6..139edc7 100644
+##
#
-interface(`userdom_setattr_all_user_home_content_dirs',`
-+interface(`userdom_setattr_user_tmp_files',`
++interface(`userdom_setattr_user_home_content_files',`
gen_require(`
- attribute user_home_content_type;
-+ type user_tmp_t;
++ type user_home_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 user_home_content_type:dir setattr_dir_perms;
-+ allow $1 user_tmp_t:file setattr;
++ allow $1 user_home_t:file setattr;
')
########################################
##
-+## Relabel user tmp files.
-+##
-+##
-+##
+-## Do not audit attempts to set the
+-## attributes of user home files.
++## Set the attributes of user tmp files.
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+##
-+#
-+interface(`userdom_relabel_user_tmp_files',`
-+ gen_require(`
+ #
+-interface(`userdom_dontaudit_setattr_user_home_content_files',`
++interface(`userdom_setattr_user_tmp_files',`
+ gen_require(`
+- type user_home_t;
+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file relabel_file_perms;
-+')
-+########################################
-+##
- ## Do not audit attempts to set the
- ## attributes of user home files.
- ##
-@@ -1845,6 +2438,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ ')
+
+- dontaudit $1 user_home_t:file setattr_file_perms;
++ allow $1 user_tmp_t:file setattr;
+ ')
########################################
##
-+## Set the attributes of all user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_setattr_all_user_home_content_dirs',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
- ## Mmap user home files.
+-## Mmap user home files.
++## Create a user tmp sockets.
##
##
-@@ -1875,15 +2487,18 @@ interface(`userdom_mmap_user_home_content_files',`
- interface(`userdom_read_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
+ ##
+@@ -1853,18 +2385,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_mmap_user_home_content_files',`
+- gen_require(`
+- type user_home_dir_t, user_home_t;
+- ')
+-
+- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++interface(`userdom_create_user_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 user_tmp_t:dir list_dir_perms;
++ create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+ ########################################
+ ##
+-## Read user home files.
++## Dontaudit getattr on user tmp sockets.
+ ##
+ ##
+ ##
+@@ -1872,55 +2405,55 @@ interface(`userdom_mmap_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_read_user_home_content_files',`
+- gen_require(`
+- type user_home_dir_t, user_home_t;
+- ')
+-
- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
-+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
-+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
- files_search_home($1)
+- files_search_home($1)
++interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++ dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
##
-## Do not audit attempts to read user home files.
-+## Do not audit attempts to getattr user home files.
++## Relabel user tmp files.
##
##
##
-@@ -1891,18 +2506,18 @@ interface(`userdom_read_user_home_content_files',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
++##
#
-interface(`userdom_dontaudit_read_user_home_content_files',`
-+interface(`userdom_dontaudit_getattr_user_home_content',`
++interface(`userdom_relabel_user_tmp_files',`
gen_require(`
- type user_home_t;
-+ attribute user_home_type;
++ type user_tmp_t;
')
- dontaudit $1 user_home_t:dir list_dir_perms;
- dontaudit $1 user_home_t:file read_file_perms;
-+ dontaudit $1 user_home_type:dir getattr;
-+ dontaudit $1 user_home_type:file getattr;
++ allow $1 user_tmp_t:file relabel_file_perms;
')
########################################
##
-## Do not audit attempts to append user home files.
-+## Do not audit attempts to read user home files.
++## Relabel user tmp files.
##
##
##
-@@ -1910,17 +2525,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
++##
#
-interface(`userdom_dontaudit_append_user_home_content_files',`
-+interface(`userdom_dontaudit_read_user_home_content_files',`
++interface(`userdom_relabel_user_tmp_dirs',`
gen_require(`
- type user_home_t;
-+ attribute user_home_type;
-+ type user_home_dir_t;
++ type user_tmp_t;
')
- dontaudit $1 user_home_t:file append_file_perms;
-+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
++ allow $1 user_tmp_t:dir relabel_dir_perms;
')
########################################
##
-## Do not audit attempts to write user home files.
-+## Do not audit attempts to append user home files.
++## Do not audit attempts to set the
++## attributes of user home files.
##
##
##
-@@ -1928,7 +2547,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
+@@ -1928,32 +2461,149 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
##
##
#
-interface(`userdom_dontaudit_write_user_home_content_files',`
++interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file write_file_perms;
++ dontaudit $1 user_home_t:file setattr_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete all user home content files.
