Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

booleans.subs_dist

@@ -50,4 +50,4 @@ sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
 clamd_use_jit antivirus_use_jit
 amavis_use_jit antivirus_use_jit
 logwatch_can_sendmail logwatch_can_network_connect_mail
-puppetmaster_use_db puppet_use_db
+puppet_manage_all_files puppetagent_manage_all_files

modules-targeted-contrib.conf

@@ -2512,5 +2512,11 @@ bacula = module
 #
 # rhnsd policy
 #
-
 rhnsd = module
+
+# Layer: contrib
+# Module: gear
+#
+# gear policy
+#
+gear = module

policy-rawhide-base-user_tmp.patch

@@ -0,0 +1,885 @@
+diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
+index 32514ee..91a6a37 100644
+--- a/policy/modules/admin/bootloader.te
++++ b/policy/modules/admin/bootloader.te
+@@ -154,7 +154,7 @@ modutils_domtrans_insmod(bootloader_t)
+ seutil_read_bin_policy(bootloader_t)
+ seutil_read_loadpolicy(bootloader_t)
+ 
+-userdom_getattr_user_tmpfs_files(bootloader_t)
++userdom_getattr_user_tmp_files(bootloader_t)
+ userdom_use_inherited_user_terminals(bootloader_t)
+ userdom_dontaudit_search_user_home_dirs(bootloader_t)
+ 
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 337a00e..87c6145 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -5199,6 +5199,7 @@ interface(`files_search_tmp',`
+ 		type tmp_t;
+ 	')
+ 
++    fs_search_tmpfs($1)
+ 	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ 	allow $1 tmp_t:dir search_dir_perms;
+ ')
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index a3fe7f6..13a745c 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -33,7 +33,6 @@ gen_tunable(unconfined_login, true)
+ userdom_base_user_template(unconfined)
+ userdom_manage_home_role(unconfined_r, unconfined_t)
+ userdom_manage_tmp_role(unconfined_r, unconfined_t)
+-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+ userdom_unpriv_type(unconfined_t)
+ 
+ type unconfined_exec_t;
+diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
+index e8dcfa7..eb9cefe 100644
+--- a/policy/modules/services/ssh.if
++++ b/policy/modules/services/ssh.if
+@@ -219,8 +219,9 @@ template(`ssh_server_template',`
+ 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ 	term_create_pty($1_t, $1_devpts_t)
+ 
+-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++	#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++	#fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++    userdom_manage_tmp_role(system_r, sshd_t)
+ 
+ 	allow $1_t $1_var_run_t:file manage_file_perms;
+ 	files_pid_filetrans($1_t, $1_var_run_t, file)
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index a8b01bf..fc87b9e 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -89,7 +89,7 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+ type ssh_tmpfs_t;
+ typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+ typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+-userdom_user_tmpfs_file(ssh_tmpfs_t)
++userdom_user_tmp_file(ssh_tmpfs_t)
+ 
+ type ssh_home_t;
+ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+@@ -127,7 +127,7 @@ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+-fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ 
+ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+@@ -292,7 +292,7 @@ auth_exec_login_program(sshd_t)
+ 
+ userdom_read_user_home_content_files(sshd_t)
+ userdom_read_user_home_content_symlinks(sshd_t)
+-userdom_manage_tmp_role(system_r, sshd_t)
++#userdom_manage_tmp_role(system_r, sshd_t)
+ userdom_spec_domtrans_unpriv_users(sshd_t)
+ userdom_signal_unpriv_users(sshd_t)
+ userdom_dyntransition_unpriv_users(sshd_t)
+diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
+index 4dda124..4eee56a 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -76,10 +76,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
+ # /tmp
+ #
+ 
+-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
++/tmp/\.font-unix(/.*)?      gen_context(system_u:object_r:user_fonts_t,s0)
+ 
+ #
+ # /usr
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index bf98136..2469c27 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -220,7 +220,7 @@ interface(`xserver_non_drawing_client',`
+ interface(`xserver_user_client',`
+ 	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ 	gen_require(`
+-		type xdm_t, xdm_tmp_t;
++		type xdm_t;
+ 		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ 	')
+ 
+@@ -235,8 +235,8 @@ interface(`xserver_user_client',`
+ 	# for when /tmp/.X11-unix is created by the system
+ 	allow $1 xdm_t:fd use;
+ 	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
+-	allow $1 xdm_tmp_t:sock_file { read write };
++    userdom_search_user_tmp_dirs($1)
++    userdom_rw_user_tmp_sock_files($1)
+ 	dontaudit $1 xdm_t:tcp_socket { read write };
+ 
+ 	# Allow connections to X server.
