diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 50c1fe5..404e587 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -251,6 +251,14 @@ allow_nsplugin_execmem=true
#
allow_unconfined_nsplugin_transition=true
+# Allow unconfined domain to transition to confined domain
+#
+unconfined_mozilla_plugin_transition=true
+
+# Allow unconfined domain to transition to confined domain
+#
+unconfined_telepathy_transition=true
+
# System uses init upstart program
#
init_upstart = true
diff --git a/policy-F14.patch b/policy-F14.patch
index 89cff5d..456fd99 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1467,7 +1467,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 5f44f1b..2993130 100644
+index 5f44f1b..bb95e79 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -1497,7 +1497,7 @@ index 5f44f1b..2993130 100644
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_file_perms;
allow $3 $1_sudo_t:process signal_perms;
-@@ -111,6 +117,7 @@ template(`sudo_role_template',`
+@@ -111,12 +117,15 @@ template(`sudo_role_template',`
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
@@ -1505,7 +1505,15 @@ index 5f44f1b..2993130 100644
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
-@@ -133,13 +140,18 @@ template(`sudo_role_template',`
+ auth_manage_pam_pid($1_sudo_t)
+ auth_use_nsswitch($1_sudo_t)
+
++ application_signal($1_sudo_t)
++
+ init_rw_utmp($1_sudo_t)
+
+ logging_send_audit_msgs($1_sudo_t)
+@@ -133,13 +142,18 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
@@ -1606,7 +1614,7 @@ index aecbf1c..0b5e634 100644
optional_policy(`
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index c35d801..961424f 100644
+index c35d801..b1a841a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
@@ -1620,11 +1628,13 @@ index c35d801..961424f 100644
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
-@@ -295,15 +293,18 @@ selinux_compute_user_contexts(passwd_t)
+@@ -293,17 +291,18 @@ selinux_compute_create_context(passwd_t)
+ selinux_compute_relabel_context(passwd_t)
+ selinux_compute_user_contexts(passwd_t)
- term_use_all_ttys(passwd_t)
- term_use_all_ptys(passwd_t)
-+term_use_generic_ptys(passwd_t)
+-term_use_all_ttys(passwd_t)
+-term_use_all_ptys(passwd_t)
++term_use_all_terms(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
@@ -1641,7 +1651,7 @@ index c35d801..961424f 100644
domain_use_interactive_fds(passwd_t)
-@@ -334,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -334,6 +333,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -1649,7 +1659,7 @@ index c35d801..961424f 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -428,7 +430,7 @@ optional_policy(`
+@@ -428,7 +428,7 @@ optional_policy(`
# Useradd local policy
#
@@ -1658,7 +1668,7 @@ index c35d801..961424f 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -500,12 +502,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -500,12 +500,8 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -3701,7 +3711,7 @@ index 9a6d67d..47aa143 100644
## mozilla over dbus.
##
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..3ecd99b 100644
+index cbf4bec..70d899d 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3774,7 +3784,7 @@ index cbf4bec..3ecd99b 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,108 @@ optional_policy(`
+@@ -266,3 +291,121 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -3815,8 +3825,18 @@ index cbf4bec..3ecd99b 100644
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
++corenet_tcp_connect_flash_port(mozilla_plugin_t)
++corenet_tcp_connect_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
++corenet_tcp_connect_http_port(mozilla_plugin_t)
++corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
++corenet_tcp_connect_squid_port(mozilla_plugin_t)
++corenet_tcp_connect_ipp_port(mozilla_plugin_t)
++corenet_tcp_connect_speech_port(mozilla_plugin_t)
++
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
++dev_write_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
@@ -3852,6 +3872,7 @@ index cbf4bec..3ecd99b 100644
+
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
++ alsa_read_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
@@ -3874,8 +3895,10 @@ index cbf4bec..3ecd99b 100644
+')
+
+optional_policy(`
++ pulseaudio_exec(mozilla_plugin_t)
++ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
-+ pulseaudio_rw_home_files(mozilla_plugin_t)
++ pulseaudio_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
@@ -6088,15 +6111,28 @@ index 7590165..e5ef7b3 100644
')
')
+
+diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
+index e9134f0..3d2ef30 100644
+--- a/policy/modules/apps/slocate.te
++++ b/policy/modules/apps/slocate.te
+@@ -38,6 +38,7 @@ dev_getattr_all_blk_files(locate_t)
+ dev_getattr_all_chr_files(locate_t)
+
+ files_list_all(locate_t)
++files_dontaudit_read_all_symlinks(locate_t)
+ files_getattr_all_files(locate_t)
+ files_getattr_all_pipes(locate_t)
+ files_getattr_all_sockets(locate_t)
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
new file mode 100644
-index 0000000..1e47b96
+index 0000000..809bb65
--- /dev/null
+++ b/policy/modules/apps/telepathy.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,15 @@
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
-+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
+
@@ -6304,10 +6340,10 @@ index 0000000..3d12484
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..c4fe796
+index 0000000..34a2b48
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,327 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -6341,6 +6377,9 @@ index 0000000..c4fe796
+type telepathy_mission_control_cache_home_t;
+userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
++type telepathy_sunshine_home_t;
++userdom_user_home_content(telepathy_sunshine_home_t)
++
+telepathy_domain_template(msn)
+telepathy_domain_template(salut)
+telepathy_domain_template(sofiasip)
@@ -6561,12 +6600,16 @@ index 0000000..c4fe796
+#
+# Telepathy Sunshine local policy.