++## Set the attributes of all user home directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`userdom_delete_all_user_home_content_files',`
++interface(`userdom_setattr_all_user_home_content_dirs',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+- userdom_search_user_home_content($1)
+- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_type:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Mmap user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_mmap_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ ')
++
++ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ files_search_home($1)
++')
++
++########################################
++##
++## Read user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
++ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ files_search_home($1)
++')
++
++########################################
++##
++## Do not audit attempts to getattr user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_getattr_user_home_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:dir getattr;
++ dontaudit $1 user_home_type:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to read user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ type user_home_dir_t;
++ ')
++
++ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to append user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`userdom_dontaudit_append_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
@@ -44234,45 +44457,33 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_dontaudit_write_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-@@ -1938,7 +2575,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ dontaudit $1 user_home_t:file write_file_perms;
+ ')
########################################
- ##
--## Delete all user home content files.
-+## Delete files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1946,10 +2583,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_delete_all_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_files',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ type user_home_t;
+@@ -1971,7 +2621,80 @@ interface(`userdom_delete_user_home_content_files',`
+ type user_home_t;
')
- userdom_search_user_home_content($1)
-@@ -1958,7 +2594,7 @@ interface(`userdom_delete_all_user_home_content_files',`
-
- ########################################
- ##
--## Delete files in a user home subdirectory.
+- allow $1 user_home_t:file delete_file_perms;
++ userdom_search_user_home_content($1)
++ delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++')
++
++########################################
++##
+## Delete all files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1966,12 +2602,66 @@ interface(`userdom_delete_all_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_delete_user_home_content_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_delete_all_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
@@ -44292,11 +44503,10 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_delete_user_home_content_sock_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- allow $1 user_home_t:file delete_file_perms;
++ gen_require(`
++ type user_home_t;
++ ')
++
+ allow $1 user_home_t:sock_file delete_file_perms;
+')
+
@@ -44337,7 +44547,7 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -2007,8 +2697,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2730,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -44347,7 +44557,7 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -2024,20 +2713,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2746,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -44372,7 +44582,7 @@ index 9dc60c6..139edc7 100644
########################################
##
-@@ -2120,7 +2803,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2836,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -44381,7 +44591,7 @@ index 9dc60c6..139edc7 100644
##
##
##
-@@ -2128,19 +2811,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2844,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -44405,7 +44615,7 @@ index 9dc60c6..139edc7 100644
##
##
##
-@@ -2148,12 +2829,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2862,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -44421,8 +44631,29 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -2390,11 +3071,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3102,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ ##
+ ##
#
++interface(`userdom_getattr_user_tmp_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Read user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
interface(`userdom_read_user_tmp_files',`
gen_require(`
- type user_tmp_t;
@@ -44436,7 +44667,29 @@ index 9dc60c6..139edc7 100644
files_search_tmp($1)
')
-@@ -2414,7 +3095,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ########################################
+ ##
++## Read user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_append_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++ allow $1 user_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read users
+ ## temporary files.
+ ##
+@@ -2414,7 +3164,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -44445,11 +44698,13 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -2538,6 +3219,26 @@ interface(`userdom_manage_user_tmp_files',`
- ########################################
- ##
- ## Create, read, write, and delete user
-+## temporary files.
+@@ -2455,6 +3205,25 @@ interface(`userdom_rw_user_tmp_files',`
+ rw_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+ ')
++########################################
++##
++## Read and write user temporary files.
+##
+##
+##
@@ -44457,39 +44712,117 @@ index 9dc60c6..139edc7 100644
+##
+##
+#
-+interface(`userdom_filetrans_named_user_tmp_files',`
++interface(`userdom_rw_user_tmp_sock_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
++ allow $1 user_tmp_t:dir list_dir_perms;
++ allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
+ files_search_tmp($1)
+')
-+
-+########################################
-+##
-+## Create, read, write, and delete user
- ## temporary symbolic links.
+
+ ########################################
+ ##
+@@ -2538,7 +3307,7 @@ interface(`userdom_manage_user_tmp_files',`
+ ########################################
+ ##
+ ## Create, read, write, and delete user
+-## temporary symbolic links.
++## temporary files.
+ ##
+ ##
+ ##
+@@ -2546,19 +3315,19 @@ interface(`userdom_manage_user_tmp_files',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmp_symlinks',`
++interface(`userdom_filetrans_named_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+ files_search_tmp($1)
+ ')
+
+ ########################################
+ ##
+ ## Create, read, write, and delete user
+-## temporary named pipes.
++## temporary symbolic links.
+ ##
+ ##
+ ##
+@@ -2566,19 +3335,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+ ')
+
+ ########################################
+ ##
+ ## Create, read, write, and delete user
+-## temporary named sockets.
++## temporary named pipes.