+@@ -395,7 +395,7 @@ template(`xserver_object_types_template',`
+ #
+ template(`xserver_user_x_domain_template',`
+ 	gen_require(`
+-		type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++		type xdm_t, xserver_tmpfs_t;
+ 		type xdm_home_t;
+ 		type xauth_home_t, iceauth_home_t, xserver_t;
+ 	')
+@@ -413,8 +413,8 @@ template(`xserver_user_x_domain_template',`
+ 	# for when /tmp/.X11-unix is created by the system
+ 	allow $2 xdm_t:fd use;
+ 	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+-	allow $2 xdm_tmp_t:dir search_dir_perms;
+-	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++    userdom_search_user_tmp_dirs($2)
++    userdom_rw_user_tmp_sock_files($2)
+ 	dontaudit $2 xdm_t:tcp_socket { read write };
+ 
+ 	# Allow connections to X server.
+@@ -429,7 +429,7 @@ template(`xserver_user_x_domain_template',`
+ 	xserver_ro_session($2, $3)
+ 	xserver_use_user_fonts($2)
+ 
+-	xserver_read_xdm_tmp_files($2)
++    userdom_read_user_tmp_files($2)
+ 	xserver_read_xdm_pid($2)
+ 	xserver_xdm_append_log($2)
+ 
+@@ -817,12 +817,13 @@ interface(`xserver_manage_xdm_spool_files',`
+ #
+ interface(`xserver_stream_connect_xdm',`
+ 	gen_require(`
+-		type xdm_t, xdm_tmp_t, xdm_var_run_t;
++		type xdm_t, xdm_var_run_t;
+ 	')
+ 
+ 	files_search_tmp($1)
+ 	files_search_pids($1)
+-	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++	stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
++    userdom_stream_connect($1)
+ ')
+ 
+ ########################################
+@@ -934,12 +935,8 @@ interface(`xserver_read_xdm_rw_config',`
+ ## </param>
+ #
+ interface(`xserver_search_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	files_search_tmp($1)
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
++    userdom_search_user_tmp_dirs($1)
+ ')
+ 
+ ########################################
+@@ -953,11 +950,8 @@ interface(`xserver_search_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_setattr_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:dir setattr_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++    userdom_dontaudit_setattr_user_tmp($1)
+ ')
+ 
+ ########################################
+@@ -971,11 +965,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_dontaudit_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++    userdom_dontaudit_setattr_user_tmp($1)
+ ')
+ 
+ ########################################
+@@ -990,13 +981,8 @@ interface(`xserver_dontaudit_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_create_xdm_tmp_sockets',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	files_search_tmp($1)
+-	allow $1 xdm_tmp_t:dir list_dir_perms;
+-	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
++    userdom_create_user_tmp_sockets($1)
+ ')
+ 
+ ########################################
+@@ -1317,12 +1303,8 @@ interface(`xserver_manage_xdm_etc_files',`
+ ## </param>
+ #
+ interface(`xserver_read_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	files_search_tmp($1)
+-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
++    userdom_read_user_tmpfs_files($1)
+ ')
+ 
+ ########################################
+@@ -1336,12 +1318,8 @@ interface(`xserver_read_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+-	dontaudit $1 xdm_tmp_t:file read_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
++    userdom_dontaudit_read_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -1355,12 +1333,8 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_rw_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
+-	allow $1 xdm_tmp_t:file rw_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
++    userdom_rw_user_tmpfs_files($1)
+ ')
+ 
+ ########################################
+@@ -1374,11 +1348,8 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_manage_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
++    userdom_manage_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -1392,11 +1363,8 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_relabel_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:dir relabel_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
++    userdom_relabel_user_tmp_dirs($1)
+ ')
+ 
+ ########################################
+@@ -1410,11 +1378,8 @@ interface(`xserver_relabel_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_manage_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
++    userdom_manage_user_tmp_dirs($1)
+ ')
+ 
+ ########################################
+@@ -1429,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
++    usedom_dontaudit_user_getattr_tmp_sockets($1)
+ ')
+ 
+ ########################################
+@@ -1946,11 +1908,8 @@ interface(`xserver_xdm_ioctl_log',`
+ ## </param>
+ #
+ interface(`xserver_append_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:file append_inherited_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
++    userdom_append_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -2296,12 +2255,8 @@ interface(`xserver_filetrans_admin_home_content',`
+ ## </param>
+ #
+ interface(`xserver_xdm_tmp_filetrans',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
+-	files_search_tmp($1)
++    refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
