add last bits from dan

refpolicy/policy/modules/admin/su.if

@@ -211,6 +211,13 @@ template(`su_per_userdomain_template',`
 	userdom_search_user_home($1,$1_su_t)
 
 	ifdef(`targeted_policy',`
+		# allow user to suspend terminal.
+		# does not work in strict since the
+		# parent may not be able to use
+		# the terminal if we newrole,
+		# which relabels the terminal.
+		allow $1_su_t self:process sigstop;
+
 		corecmd_exec_bin($1_su_t)
 		userdom_manage_all_user_files($1_su_t)
 		userdom_manage_all_user_symlinks($1_su_t)
@@ -220,6 +227,7 @@ template(`su_per_userdomain_template',`
 		# make sediff easier.
 		if(!secure_mode) {
 			unconfined_domtrans($1_su_t)
+			unconfined_signal($1_su_t)
 		}
 	',`
 		if(secure_mode) {

refpolicy/policy/modules/system/unconfined.if

@@ -185,6 +185,22 @@ interface(`unconfined_sigchld',`
 	allow $1 unconfined_t:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`unconfined_signal',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read unconfined domain unnamed pipes.