##
##
-@@ -2566,6 +3267,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+@@ -2586,27 +3355,68 @@ interface(`userdom_manage_user_tmp_pipes',`
##
##
#
+-interface(`userdom_manage_user_tmp_sockets',`
+interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp($1)
+ ')
+
++
+ ########################################
+ ##
+-## Create objects in a user temporary directory
+-## with an automatic type transition to
+-## a specified private type.
++## Create, read, write, and delete user
++## temporary named pipes.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
-+
+########################################
+##
+## Create, read, write, and delete user
-+## temporary named pipes.
++## temporary named sockets.
+##
+##
+##
@@ -44497,10 +44830,31 @@ index 9dc60c6..139edc7 100644
+##
+##
+#
- interface(`userdom_manage_user_tmp_pipes',`
- gen_require(`
- type user_tmp_t;
-@@ -2661,6 +3383,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
++interface(`userdom_manage_user_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create objects in a user temporary directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
+ ##
+ ## The type of the object to create.
+ ##
+@@ -2661,6 +3471,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -44515,24 +44869,26 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_getattr_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++ userdom_getattr_user_tmp_files($1)
+')
+
########################################
##
## Read user tmpfs files.
-@@ -2677,13 +3418,14 @@ interface(`userdom_read_user_tmpfs_files',`
- ')
-
- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+@@ -2672,18 +3497,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ##
+ #
+ interface(`userdom_read_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
++ userdom_read_user_tmp_files($1)
')
########################################
@@ -44542,31 +44898,36 @@ index 9dc60c6..139edc7 100644
##
##
##
-@@ -2704,7 +3446,7 @@ interface(`userdom_rw_user_tmpfs_files',`
-
- ########################################
- ##
--## Create, read, write, and delete user tmpfs files.
-+## Read/Write inherited user tmpfs files.
- ##
- ##
- ##
-@@ -2712,14 +3454,30 @@ interface(`userdom_rw_user_tmpfs_files',`
- ##
+@@ -2692,19 +3512,43 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
--interface(`userdom_manage_user_tmpfs_files',`
+ interface(`userdom_rw_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
++ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
++ userdom_rw_user_tmp_files($1)
++')
++
++########################################
++##
++## Read/Write inherited user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_rw_inherited_user_tmpfs_files',`
- gen_require(`
- type user_tmpfs_t;
- ')
++ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
++ userdom_rw_inherited_user_tmp_files($1)
++')
-- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
-+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
-+')
-+
+########################################
+##
+## Execute user tmpfs files.
@@ -44578,15 +44939,36 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_execute_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file execute;
++ refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
++ userdom_execute_user_tmp_files($1)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete user tmpfs files.
++## Execute user tmpfs files.
+ ##
+ ##
+ ##
+@@ -2712,14 +3556,12 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ##
+ ##
+ #
+-interface(`userdom_manage_user_tmpfs_files',`
++interface(`userdom_execute_user_tmp_files',`
+ gen_require(`
+- type user_tmpfs_t;
++ type user_tmp_t;
+ ')
+
+- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ allow $1 user_tmp_t:file execute;
')
########################################
-@@ -2814,6 +3572,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3656,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -44611,7 +44993,7 @@ index 9dc60c6..139edc7 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3608,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3692,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -44654,7 +45036,7 @@ index 9dc60c6..139edc7 100644
##
##
##
-@@ -2856,14 +3644,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3728,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -44692,7 +45074,7 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -2882,8 +3689,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3773,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -44722,95 +45104,96 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -2955,6 +3781,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3865,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
+-########################################
+#####################################
-+##
+ ##
+-## Execute an Xserver session in all unprivileged user domains. This
+-## is an explicit transition, requiring the
+-## caller to use setexeccon().
+## Allow domain dyntrans to unpriv userdomain.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed to transition.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
+interface(`userdom_dyntransition_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
-+
+
+- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+- allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
+- allow unpriv_userdomain $1:process sigchld;
+ allow $1 unpriv_userdomain:process dyntransition;
-+')
-+
-+####################################
-+##
-+## Allow domain dyntrans to admin userdomain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dyntransition_admin_users',`
-+ gen_require(`
-+ attribute admindomain;
-+ ')
-+
-+ allow $1 admindomain:process dyntransition;
-+')
-+
- ########################################
- ##
- ## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,9 +3840,9 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- allow unpriv_userdomain $1:process sigchld;
')
-#######################################
-+########################################
++####################################
##
-## Read and write unpriviledged user SysV sempaphores.
-+## Manage unpriviledged user SysV sempaphores.
++## Allow domain dyntrans to admin userdomain.