++    userdom_user_tmp_filetrans($1,$2, $3, $4)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index f0e5cc0..e3f28af 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -231,12 +231,6 @@ files_type(xserver_var_lib_t)
+ type xserver_var_run_t;
+ files_pid_file(xserver_var_run_t)
+ 
+-type xdm_tmp_t;
+-files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+-typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+-userdom_user_tmp_file(xserver_tmp_t)
+-
+ type xdm_tmpfs_t;
+ files_tmpfs_file(xdm_tmpfs_t)
+ 
+@@ -264,7 +258,7 @@ files_config_file(xserver_etc_t)
+ type xserver_tmpfs_t;
+ typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+ typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
+-userdom_user_tmpfs_file(xserver_tmpfs_t)
++userdom_user_tmp_file(xserver_tmpfs_t)
+ 
+ type xsession_exec_t;
+ corecmd_executable_file(xsession_exec_t)
+@@ -470,14 +464,8 @@ read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+ 
+-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+-relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-can_exec(xdm_t, xdm_tmp_t)
++userdom_manage_all_user_tmp_content(xdm_t)
++userdom_exec_user_tmp_files(xdm_t)
+ 
+ manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+@@ -697,7 +685,7 @@ userdom_stream_connect(xdm_t)
+ userdom_manage_user_tmp_dirs(xdm_t)
+ userdom_manage_user_tmp_files(xdm_t)
+ userdom_manage_user_tmp_sockets(xdm_t)
+-userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_manage_tmp_role(system_r, xdm_t)
+ 
+ #userdom_home_manager(xdm_t)
+ tunable_policy(`xdm_write_home',`
+@@ -1349,9 +1337,8 @@ dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
+ read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+ 
+ # Label pid and temporary files with derived types.
+-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
++userdom_manage_user_tmp_files(xserver_t)
++userdom_manage_user_tmp_sockets(xserver_t)
+ 
+ # Run xkbcomp.
+ allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
+@@ -1591,7 +1578,6 @@ manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
+ 
+ stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
+-dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms;
+ files_search_tmp(x_userdomain)
+ 
+ # Communicate via System V shared memory.
+@@ -1618,10 +1604,9 @@ allow x_userdomain xauth_home_t:file read_file_perms;
+ # for when /tmp/.X11-unix is created by the system
+ allow x_userdomain xdm_t:fd use;
+ allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
+-allow x_userdomain xdm_tmp_t:dir search_dir_perms;
+-allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++userdom_search_user_tmp_dirs(x_userdomain)
++userdom_rw_user_tmp_sock_files(x_userdomain)
+ dontaudit x_userdomain xdm_t:tcp_socket { read write };
+-dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms;
+ 
+ allow x_userdomain xdm_t:dbus send_msg;
+ allow xdm_t  x_userdomain:dbus send_msg;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 1259fbd..5e66714 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -553,7 +553,7 @@ logging_manage_all_logs(syslogd_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+ userdom_search_user_home_dirs(syslogd_t)
+-userdom_rw_inherited_user_tmpfs_files(syslogd_t)
++userdom_rw_inherited_user_tmp_files(syslogd_t)
+ 
+ ifdef(`distro_gentoo',`
+ 	# default gentoo syslog-ng config appends kernel
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 00b82b3..9933cad 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -413,7 +413,7 @@ allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
+ manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+ manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+ fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
+-userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++userdom_rw_user_tmp_files(mount_ecryptfs_t)
+ 
+ domain_use_interactive_fds(mount_ecryptfs_t)
+ 
+diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
+index 4ca3a28..8f5380f 100644
+--- a/policy/modules/system/userdomain.fc
++++ b/policy/modules/system/userdomain.fc
+@@ -21,6 +21,12 @@ HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
+ HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
+ HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
+ 
++/tmp/\.X0-lock		--	gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
++
++
++
+ /var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
+ 
+ /tmp/hsperfdata_root        gen_context(system_u:object_r:user_tmp_t,s0)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 102478f..4f42aa5 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -420,6 +420,7 @@ interface(`userdom_manage_tmp_role',`
+ 	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ 	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++    fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ 	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ 	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+ 	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+@@ -427,8 +428,6 @@ interface(`userdom_manage_tmp_role',`
+ 	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ ')
+ 
+-
+-
+ #######################################
+ ## <summary>
+ ##	Dontaudit search of user bin dirs.