+#
++manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
++manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
++userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
++userdom_search_user_home_dirs(telepathy_sunshine_t)
+
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
-+corecmd_list_bin(telepathy_sunshine_t)
++corecmd_exec_bin(telepathy_sunshine_t)
+
+dev_read_urand(telepathy_sunshine_t)
+
@@ -6984,7 +7027,7 @@ index 82842a0..369c3b5 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..38d675c 100644
+index 0eb1d97..46af2a4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -9,8 +9,11 @@
@@ -7040,7 +7083,7 @@ index 0eb1d97..38d675c 100644
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/opt/google/talkplugin/cron(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
@@ -8061,7 +8104,7 @@ index 3517db2..bd4c23d 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..000c53a 100644
+index 5302dac..a738502 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8506,7 +8549,7 @@ index 5302dac..000c53a 100644
')
########################################
-@@ -5826,3 +6137,229 @@ interface(`files_unconfined',`
+@@ -5826,3 +6137,247 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -8623,6 +8666,24 @@ index 5302dac..000c53a 100644
+
+########################################
+##
++## Allow read write all tmpfs files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_rw_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file { read write };
++')
++
++########################################
++##
+## Do not audit attempts to read security files
+##
+##
@@ -9214,7 +9275,7 @@ index 0dff98e..a09ab47 100644
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index ed7667a..46e9859 100644
+index ed7667a..10c14fe 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',`
@@ -9273,7 +9334,32 @@ index ed7667a..46e9859 100644
')
########################################
-@@ -2845,6 +2885,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2380,6 +2420,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+
+ ########################################
+ ##
++## Read and write unlabeled sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_rw_unlabeled_socket',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:socket rw_socket_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to get attributes for
+ ## unlabeled character devices.
+ ##
+@@ -2845,6 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -9298,7 +9384,7 @@ index ed7667a..46e9859 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2860,3 +2918,23 @@ interface(`kernel_unconfined',`
+@@ -2860,3 +2936,23 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
')
@@ -10947,10 +11033,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..a09ca52
+index 0000000..0e47a85
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,478 @@
+@@ -0,0 +1,492 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -10961,13 +11047,27 @@ index 0000000..a09ca52
+
+##
+##
-+## Transition to confined nsplugin domains from unconfined user
++## Transition unconfined user to the nsplugin domains when running nspluginviewer
+##
+##
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+##
+##
++## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container.
++##
++##
++gen_tunable(unconfined_mozilla_plugin_transition, false)
++
++##
++##
++## Transition unconfined user to telepathy confined domains.