##
##
- ##
-@@ -2988,17 +3850,18 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
##
#
-interface(`userdom_rw_unpriv_user_semaphores',`
-+interface(`userdom_manage_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
+- gen_require(`
+- attribute unpriv_userdomain;
+- ')
++interface(`userdom_dyntransition_admin_users',`
++ gen_require(`
++ attribute admindomain;
++ ')
- allow $1 unpriv_userdomain:sem rw_sem_perms;
-+ allow $1 unpriv_userdomain:sem create_sem_perms;
++ allow $1 admindomain:process dyntransition;
')
########################################
##
-## Manage unpriviledged user SysV sempaphores.
-+## Manage unpriviledged user SysV shared
-+## memory segments.
++## Execute an Xserver session in all unprivileged user domains. This
++## is an explicit transition, requiring the
++## caller to use setexeccon().
##
##
##
-@@ -3006,57 +3869,19 @@ interface(`userdom_rw_unpriv_user_semaphores',`
+-## Domain allowed access.
++## Domain allowed to transition.
##
##
#
-interface(`userdom_manage_unpriv_user_semaphores',`
-+interface(`userdom_manage_unpriv_user_shared_mem',`
++interface(`userdom_xsession_spec_domtrans_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
- allow $1 unpriv_userdomain:sem create_sem_perms;
-+ allow $1 unpriv_userdomain:shm create_shm_perms;
++ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++ allow unpriv_userdomain $1:fd use;
++ allow unpriv_userdomain $1:fifo_file rw_file_perms;
++ allow unpriv_userdomain $1:process sigchld;
')
-#######################################
@@ -44818,52 +45201,26 @@ index 9dc60c6..139edc7 100644
##
-## Read and write unpriviledged user SysV shared
-## memory segments.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`userdom_rw_unpriv_user_shared_mem',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
--
-- allow $1 unpriv_userdomain:shm rw_shm_perms;
--')
--
--########################################
--##
--## Manage unpriviledged user SysV shared
--## memory segments.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`userdom_manage_unpriv_user_shared_mem',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
--
-- allow $1 unpriv_userdomain:shm create_shm_perms;
--')
--
--########################################
--##
--## Execute bin_t in the unprivileged user domains. This
--## is an explicit transition, requiring the
--## caller to use setexeccon().
-+## Execute bin_t in the unprivileged user domains. This
-+## is an explicit transition, requiring the
-+## caller to use setexeccon().
++## Manage unpriviledged user SysV sempaphores.
##
##
##
-@@ -3094,7 +3919,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3025,12 +3934,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+ ##
+ ##
+ #
+-interface(`userdom_rw_unpriv_user_shared_mem',`
++interface(`userdom_manage_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- allow $1 unpriv_userdomain:shm rw_shm_perms;
++ allow $1 unpriv_userdomain:sem create_sem_perms;
+ ')
+
+ ########################################
+@@ -3094,7 +4003,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -44872,7 +45229,7 @@ index 9dc60c6..139edc7 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +3935,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4019,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -44906,7 +45263,7 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -3214,7 +4023,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4107,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -44933,109 +45290,208 @@ index 9dc60c6..139edc7 100644
')
########################################
-@@ -3269,7 +4096,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4180,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to use user ttys.
++## Do not audit attempts to write users
++## temporary files.
+ ##
+ ##
+ ##
+@@ -3282,54 +4194,56 @@ interface(`userdom_write_user_tmp_files',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tmp_t:file write;
+ ')
+
+ ########################################
+ ##
+-## Read the process state of all user domains.
++## Do not audit attempts to delete users
++## temporary files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
+ gen_require(`
+- attribute userdomain;
++ type user_tmp_t;
+ ')
+
+- read_files_pattern($1, userdomain, userdomain)
+- kernel_search_proc($1)
++ dontaudit $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all user domains.
++## Do not audit attempts to read/write users
++## temporary fifo files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`userdom_getattr_all_users',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+- attribute userdomain;
++ type user_tmp_t;
+ ')
+
+- allow $1 userdomain:process getattr;
++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Inherit the file descriptors from all user domains
++## Allow domain to read/write inherited users
++## fifo files.
+ ##
+ ##
+ ##
+@@ -3337,18 +4251,17 @@ interface(`userdom_getattr_all_users',`
+ ##
+ ##
+ #
+-interface(`userdom_use_all_users_fds',`
++interface(`userdom_rw_inherited_user_pipes',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+- allow $1 userdomain:fd use;
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to inherit the file
+-## descriptors from any user domains.
++## Do not audit attempts to use user ttys.
+ ##
+ ##
+ ##
+@@ -3356,12 +4269,87 @@ interface(`userdom_use_all_users_fds',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_use_all_users_fds',`
++interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
+- attribute userdomain;
++ type user_tty_device_t;
+ ')
+
+- dontaudit $1 userdomain:fd use;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to write users
-+## temporary files.