+@@ -534,24 +533,8 @@ interface(`userdom_manage_tmpfs_files',`
+ ## <rolecap/>
+ #
+ interface(`userdom_manage_tmpfs_role',`
+-	gen_require(`
+-		attribute user_tmpfs_type;
+-		type user_tmpfs_t;
+-	')
+-
+-	role $1 types user_tmpfs_t;
+-
+-	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+-	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
++    userdom_manage_tmp_role($1,$2)
+ ')
+ 
+ #######################################
+@@ -994,7 +977,6 @@ template(`userdom_login_user_template', `
+ 	userdom_manage_home_role($1_r, $1_t)
+ 
+ 	userdom_manage_tmp_role($1_r, $1_usertype)
+-	userdom_manage_tmpfs_role($1_r, $1_usertype)
+ 
+ 	ifelse(`$1',`unconfined',`',`
+ 		gen_tunable($1_exec_content, true)
+@@ -1839,8 +1821,8 @@ interface(`userdom_user_tmp_file',`
+ ## </param>
+ #
+ interface(`userdom_user_tmpfs_file',`
+-	files_tmpfs_file($1)
+-	ubac_constrained($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
++    userdom_user_tmp_file($1)
+ ')
+ 
+ ########################################
+@@ -1878,14 +1860,8 @@ interface(`userdom_user_tmp_content',`
+ ## </param>
+ #
+ interface(`userdom_user_tmpfs_content',`
+-	gen_require(`
+-		attribute user_tmpfs_type;
+-	')
+-
+-	typeattribute $1 user_tmpfs_type;
+-
+-	files_tmpfs_file($1)
+-	ubac_constrained($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
++    userdom_user_tmp_content($1)
+ ')
+ 
+ ########################################
+@@ -2400,6 +2376,43 @@ interface(`userdom_setattr_user_tmp_files',`
+ 
+ ########################################
+ ## <summary>
++##	Create a user tmp sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_create_user_tmp_sockets',`
++    gen_require(`
++        type user_tmp_t;
++    ')
++
++    files_search_tmp($1)
++    allow $1 user_tmp_t:dir list_dir_perms;
++    create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++## <summary>
++##	Dontaudit getattr on user tmp sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++    gen_require(`
++        type user_tmp_t;
++    ')
++    dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Relabel user tmp files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2416,6 +2429,26 @@ interface(`userdom_relabel_user_tmp_files',`
+ 
+ 	allow $1 user_tmp_t:file relabel_file_perms;
+ ')
++
++########################################
++## <summary>
++##	Relabel user tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_relabel_user_tmp_dirs',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:dir relabel_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to set the
+@@ -3068,6 +3101,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
++interface(`userdom_getattr_user_tmp_files',`
++	gen_require(`
++		attribute user_tmp_type;
++	')
++
++	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++	files_search_tmp($1)
++')
++
++########################################
++## <summary>
++##	Read user temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
+ interface(`userdom_read_user_tmp_files',`
+ 	gen_require(`
+ 		attribute user_tmp_type;
+@@ -3080,6 +3132,23 @@ interface(`userdom_read_user_tmp_files',`
+ 
+ ########################################
+ ## <summary>
++##	Read user temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_append_user_tmp_files',`
++    gen_require(`
++        type user_tmp_t;
++    ')
++    allow $1 user_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read users
+ ##	temporary files.