++##
++##
++gen_tunable(unconfined_telepathy_transition, false)
++
++##
++##
+## Allow vidio playing tools to tun unconfined
+##
+##
@@ -11113,10 +11213,6 @@ index 0000000..a09ca52
+ ')
+
+ optional_policy(`
-+ iptables_run(unconfined_usertype, unconfined_r)
-+ ')
-+
-+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
@@ -11282,8 +11378,11 @@ index 0000000..a09ca52
+ role system_r types unconfined_mono_t;
+')
+
++
+optional_policy(`
-+ mozilla_run_plugin(unconfined_usertype, unconfined_r)
++ tunable_policy(`unconfined_mozilla_plugin_transition', `
++ mozilla_run_plugin(unconfined_usertype, unconfined_r)
++ ')
+')
+
+optional_policy(`
@@ -11344,7 +11443,9 @@ index 0000000..a09ca52
+')
+
+optional_policy(`
-+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
++ tunable_policy(`unconfined_telepathy_transition', `
++ telepathy_dbus_session_role(unconfined_r, unconfined_t)
++ ')
+')
+
+optional_policy(`
@@ -11428,7 +11529,6 @@ index 0000000..a09ca52
+#
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 9b55b00..2932c13 100644
--- a/policy/modules/roles/unprivuser.te
@@ -11917,7 +12017,7 @@ index 98646c4..5be7dc8 100644
+ allow abrt_t domain:process setrlimit;
')
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
-index c0f858d..fe060aa 100644
+index c0f858d..d639ae0 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -5,9 +5,9 @@
@@ -11932,6 +12032,15 @@ index c0f858d..fe060aa 100644
##
#
interface(`accountsd_domtrans',`
+@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
type accountsd_t;
')
@@ -14463,7 +14572,7 @@ index 3e45431..fa57a6f 100644
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..08afbb9 100644
+index 215b86b..67818fe 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
@@ -14474,6 +14583,28 @@ index 215b86b..08afbb9 100644
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+@@ -99,6 +100,10 @@ kernel_request_load_module(bluetooth_t)
+ #search debugfs - redhat bug 548206
+ kernel_search_debugfs(bluetooth_t)
+
++ifdef(`hide_broken_symptoms', `
++ kernel_rw_unlabeled_socket(bluetooth_t)
++')
++
+ corenet_all_recvfrom_unlabeled(bluetooth_t)
+ corenet_all_recvfrom_netlabel(bluetooth_t)
+ corenet_tcp_sendrecv_generic_if(bluetooth_t)
+@@ -147,6 +152,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
+ optional_policy(`
++ devicekit_dbus_chat_power(bluetooth_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
index 0000000..c095160
@@ -16429,7 +16560,7 @@ index 0258b48..c4d678b 100644
########################################
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index 42c6bd7..53b10e3 100644
+index 42c6bd7..ac43a92 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -5,9 +5,9 @@
@@ -16444,7 +16575,32 @@ index 42c6bd7..53b10e3 100644
##
#
interface(`consolekit_domtrans',`
-@@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',`
+@@ -41,6 +41,24 @@ interface(`consolekit_dbus_chat',`
+
+ ########################################
+ ##
++## Dontaudit attempts to read consolekit log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Read consolekit log files.
+ ##
+ ##
+@@ -95,3 +113,22 @@ interface(`consolekit_read_pid_files',`
files_search_pids($1)
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
@@ -18120,7 +18276,7 @@ index f706b99..ab2edfc 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..58416a0 100644
+index f231f17..184b4b5 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -18215,7 +18371,18 @@ index f231f17..58416a0 100644
hal_domtrans_mac(devicekit_power_t)
hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
-@@ -280,5 +303,9 @@ optional_policy(`
+@@ -269,6 +292,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+@@ -280,5 +307,9 @@ optional_policy(`
')
optional_policy(`
@@ -22168,7 +22335,7 @@ index 3368699..7a7fc02 100644
#
interface(`modemmanager_domtrans',`
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..3dd940c 100644
+index b3ace16..7f18c33 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -22189,10 +22356,14 @@ index b3ace16..3dd940c 100644
term_use_unallocated_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
-@@ -37,5 +39,9 @@ logging_send_syslog_msg(modemmanager_t)
+@@ -37,5 +39,13 @@ logging_send_syslog_msg(modemmanager_t)
networkmanager_dbus_chat(modemmanager_t)
optional_policy(`
++ devicekit_dbus_chat_power(modemmanager_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(modemmanager_t)
+')
+
@@ -30503,7 +30674,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..85203da 100644
+index e30bb63..e4334a6 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -30525,6 +30696,15 @@ index e30bb63..85203da 100644
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
+@@ -263,7 +260,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+-allow smbd_t samba_share_t:filesystem getattr;
++allow smbd_t samba_share_t:filesystem { getattr quotaget };
+
+ manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
@@ -279,7 +276,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -35850,7 +36030,7 @@ index da2601a..f963642 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..69093aa 100644
+index e226da4..f37e8ae 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,43 @@ gen_require(`
@@ -36652,7 +36832,7 @@ index e226da4..69093aa 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,8 +959,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,11 +959,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -36666,7 +36846,11 @@ index e226da4..69093aa 100644
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
files_read_usr_files(xserver_t)
-@@ -693,8 +979,13 @@ fs_getattr_xattr_fs(xserver_t)
++files_rw_tmpfs_files(xserver_t)
+
+ # brought on by rhgb
+ files_search_mnt(xserver_t)