++## Read the process state of all user domains.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_write_user_tmp_files',`
++interface(`userdom_read_all_users_state',`
+ gen_require(`
-+ type user_tmp_t;
++ attribute userdomain;
+ ')
+
-+ dontaudit $1 user_tmp_t:file write;
++ read_files_pattern($1, userdomain, userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
++ kernel_search_proc($1)
+')
+
+########################################
+##
-+## Do not audit attempts to delete users
-+## temporary files.
++## Get the attributes of all user domains.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
++interface(`userdom_getattr_all_users',`
+ gen_require(`
-+ type user_tmp_t;
++ attribute userdomain;
+ ')
+
-+ dontaudit $1 user_tmp_t:file delete_file_perms;
++ allow $1 userdomain:process getattr;
+')
+
+########################################
+##
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
++## Inherit the file descriptors from all user domains
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
++interface(`userdom_use_all_users_fds',`
+ gen_require(`
-+ type user_tmp_t;
++ attribute userdomain;
+ ')
+
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 userdomain:fd use;
+')
+
+########################################
+##
-+## Allow domain to read/write inherited users
-+## fifo files.
++## Do not audit attempts to inherit the file
++## descriptors from any user domains.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_dontaudit_use_all_users_fds',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
-+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -3287,7 +4190,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
- type user_tty_device_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
++ dontaudit $1 userdomain:fd use;
')
########################################
-@@ -3306,6 +4209,7 @@ interface(`userdom_read_all_users_state',`
- ')
-
- read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
- kernel_search_proc($1)
- ')
-
-@@ -3382,6 +4286,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4370,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -45078,7 +45534,7 @@ index 9dc60c6..139edc7 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4342,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4426,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -45103,7 +45559,7 @@ index 9dc60c6..139edc7 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4393,1680 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4477,1666 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -45126,7 +45582,7 @@ index 9dc60c6..139edc7 100644
+ ')
+
+ allow $1 userdomain:process rlimitinh;
-+')
+ ')
+
+########################################
+##
@@ -45215,7 +45671,7 @@ index 9dc60c6..139edc7 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 userdomain:process ptrace;
+ ')
- ')
++')
+
+########################################
+##
@@ -45944,16 +46400,8 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_manage_all_user_tmpfs_content',`
-+ gen_require(`
-+ attribute user_tmpfs_type;
-+ ')
-+
-+ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')
++ userdom_manage_all_user_tmp_content($1)
+')
+
+########################################
@@ -46167,11 +46615,8 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_dontaudit_setattr_user_tmpfs',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ dontaudit $1 user_tmpfs_t:file setattr;
++ refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
+')
+
+########################################
@@ -46275,11 +46720,8 @@ index 9dc60c6..139edc7 100644
+##
+#
+interface(`userdom_delete_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file delete_file_perms;
++ refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
++ userdom_delete_user_tmpfs_files($1)
+')
+
+########################################
@@ -46785,7 +47227,7 @@ index 9dc60c6..139edc7 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..9284c24 100644
+index f4ac38d..a86e4fc 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -46874,7 +47316,7 @@ index f4ac38d..9284c24 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,390 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,389 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -46893,20 +47335,22 @@ index f4ac38d..9284c24 100644
ubac_constrained(user_devpts_t)
-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
-+type user_tmp_t, user_tmp_type;
++type user_tmp_t, user_tmp_type, user_tmpfs_type;
+typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
++typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
++typealias user_tmp_t alias xdm_tmp_t;
++typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
files_tmp_file(user_tmp_t)
++files_tmpfs_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
+-
+-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+-files_tmpfs_file(user_tmpfs_t)
+-userdom_user_home_content(user_tmpfs_t)
+files_poly_parent(user_tmp_t)
+files_mountpoint(user_tmp_t)
--type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