+ ## </summary>
+@@ -3135,6 +3204,25 @@ interface(`userdom_rw_user_tmp_files',`
+ 	rw_files_pattern($1, user_tmp_t, user_tmp_t)
+ 	files_search_tmp($1)
+ ')
++########################################
++## <summary>
++##	Read and write user temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_user_tmp_sock_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:dir list_dir_perms;
++    allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
++	files_search_tmp($1)
++')
+ 
+ ########################################
+ ## <summary>
+@@ -3372,12 +3460,8 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ## </param>
+ #
+ interface(`userdom_getattr_user_tmpfs_files',`
+-    gen_require(`
+-        type user_tmpfs_t;
+-    ')
+-
+-    getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-    fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++    userdom_getattr_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3391,14 +3475,8 @@ interface(`userdom_getattr_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_read_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	allow $1 user_tmpfs_t:dir list_dir_perms;
+-	fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
++    userdom_read_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3412,14 +3490,8 @@ interface(`userdom_read_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_rw_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	allow $1 user_tmpfs_t:dir list_dir_perms;
+-	fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
++    userdom_rw_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3433,11 +3505,8 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_rw_inherited_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	allow $1 user_tmpfs_t:file rw_inherited_file_perms;
++    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
++    userdom_rw_inherited_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3451,11 +3520,26 @@ interface(`userdom_rw_inherited_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_execute_user_tmpfs_files',`
++    refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
++    userdom_execute_user_tmp_files($1)
++')
++
++########################################
++## <summary>
++##	Execute user tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_execute_user_tmp_files',`
+ 	gen_require(`
+-		type user_tmpfs_t;
++		type user_tmp_t;
+ 	')
+ 
+-	allow $1 user_tmpfs_t:file execute;
++	allow $1 user_tmp_t:file execute;
+ ')
+ 
+ ########################################
+@@ -5208,16 +5292,8 @@ interface(`userdom_list_all_user_tmp_content',`
+ ## </param>
+ #
+ interface(`userdom_manage_all_user_tmpfs_content',`
+-	gen_require(`
+-		attribute user_tmpfs_type;
+-	')
+-
+-	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')    
++    userdom_manage_all_user_tmp_content($1)
+ ')
+ 
+ ########################################
+@@ -5431,11 +5507,8 @@ interface(`userdom_dontaudit_setattr_user_tmp',`
+ ## </param>
+ #
+ interface(`userdom_dontaudit_setattr_user_tmpfs',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	dontaudit $1 user_tmpfs_t:file setattr;
++    refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
++    userdom_dontaudit_setattr_user_tmp($1)
+ ')
+ 
+ ########################################
+@@ -5539,11 +5612,8 @@ interface(`userdom_delete_user_tmp_files',`
+ ## </param>
+ #
+ interface(`userdom_delete_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	allow $1 user_tmpfs_t:file delete_file_perms;
++    refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
++    userdom_delete_user_tmpfs_files($1)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 7283238..6cc7d53 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -97,19 +97,18 @@ dev_node(user_devpts_t)
+ files_type(user_devpts_t)
+ ubac_constrained(user_devpts_t)
+ 
+-type user_tmp_t, user_tmp_type;
++type user_tmp_t, user_tmp_type, user_tmpfs_type;
+ typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
++typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