+@@ -693,8 +980,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -36680,7 +36864,7 @@ index e226da4..69093aa 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1007,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1008,14 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -36695,7 +36879,7 @@ index e226da4..69093aa 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1067,28 @@ optional_policy(`
+@@ -773,12 +1068,28 @@ optional_policy(`
')
optional_policy(`
@@ -36725,7 +36909,7 @@ index e226da4..69093aa 100644
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1097,10 @@ optional_policy(`
+@@ -787,6 +1098,10 @@ optional_policy(`
')
optional_policy(`
@@ -36736,7 +36920,7 @@ index e226da4..69093aa 100644
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1116,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1117,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -36750,7 +36934,7 @@ index e226da4..69093aa 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1127,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -813,7 +1128,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -36759,7 +36943,7 @@ index e226da4..69093aa 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1140,9 @@ init_use_fds(xserver_t)
+@@ -826,6 +1141,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -36769,7 +36953,7 @@ index e226da4..69093aa 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1158,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1159,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -36786,7 +36970,7 @@ index e226da4..69093aa 100644
')
optional_policy(`
-@@ -853,6 +1173,10 @@ optional_policy(`
+@@ -853,6 +1174,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -36797,7 +36981,7 @@ index e226da4..69093aa 100644
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1220,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -896,7 +1221,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -36806,7 +36990,7 @@ index e226da4..69093aa 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1274,31 @@ allow x_domain self:x_resource { read write };
+@@ -950,11 +1275,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -36838,7 +37022,7 @@ index e226da4..69093aa 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1320,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -976,18 +1321,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -37374,7 +37558,7 @@ index 1c4b1e7..2997dd7 100644
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..c411b5e 100644
+index bea0ade..149e383 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -37566,7 +37750,33 @@ index bea0ade..c411b5e 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
##
-@@ -1500,6 +1586,8 @@ interface(`auth_manage_login_records',`
+@@ -1346,6 +1432,25 @@ interface(`auth_read_login_records',`
+
+ ########################################
+ ##
++## Read login records files (/var/log/wtmp).
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`auth_dontaudit_read_login_records',`
++ gen_require(`
++ type wtmp_t;
++ ')
++
++ dontaudit $1 wtmp_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read login records
+ ## files (/var/log/wtmp).
+ ##
+@@ -1500,6 +1605,8 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -37575,7 +37785,7 @@ index bea0ade..c411b5e 100644
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1619,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1638,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
@@ -43603,7 +43813,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 2aa8928..b4d758b 100644
+index 2aa8928..54365f8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -44509,12 +44719,13 @@ index 2aa8928..b4d758b 100644
##############################
#
# Local policy
-@@ -867,45 +1005,103 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -867,45 +1005,105 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
++ auth_dontaudit_read_login_records($1_usertype)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
@@ -44573,6 +44784,7 @@ index 2aa8928..b4d758b 100644
+ ')
+
+ optional_policy(`
++ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
+
@@ -44624,7 +44836,7 @@ index 2aa8928..b4d758b 100644
')
')
-@@ -940,7 +1136,7 @@ template(`userdom_unpriv_user_template', `
+@@ -940,7 +1138,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -44633,7 +44845,7 @@ index 2aa8928..b4d758b 100644
userdom_common_user_template($1)
##############################
-@@ -949,54 +1145,77 @@ template(`userdom_unpriv_user_template', `
+@@ -949,54 +1147,77 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -44741,7 +44953,7 @@ index 2aa8928..b4d758b 100644
')
')
-@@ -1032,7 +1251,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1032,7 +1253,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -44750,7 +44962,7 @@ index 2aa8928..b4d758b 100644
')
##############################
-@@ -1067,6 +1286,9 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1288,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -44760,7 +44972,7 @@ index 2aa8928..b4d758b 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1081,6 +1303,7 @@ template(`userdom_admin_user_template',`
+@@ -1081,6 +1305,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -44768,7 +44980,7 @@ index 2aa8928..b4d758b 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1112,10 +1335,13 @@ template(`userdom_admin_user_template',`
+@@ -1112,10 +1337,13 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -44782,7 +44994,7 @@ index 2aa8928..b4d758b 100644
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1135,6 +1361,7 @@ template(`userdom_admin_user_template',`
+@@ -1135,6 +1363,7 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -44790,7 +45002,7 @@ index 2aa8928..b4d758b 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1203,6 +1430,8 @@ template(`userdom_security_admin_template',`