-+type user_tmpfs_t, user_tmpfs_type;
-+typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
- files_tmpfs_file(user_tmpfs_t)
- userdom_user_home_content(user_tmpfs_t)
-
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2be1b57..6d64a86 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -11714,7 +11714,7 @@ index 0000000..a0fdbcb
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..b4f29e9
+index 0000000..c8338dc
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,249 @@
@@ -11834,8 +11834,8 @@ index 0000000..b4f29e9
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_execute_user_tmp_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
@@ -11957,8 +11957,8 @@ index 0000000..b4f29e9
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
@@ -13945,7 +13945,7 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 9f2dfb2..5425ddf 100644
+index 9f2dfb2..3d5988c 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
@@ -14028,7 +14028,7 @@ index 9f2dfb2..5425ddf 100644
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
-')
-+userdom_rw_user_tmpfs_files(colord_t)
++userdom_rw_user_tmp_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
@@ -15300,7 +15300,7 @@ index 694a037..b836c07 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index d5aa1e4..e827567 100644
+index d5aa1e4..837e0a8 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
@@ -15326,8 +15326,8 @@ index d5aa1e4..e827567 100644
userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
-+userdom_delete_user_tmpfs_files(corosync_t)
-+userdom_rw_user_tmpfs_files(corosync_t)
++userdom_delete_user_tmp_files(corosync_t)
++userdom_rw_user_tmp_files(corosync_t)
+
+optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
@@ -32769,7 +32769,7 @@ index 180f1b7..3c8757e 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 0e97e82..695e8fa 100644
+index 0e97e82..fe77236 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@@ -33177,9 +33177,9 @@ index 0e97e82..695e8fa 100644
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
-+userdom_read_user_tmpfs_files(gpg_pinentry_t)
++userdom_read_user_tmp_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
-+allow gpg_pinentry_t user_tmpfs_t:file unlink;
++allow gpg_pinentry_t user_tmp_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)
@@ -36323,10 +36323,10 @@ index 0000000..9d32f23
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
-index 0000000..1b313e8
+index 0000000..896cde4
--- /dev/null
+++ b/journalctl.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,46 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
@@ -36371,8 +36371,7 @@ index 0000000..1b313e8
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
-+userdom_write_inherited_user_tmp_files(journalctl_t)
-+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
++userdom_rw_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
@@ -38719,7 +38718,7 @@ index aa2a337..7ff229f 100644
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
-index 8ad0d4d..c070420 100644
+index 8ad0d4d..4e66536 100644
--- a/kismet.te
+++ b/kismet.te
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
@@ -38752,7 +38751,7 @@ index 8ad0d4d..c070420 100644
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
-+userdom_read_user_tmpfs_files(kismet_t)
++userdom_read_user_tmp_files(kismet_t)
optional_policy(`
dbus_system_bus_client(kismet_t)
@@ -40502,7 +40501,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84..44689e1 100644
+index be0ab84..835c246 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@@ -40633,7 +40632,7 @@ index be0ab84..44689e1 100644
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
-@@ -103,24 +133,39 @@ init_all_labeled_script_domtrans(logrotate_t)
+@@ -103,24 +133,40 @@ init_all_labeled_script_domtrans(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
@@ -40660,8 +40659,9 @@ index be0ab84..44689e1 100644
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+tunable_policy(`logrotate_use_nfs',`
-+ fs_read_nfs_files(logrotate_t)
-+ fs_read_nfs_symlinks(logrotate_t)
++ fs_manage_nfs_files(logrotate_t)
++ fs_manage_nfs_dirs(logrotate_t)
++ fs_manage_nfs_symlinks(logrotate_t)
+')
-ifdef(`distro_debian',`
@@ -40679,7 +40679,7 @@ index be0ab84..44689e1 100644
')
optional_policy(`
-@@ -135,16 +180,17 @@ optional_policy(`
+@@ -135,16 +181,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -40699,7 +40699,7 @@ index be0ab84..44689e1 100644
')
optional_policy(`
-@@ -170,6 +216,11 @@ optional_policy(`
+@@ -170,6 +217,11 @@ optional_policy(`
')
optional_policy(`
@@ -40711,7 +40711,7 @@ index be0ab84..44689e1 100644
fail2ban_stream_connect(logrotate_t)
')
-@@ -178,7 +229,7 @@ optional_policy(`
+@@ -178,7 +230,7 @@ optional_policy(`
')
optional_policy(`
@@ -40720,7 +40720,7 @@ index be0ab84..44689e1 100644
')
optional_policy(`
-@@ -198,21 +249,26 @@ optional_policy(`
+@@ -198,21 +250,26 @@ optional_policy(`
')
optional_policy(`
@@ -40751,7 +40751,7 @@ index be0ab84..44689e1 100644
')
optional_policy(`
-@@ -228,10 +284,21 @@ optional_policy(`
+@@ -228,10 +285,21 @@ optional_policy(`
')
optional_policy(`
