##
@@ -36027,7 +36309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1164,7 +1163,6 @@
+@@ -1164,7 +1164,6 @@
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
@@ -36035,7 +36317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1182,36 +1180,45 @@
+@@ -1182,36 +1181,45 @@
')
')
@@ -36070,9 +36352,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
+ ')
+
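Review bot: The `mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })` line that replaces `ppp_run_cond(...)` inside this `optional_policy` block has no rationale comment, although nearby rules in the same file are annotated (`# Need the following rule to allow users to run vpnc`). Allowing a templated user domain to run mount is a grant a policy auditor will want justified. The `_cond` suffix on the removed call suggests the old grant was gated by a tunable, while the new one looks unconditional, which is worth confirming against the interface definitions. I would add a comment above it along the lines of `# Users may run mount from their tty/pty; TODO: state why this is not tunable-gated`, and a matching one-line reason for the `- setroubleshoot_stream_connect($1_t)` removal that this revision now records in the same hunk. The enclosing template starts and ends outside the hunk.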
@@ -36086,15 +36369,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ mono_per_role_template($1, $1_t, $1_r)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ gpg_per_role_template($1, $1_usertype, $1_r)
')
')
-@@ -1288,8 +1295,6 @@
+@@ -1288,8 +1296,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -36103,7 +36385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1311,8 +1316,6 @@
+@@ -1311,8 +1317,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -36112,7 +36394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1367,13 +1370,6 @@
+@@ -1367,13 +1371,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -36126,7 +36408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1425,6 +1421,7 @@
+@@ -1425,6 +1422,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -36134,7 +36416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1454,10 +1451,6 @@
+@@ -1454,10 +1452,6 @@
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
@@ -36145,7 +36427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
aide_run($1,$2, $3)
')
-@@ -1477,12 +1470,30 @@
+@@ -1477,12 +1471,30 @@
optional_policy(`
netlabel_run_mgmt($1,$2, $3)
')
@@ -36176,7 +36458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1492,8 +1503,7 @@
+@@ -1492,8 +1504,7 @@
##
#
template(`userdom_role_change_generic_user',`
@@ -36186,7 +36468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1520,14 +1530,23 @@
+@@ -1520,14 +1531,23 @@
##
#
template(`userdom_role_change_from_generic_user',`
@@ -36212,7 +36494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1537,8 +1556,7 @@
+@@ -1537,8 +1557,7 @@
##
#
template(`userdom_role_change_staff',`
@@ -36222,7 +36504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1565,14 +1583,23 @@
+@@ -1565,14 +1584,23 @@
##
#
template(`userdom_role_change_from_staff',`
@@ -36248,7 +36530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1582,8 +1609,7 @@
+@@ -1582,8 +1610,7 @@
##
#
template(`userdom_role_change_sysadm',`
@@ -36258,7 +36540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1610,14 +1636,23 @@
+@@ -1610,14 +1637,23 @@
##
#
template(`userdom_role_change_from_sysadm',`
@@ -36284,7 +36566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1627,8 +1662,11 @@
+@@ -1627,8 +1663,11 @@
##
#
template(`userdom_role_change_secadm',`
@@ -36298,7 +36580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1655,14 +1693,27 @@
+@@ -1655,14 +1694,27 @@
##
#
template(`userdom_role_change_from_secadm',`
@@ -36328,7 +36610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the auditadm role (e.g., user
-@@ -1672,8 +1723,11 @@
+@@ -1672,8 +1724,11 @@
##
#
template(`userdom_role_change_auditadm',`
@@ -36342,7 +36624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1700,8 +1754,11 @@
+@@ -1700,8 +1755,11 @@
##
#
template(`userdom_role_change_from_auditadm',`
@@ -36356,7 +36638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1734,11 +1791,15 @@
+@@ -1734,11 +1792,15 @@
#
template(`userdom_user_home_content',`
gen_require(`
@@ -36375,7 +36657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1834,11 +1895,11 @@
+@@ -1834,11 +1896,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -36389,7 +36671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1868,11 +1929,11 @@
+@@ -1868,11 +1930,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -36403,7 +36685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1916,12 +1977,12 @@
+@@ -1916,12 +1978,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -36419,7 +36701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1951,10 +2012,11 @@
+@@ -1951,10 +2013,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -36433,7 +36715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1986,11 +2048,47 @@
+@@ -1986,11 +2049,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -36483,7 +36765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2022,10 +2120,10 @@
+@@ -2022,10 +2121,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -36496,7 +36778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2055,11 +2153,11 @@
+@@ -2055,11 +2154,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -36510,7 +36792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2089,11 +2187,11 @@
+@@ -2089,11 +2188,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -36525,7 +36807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2123,10 +2221,14 @@
+@@ -2123,10 +2222,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -36542,7 +36824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2156,11 +2258,11 @@
+@@ -2156,11 +2259,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -36556,7 +36838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2190,11 +2292,11 @@
+@@ -2190,11 +2293,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -36570,7 +36852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2224,10 +2326,10 @@
+@@ -2224,10 +2327,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -36583,7 +36865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2259,12 +2361,12 @@
+@@ -2259,12 +2362,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -36599,7 +36881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2296,10 +2398,10 @@
+@@ -2296,10 +2399,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -36612,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2331,12 +2433,12 @@
+@@ -2331,12 +2434,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -36628,7 +36910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2368,12 +2470,12 @@
+@@ -2368,12 +2471,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -36644,7 +36926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2405,12 +2507,12 @@
+@@ -2405,12 +2508,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -36660,7 +36942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2455,11 +2557,11 @@
+@@ -2455,11 +2558,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -36674,7 +36956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2504,11 +2606,11 @@
+@@ -2504,11 +2607,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -36688,7 +36970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2548,11 +2650,11 @@
+@@ -2548,11 +2651,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -36702,7 +36984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2582,11 +2684,11 @@
+@@ -2582,11 +2685,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -36716,7 +36998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2616,11 +2718,11 @@
+@@ -2616,11 +2719,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -36730,7 +37012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2652,10 +2754,10 @@
+@@ -2652,10 +2755,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -36743,7 +37025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2687,10 +2789,10 @@
+@@ -2687,10 +2790,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -36756,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2720,12 +2822,12 @@
+@@ -2720,12 +2823,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -36772,7 +37054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2757,10 +2859,10 @@
+@@ -2757,10 +2860,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -36785,7 +37067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2792,10 +2894,10 @@
+@@ -2792,10 +2895,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -36798,7 +37080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2825,12 +2927,12 @@
+@@ -2825,12 +2928,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -36814,7 +37096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2862,10 +2964,10 @@
+@@ -2862,10 +2965,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -36827,7 +37109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2897,12 +2999,12 @@
+@@ -2897,12 +3000,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -36843,7 +37125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2934,11 +3036,11 @@
+@@ -2934,11 +3037,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -36857,7 +37139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2970,11 +3072,11 @@
+@@ -2970,11 +3073,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -36871,7 +37153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3006,11 +3108,11 @@
+@@ -3006,11 +3109,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -36885,7 +37167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3042,11 +3144,11 @@
+@@ -3042,11 +3145,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -36899,7 +37181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3078,11 +3180,11 @@
+@@ -3078,11 +3181,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -36913,7 +37195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3127,10 +3229,10 @@
+@@ -3127,10 +3230,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -36926,7 +37208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3171,19 +3273,19 @@
+@@ -3171,19 +3274,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -36950,7 +37232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## This is a templated interface, and should only
-@@ -4609,11 +4711,11 @@
+@@ -4609,11 +4712,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -36964,13 +37246,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4633,9 +4735,17 @@
+@@ -4633,10 +4736,18 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
-')
-########################################
+-##
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ ')
@@ -36981,10 +37264,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
+
+########################################
- ##
++##
## Search all users home directories.
##
-@@ -4670,6 +4780,8 @@
+ ##
+@@ -4670,6 +4781,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -36993,7 +37277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4714,6 +4826,25 @@
+@@ -4714,6 +4827,25 @@
########################################
##
@@ -37019,7 +37303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4939,7 +5070,7 @@
+@@ -4939,7 +5071,7 @@
########################################
##
@@ -37028,7 +37312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5311,6 +5442,42 @@
+@@ -5311,6 +5443,42 @@
########################################
##
@@ -37071,7 +37355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
##
##
-@@ -5361,7 +5528,7 @@
+@@ -5361,7 +5529,7 @@
attribute userdomain;
')
@@ -37080,7 +37364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -5476,6 +5643,42 @@
+@@ -5476,6 +5644,42 @@
########################################
##
@@ -37123,7 +37407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5506,3 +5709,525 @@
+@@ -5506,3 +5710,525 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -38089,7 +38373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.1/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt 2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt 2008-07-30 16:47:18.000000000 -0400
@@ -316,3 +316,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')