++typealias user_tmp_t alias xdm_tmp_t;
++typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+ files_tmp_file(user_tmp_t)
++files_tmpfs_file(user_tmp_t)
+ userdom_user_home_content(user_tmp_t)
+ files_poly_parent(user_tmp_t)
+ files_mountpoint(user_tmp_t)
+ 
+-type user_tmpfs_t, user_tmpfs_type;
+-typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+-files_tmpfs_file(user_tmpfs_t)
+-userdom_user_home_content(user_tmpfs_t)
+-
+ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+ dev_node(user_tty_device_t)
+ ubac_constrained(user_tty_device_t)

policy-rawhide-contrib-user_tmp.patch

@@ -0,0 +1,252 @@
+diff --git a/chrome.te b/chrome.te
+index fb60ffc..7d937cb 100644
+--- a/chrome.te
++++ b/chrome.te
+@@ -114,8 +114,8 @@ miscfiles_read_fonts(chrome_sandbox_t)
+ 
+ sysnet_dns_name_resolve(chrome_sandbox_t)
+ 
+-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+-userdom_execute_user_tmpfs_files(chrome_sandbox_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_execute_user_tmp_files(chrome_sandbox_t)
+ 
+ userdom_use_user_ptys(chrome_sandbox_t)
+ userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+@@ -236,8 +236,8 @@ init_read_state(chrome_sandbox_nacl_t)
+ libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+ 
+ userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+-userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+ userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+ userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+ userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+diff --git a/colord.te b/colord.te
+index 5425ddf..3d5988c 100644
+--- a/colord.te
++++ b/colord.te
+@@ -112,7 +112,7 @@ logging_send_syslog_msg(colord_t)
+ 
+ systemd_read_logind_sessions_files(colord_t)
+ 
+-userdom_rw_user_tmpfs_files(colord_t)
++userdom_rw_user_tmp_files(colord_t)
+ userdom_home_reader(colord_t)
+ userdom_list_user_home_content(colord_t)
+ userdom_read_inherited_user_home_content_files(colord_t)
+diff --git a/corosync.te b/corosync.te
+index e827567..837e0a8 100644
+--- a/corosync.te
++++ b/corosync.te
+@@ -108,8 +108,8 @@ logging_send_syslog_msg(corosync_t)
+ miscfiles_read_localization(corosync_t)
+ 
+ userdom_read_user_tmp_files(corosync_t)
+-userdom_delete_user_tmpfs_files(corosync_t)
+-userdom_rw_user_tmpfs_files(corosync_t)
++userdom_delete_user_tmp_files(corosync_t)
++userdom_rw_user_tmp_files(corosync_t)
+ 
+ optional_policy(`
+ 	fs_manage_tmpfs_files(corosync_t)
+diff --git a/gpg.te b/gpg.te
+index 695e8fa..fe77236 100644
+--- a/gpg.te
++++ b/gpg.te
+@@ -364,9 +364,9 @@ miscfiles_read_fonts(gpg_pinentry_t)
+ 
+ # for .Xauthority
+ userdom_read_user_home_content_files(gpg_pinentry_t)
+-userdom_read_user_tmpfs_files(gpg_pinentry_t)
++userdom_read_user_tmp_files(gpg_pinentry_t)
+ # Bug: user pulseaudio files need open,read and unlink:
+-allow gpg_pinentry_t user_tmpfs_t:file unlink;
++allow gpg_pinentry_t user_tmp_t:file unlink;
+ userdom_signull_unpriv_users(gpg_pinentry_t)
+ userdom_use_user_terminals(gpg_pinentry_t)
+ 
+diff --git a/journalctl.te b/journalctl.te
+index 5de3229..e1d6594 100644
+--- a/journalctl.te
++++ b/journalctl.te
+@@ -36,8 +36,7 @@ fs_getattr_all_fs(journalctl_t)
+ userdom_list_user_home_dirs(journalctl_t)
+ userdom_read_user_home_content_files(journalctl_t)
+ userdom_use_inherited_user_ptys(journalctl_t)
+-userdom_write_inherited_user_tmp_files(journalctl_t)
+-userdom_rw_inherited_user_tmpfs_files(journalctl_t)
++userdom_rw_inherited_user_tmp_files(journalctl_t)
+ userdom_rw_inherited_user_home_content_files(journalctl_t)
+ 
+ miscfiles_read_localization(journalctl_t)
+diff --git a/kismet.te b/kismet.te
+index c070420..4e66536 100644
+--- a/kismet.te
++++ b/kismet.te
+@@ -96,7 +96,7 @@ corenet_tcp_connect_rtsclient_port(kismet_t)
+ auth_use_nsswitch(kismet_t)
+ 
+ userdom_use_inherited_user_terminals(kismet_t)
+-userdom_read_user_tmpfs_files(kismet_t)
++userdom_read_user_tmp_files(kismet_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(kismet_t)