@@ -40773,7 +40773,7 @@ index be0ab84..44689e1 100644
su_exec(logrotate_t)
')
-@@ -241,13 +308,11 @@ optional_policy(`
+@@ -241,13 +309,11 @@ optional_policy(`
#######################################
#
@@ -45979,7 +45979,7 @@ index 6194b80..7490fe3 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..ab5b577 100644
+index 11ac8e4..1025b89 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,48 @@ policy_module(mozilla, 2.8.0)
@@ -46424,7 +46424,7 @@ index 11ac8e4..ab5b577 100644
')
optional_policy(`
-@@ -300,259 +331,253 @@ optional_policy(`
+@@ -300,259 +331,249 @@ optional_policy(`
########################################
#
@@ -46494,7 +46494,6 @@ index 11ac8e4..ab5b577 100644
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
-+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -46502,7 +46501,6 @@ index 11ac8e4..ab5b577 100644
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-+userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+userdom_manage_home_texlive(mozilla_plugin_t)
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
@@ -46704,8 +46702,6 @@ index 11ac8e4..ab5b577 100644
+term_dontaudit_use_ptmx(mozilla_plugin_t)
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
-+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
-+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
@@ -46824,7 +46820,7 @@ index 11ac8e4..ab5b577 100644
')
optional_policy(`
-@@ -560,7 +585,11 @@ optional_policy(`
+@@ -560,7 +581,11 @@ optional_policy(`
')
optional_policy(`
@@ -46837,7 +46833,7 @@ index 11ac8e4..ab5b577 100644
')
optional_policy(`
-@@ -568,108 +597,136 @@ optional_policy(`
+@@ -568,108 +593,136 @@ optional_policy(`
')
optional_policy(`
@@ -47095,7 +47091,7 @@ index 5fa77c7..2e01c7d 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index fe72523..92632e8 100644
+index fe72523..953e3bf 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,6 +62,12 @@ files_type(mpd_var_lib_t)
@@ -47166,7 +47162,7 @@ index fe72523..92632e8 100644
+ userdom_stream_connect(mpd_t)
+ userdom_read_home_audio_files(mpd_t)
+ userdom_list_user_tmp(mpd_t)
-+ userdom_read_user_tmpfs_files(mpd_t)
++ userdom_read_user_tmp_files(mpd_t)
+ userdom_dontaudit_setattr_user_tmp(mpd_t)
+')
+
@@ -63894,7 +63890,7 @@ index 3078ce9..d2f68fa 100644
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
-index 9123f71..5bf10ce 100644
+index 9123f71..c06ace5 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
@@ -63915,7 +63911,7 @@ index 9123f71..5bf10ce 100644
fs_mount_dos_fs(podsleuth_t)
fs_unmount_dos_fs(podsleuth_t)
-@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t)
+@@ -76,13 +76,11 @@ fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
fs_rw_removable_blk_files(podsleuth_t)
@@ -63924,6 +63920,12 @@ index 9123f71..5bf10ce 100644
sysnet_dns_name_resolve(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
+ userdom_signull_unpriv_users(podsleuth_t)
+-userdom_read_user_tmpfs_files(podsleuth_t)
++userdom_read_user_tmp_files(podsleuth_t)
+
+ optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
diff --git a/policykit.fc b/policykit.fc
index 1d76c72..93d09d9 100644
--- a/policykit.fc
@@ -70235,7 +70237,7 @@ index 45843b5..116be8a 100644
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index 6643b49..1d2470f 100644
+index 6643b49..64ac070 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
@@ -70382,7 +70384,8 @@ index 6643b49..1d2470f 100644
-miscfiles_read_localization(pulseaudio_t)
-
- userdom_read_user_tmpfs_files(pulseaudio_t)
+-userdom_read_user_tmpfs_files(pulseaudio_t)
++userdom_read_user_tmp_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_write_user_tmp_sockets(pulseaudio_t)
@@ -70490,8 +70493,9 @@ index 6643b49..1d2470f 100644
-# TODO: ~/.cache
userdom_manage_user_home_content_files(pulseaudio_client)
- userdom_read_user_tmpfs_files(pulseaudio_client)
+-userdom_read_user_tmpfs_files(pulseaudio_client)
-# userdom_delete_user_tmpfs_files(pulseaudio_client)
++userdom_read_user_tmp_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(pulseaudio_client)
@@ -72557,7 +72561,7 @@ index eaf56b8..c32349e 100644
#
interface(`qemu_entry_type',`
diff --git a/qemu.te b/qemu.te
-index 4f90743..8c1e989 100644
+index 4f90743..958c0ef 100644
--- a/qemu.te
+++ b/qemu.te
@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
@@ -72620,7 +72624,7 @@ index 4f90743..8c1e989 100644
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
-+userdom_read_user_tmpfs_files(qemu_t)
++userdom_read_user_tmp_files(qemu_t)
+userdom_stream_connect(qemu_t)
+
tunable_policy(`qemu_full_network',`
@@ -78463,7 +78467,7 @@ index c8bdea2..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..aa30a92 100644
+index 6cf79c4..113697f 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -78502,7 +78506,7 @@ index 6cf79c4..aa30a92 100644
attribute cluster_domain;
attribute cluster_log;
attribute cluster_pid;
-@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,282 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
@@ -78656,9 +78660,8 @@ index 6cf79c4..aa30a92 100644
+init_rw_script_tmp_files(cluster_t)