+@@ -1203,6 +1432,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -44799,7 +45011,7 @@ index 2aa8928..b4d758b 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1230,6 +1459,7 @@ template(`userdom_security_admin_template',`
+@@ -1230,6 +1461,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -44807,7 +45019,7 @@ index 2aa8928..b4d758b 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1268,12 +1498,15 @@ template(`userdom_security_admin_template',`
+@@ -1268,12 +1500,15 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -44824,7 +45036,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -1384,6 +1617,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1384,6 +1619,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -44832,7 +45044,7 @@ index 2aa8928..b4d758b 100644
files_search_home($1)
')
-@@ -1430,6 +1664,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1430,6 +1666,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -44847,7 +45059,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -1445,9 +1687,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1445,9 +1689,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -44859,7 +45071,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -1504,6 +1748,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1504,6 +1750,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -44902,7 +45114,7 @@ index 2aa8928..b4d758b 100644
########################################
##
## Create directories in the home dir root with
-@@ -1578,6 +1858,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1578,6 +1860,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -44911,7 +45123,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -1592,10 +1874,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1592,10 +1876,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -44926,7 +45138,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -1638,34 +1922,53 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1638,34 +1924,53 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -44988,7 +45200,7 @@ index 2aa8928..b4d758b 100644
gen_require(`
type user_home_dir_t, user_home_t;
')
-@@ -1689,12 +1992,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1689,12 +1994,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -45021,7 +45233,7 @@ index 2aa8928..b4d758b 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1705,11 +2030,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -45039,7 +45251,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -1799,8 +2125,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1799,8 +2127,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -45049,7 +45261,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -1816,20 +2141,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1816,20 +2143,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -45074,7 +45286,7 @@ index 2aa8928..b4d758b 100644
########################################
##
-@@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2171,7 +2492,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -45083,7 +45295,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -2424,13 +2743,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2424,13 +2745,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -45099,7 +45311,7 @@ index 2aa8928..b4d758b 100644
##
##
##
-@@ -2451,26 +2771,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2451,26 +2773,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -45126,7 +45338,7 @@ index 2aa8928..b4d758b 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2804,7 +3104,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2804,7 +3106,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -45135,7 +45347,7 @@ index 2aa8928..b4d758b 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2820,11 +3120,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2820,11 +3122,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -45151,7 +45363,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -2906,7 +3208,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2906,7 +3210,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -45160,7 +45372,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -2961,7 +3263,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2961,7 +3265,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -45207,7 +45419,7 @@ index 2aa8928..b4d758b 100644
')
########################################
-@@ -2998,6 +3338,7 @@ interface(`userdom_read_all_users_state',`
+@@ -2998,6 +3340,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -45215,7 +45427,7 @@ index 2aa8928..b4d758b 100644
kernel_search_proc($1)
')
-@@ -3128,3 +3469,854 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3128,3 +3471,854 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c224b8f..c261d67 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.5
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,20 @@ exit 0
%endif
%changelog
+* Thu Sep 30 2010 Dan Walsh 3.9.5-9
+- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
+- Turn off iptables from unconfined user
+- Allow sudo to send signals to any domains the user could have transitioned to.
+- Passwd in single user mode needs to talk to console_device_t
+- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
+- locate tried to read a symbolic link, will dontaudit
+- New labels for telepathy-sunshine content in homedir
+- Google is storing other binaries under /opt/google/talkplugin
+- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
+- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
+- modemmanger and bluetooth send dbus messages to devicekit_power
+- Samba needs to getquota on filesystems labeld samba_share_t
+
* Wed Sep 29 2010 Dan Walsh 3.9.5-8
- Dontaudit attempts by xdm_t to write to bin_t for kdm
- Allow initrc_t to manage system_conf_t