+diff --git a/mozilla.te b/mozilla.te
+index ad56dac..01dc360 100644
+--- a/mozilla.te
++++ b/mozilla.te
+@@ -357,7 +357,6 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+ files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+ userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+-xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+ can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
+ 
+ manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+@@ -365,7 +364,6 @@ manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugi
+ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+-userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+ userdom_manage_home_texlive(mozilla_plugin_t)
+ 
+ allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+@@ -484,8 +482,6 @@ term_getattr_ptmx(mozilla_plugin_t)
+ term_dontaudit_use_ptmx(mozilla_plugin_t)
+ 
+ userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
+-userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+-userdom_delete_user_tmpfs_files(mozilla_plugin_t)
+ userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+ userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+ userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+diff --git a/mpd.te b/mpd.te
+index 92632e8..953e3bf 100644
+--- a/mpd.te
++++ b/mpd.te
+@@ -172,7 +172,7 @@ tunable_policy(`mpd_enable_homedirs',`
+ 	userdom_stream_connect(mpd_t)
+ 	userdom_read_home_audio_files(mpd_t)
+ 	userdom_list_user_tmp(mpd_t)
+-	userdom_read_user_tmpfs_files(mpd_t)
++	userdom_read_user_tmp_files(mpd_t)
+ 	userdom_dontaudit_setattr_user_tmp(mpd_t)
+ ')
+ 
+diff --git a/podsleuth.te b/podsleuth.te
+index 5bf10ce..c06ace5 100644
+--- a/podsleuth.te
++++ b/podsleuth.te
+@@ -80,7 +80,7 @@ sysnet_dns_name_resolve(podsleuth_t)
+ 
+ userdom_signal_unpriv_users(podsleuth_t)
+ userdom_signull_unpriv_users(podsleuth_t)
+-userdom_read_user_tmpfs_files(podsleuth_t)
++userdom_read_user_tmp_files(podsleuth_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(podsleuth_t)
+diff --git a/pulseaudio.te b/pulseaudio.te
+index 1d2470f..64ac070 100644
+--- a/pulseaudio.te
++++ b/pulseaudio.te
+@@ -97,7 +97,7 @@ auth_use_nsswitch(pulseaudio_t)
+ 
+ logging_send_syslog_msg(pulseaudio_t)
+ 
+-userdom_read_user_tmpfs_files(pulseaudio_t)
++userdom_read_user_tmp_files(pulseaudio_t)
+ 
+ userdom_search_user_home_dirs(pulseaudio_t)
+ userdom_write_user_tmp_sockets(pulseaudio_t)
+@@ -224,7 +224,7 @@ pulseaudio_signull(pulseaudio_client)
+ 
+ userdom_manage_user_home_content_files(pulseaudio_client)
+ 
+-userdom_read_user_tmpfs_files(pulseaudio_client)
++userdom_read_user_tmp_files(pulseaudio_client)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+     fs_getattr_nfs(pulseaudio_client)
+diff --git a/qemu.te b/qemu.te
+index 8c1e989..958c0ef 100644
+--- a/qemu.te
++++ b/qemu.te
+@@ -52,7 +52,7 @@ storage_raw_write_removable_device(qemu_t)
+ storage_raw_read_removable_device(qemu_t)
+ 
+ userdom_search_user_home_content(qemu_t)
+-userdom_read_user_tmpfs_files(qemu_t)
++userdom_read_user_tmp_files(qemu_t)
+ userdom_stream_connect(qemu_t)
+ 
+ tunable_policy(`qemu_full_network',`
+diff --git a/rhcs.te b/rhcs.te
+index ec50831..eb9e2ac 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -219,9 +219,8 @@ init_read_script_state(cluster_t)
+ init_rw_script_tmp_files(cluster_t)
+ init_manage_script_status_files(cluster_t)
+ 
+-userdom_read_user_tmp_files(cluster_t)
+-userdom_delete_user_tmpfs_files(cluster_t)
+-userdom_rw_user_tmpfs_files(cluster_t)
++userdom_delete_user_tmp_files(cluster_t)
++userdom_rw_user_tmp_files(cluster_t)
+ userdom_kill_all_users(cluster_t)
+ 
+ tunable_policy(`cluster_can_network_connect',`
+diff --git a/sandboxX.te b/sandboxX.te
+index 956922c..499e739 100644
+--- a/sandboxX.te
++++ b/sandboxX.te
+@@ -415,8 +415,8 @@ selinux_compute_relabel_context(sandbox_web_type)
+ selinux_compute_user_contexts(sandbox_web_type)
+ seutil_read_default_contexts(sandbox_web_type)
+ 
+-userdom_rw_user_tmpfs_files(sandbox_web_type)
+-userdom_delete_user_tmpfs_files(sandbox_web_type)
++userdom_rw_user_tmp_files(sandbox_web_type)
++userdom_delete_user_tmp_files(sandbox_web_type)
+ 
+ optional_policy(`
+ 	alsa_read_rw_config(sandbox_web_type)
+diff --git a/thumb.te b/thumb.te
+index 0e30ce2..bd82684 100644
+--- a/thumb.te
++++ b/thumb.te
+@@ -46,7 +46,7 @@ manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+ userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+ userdom_dontaudit_access_check_user_content(thumb_t)
+-userdom_rw_inherited_user_tmpfs_files(thumb_t)
++userdom_rw_inherited_user_tmp_files(thumb_t)
+ userdom_manage_home_texlive(thumb_t)
+ 
+ manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+@@ -55,7 +55,6 @@ manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+ exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+ files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+ userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+-xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
+ 
+ manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+ manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+diff --git a/userhelper.if b/userhelper.if
+index 35d784a..b25ec0d 100644
+--- a/userhelper.if
++++ b/userhelper.if
+@@ -315,7 +315,7 @@ template(`userhelper_console_role_template',`
+ 
+ 	auth_use_pam($1_consolehelper_t)
+ 
+-	userdom_manage_tmpfs_role($2, $1_consolehelper_t)
++	userdom_manage_tmp_role($2, $1_consolehelper_t)
+ 
+ 	optional_policy(`
+ 		dbus_connect_session_bus($1_consolehelper_t)

selinux-policy.spec

@@ -19,12 +19,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 40%{?dist}
+Release: 45%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-rawhide-base.patch
 patch1: policy-rawhide-contrib.patch
+patch2: policy-rawhide-base-user_tmp.patch
+patch3: policy-rawhide-contrib-user_tmp.patch
 Source1: modules-targeted-base.conf 
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -319,9 +321,11 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch3 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch2 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 
@@ -584,6 +588,46 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
+Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
+
+* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-44
+- Change hsperfdata_root to have as user_tmp_t
+- Allow rsyslog low-level network access
+- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
+- Allow conman to resolve DNS and use user ptys
+- update pegasus_openlmi_admin_t policy
+- nslcd wants chown capability
+- Dontaudit exec insmod in boinc policy
+
+* Fri Apr 4 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-43
+- Add labels for /var/named/chroot_sdb/dev devices
+- Add support for strongimcv
+- Add additional fixes for yubikeys based on william@firstyear.id.au
+- Allow init_t run /sbin/augenrules
+- Remove dup decl for dev_unmount_sysfs_fs
+- Allow unpriv SELinux user to use sandbox
+- Fix ntp_filetrans_named_content for sntp-kod file
+- Add httpd_dbus_sssd boolean
+- Dontaudit exec insmod in boinc policy
+- Add dbus_filetrans_named_content_system()
+- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
+- varnishd wants chown capability
+- update ntp_filetrans_named_content() interface
+- Add additional fixes for neutron_t. #1083335
+- Dontaudit sandbox_t getattr on proc_kcore_t
+- Allow pki_tomcat_t to read ipa lib files
+
+* Tue Apr 1 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-42
+- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
+
+* Thu Mar 27 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-41
+- Turn on gear_port_t
+- Add gear policy and remove permissive domains.
+- Add labels for ostree
+- Add SELinux awareness for NM
+- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
+
 * Wed Mar 26 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-40
 - update storage_filetrans_all_named_dev for sg* devices
 - Allow auditctl_t  to getattr on all removeable devices