+init_manage_script_status_files(cluster_t)
+
-+userdom_read_user_tmp_files(cluster_t)
-+userdom_delete_user_tmpfs_files(cluster_t)
-+userdom_rw_user_tmpfs_files(cluster_t)
++userdom_delete_user_tmp_files(cluster_t)
++userdom_rw_user_tmp_files(cluster_t)
+userdom_kill_all_users(cluster_t)
+
+tunable_policy(`cluster_can_network_connect',`
@@ -78790,7 +78793,7 @@ index 6cf79c4..aa30a92 100644
')
#####################################
-@@ -79,9 +357,11 @@ optional_policy(`
+@@ -79,9 +356,11 @@ optional_policy(`
# dlm_controld local policy
#
@@ -78803,7 +78806,7 @@ index 6cf79c4..aa30a92 100644
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -78837,7 +78840,7 @@ index 6cf79c4..aa30a92 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +411,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -78848,7 +78851,7 @@ index 6cf79c4..aa30a92 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
-@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +432,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
corenet_sendrecv_zented_server_packets(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
@@ -78857,7 +78860,7 @@ index 6cf79c4..aa30a92 100644
corenet_tcp_sendrecv_zented_port(fenced_t)
corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +442,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@@ -78868,7 +78871,7 @@ index 6cf79c4..aa30a92 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +452,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@@ -78877,7 +78880,7 @@ index 6cf79c4..aa30a92 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +475,8 @@ optional_policy(`
+@@ -182,7 +474,8 @@ optional_policy(`
')
optional_policy(`
@@ -78887,7 +78890,7 @@ index 6cf79c4..aa30a92 100644
')
optional_policy(`
-@@ -190,12 +484,12 @@ optional_policy(`
+@@ -190,12 +483,12 @@ optional_policy(`
')
optional_policy(`
@@ -78903,7 +78906,7 @@ index 6cf79c4..aa30a92 100644
')
optional_policy(`
-@@ -203,6 +497,13 @@ optional_policy(`
+@@ -203,6 +496,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -78917,7 +78920,7 @@ index 6cf79c4..aa30a92 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +521,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -78938,7 +78941,7 @@ index 6cf79c4..aa30a92 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +559,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -78947,7 +78950,7 @@ index 6cf79c4..aa30a92 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +579,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -79004,7 +79007,7 @@ index 6cf79c4..aa30a92 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -86711,7 +86714,7 @@ index 0000000..03bdcef
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..956922c
+index 0000000..499e739
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,500 @@
@@ -87132,8 +87135,8 @@ index 0000000..956922c
+selinux_compute_user_contexts(sandbox_web_type)
+seutil_read_default_contexts(sandbox_web_type)
+
-+userdom_rw_user_tmpfs_files(sandbox_web_type)
-+userdom_delete_user_tmpfs_files(sandbox_web_type)
++userdom_rw_user_tmp_files(sandbox_web_type)
++userdom_delete_user_tmp_files(sandbox_web_type)
+
+optional_policy(`
+ alsa_read_rw_config(sandbox_web_type)
@@ -97216,10 +97219,10 @@ index 0000000..c1fd8b4
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..7f7e7ff
+index 0000000..ebb001b
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,158 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -97268,7 +97271,7 @@ index 0000000..7f7e7ff
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+userdom_dontaudit_access_check_user_content(thumb_t)
-+userdom_rw_inherited_user_tmpfs_files(thumb_t)
++userdom_rw_inherited_user_tmp_files(thumb_t)
+userdom_manage_home_texlive(thumb_t)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -97277,7 +97280,6 @@ index 0000000..7f7e7ff
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
-+xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
+
+manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
@@ -98866,7 +98868,7 @@ index c416a83..cd83b89 100644
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index 98b51fd..35d784a 100644
+index 98b51fd..b25ec0d 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
@@ -99163,7 +99165,7 @@ index 98b51fd..35d784a 100644
+
+ auth_use_pam($1_consolehelper_t)
+
-+ userdom_manage_tmpfs_role($2, $1_consolehelper_t)
++ userdom_manage_tmp_role($2, $1_consolehelper_t)
+
+ optional_policy(`
+ dbus_connect_session_bus($1_consolehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4506690..d54cd3d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -25,8 +25,6 @@ Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-rawhide-base.patch
patch1: policy-rawhide-contrib.patch
-patch2: policy-rawhide-base-user_tmp.patch
-patch3: policy-rawhide-contrib-user_tmp.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
@@ -321,11 +319,9 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
-%patch3 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
-%patch2 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib