trunk: merge UBAC.

Changelog

@@ -1,3 +1,5 @@
+- Deprecate per-role templates and rolemap support.
+- Implement user-based access control for use as role separations.
 - Move shared library calls from individual modules to the domain module.
 - Enable open permission checks policy capability.
 - Remove hierarchy from portage module as it is not a good example of

Makefile

@@ -204,6 +204,10 @@ ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif
 
+ifeq "$(UBAC)" "y"
+	M4PARAM += -D enable_ubac
+endif
+
 # default MLS/MCS sensitivity and category settings.
 MLS_SENS ?= 16
 MLS_CATS ?= 256
@@ -550,6 +554,7 @@ ifneq "$(DISTRO)" ""
 endif
 	$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
 	$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+	$(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
 	$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
 	$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
 	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf

README

@@ -119,6 +119,9 @@ UNK_PERMS		String.  Set the kernel behavior for handling of
 			policy.  The permissions can either be allowed, denied,
 			or the policy loading can be rejected.
 
+UBAC			Boolean.  If set, the SELinux user will be used
+			additionally for approximate role separation.
+
 MLS_SENS		Integer.  Set the number of sensitivities in the MLS
 			policy.  Ignored on standard and MCS policies.
 

Rules.modular

@@ -157,7 +157,7 @@ endif
 	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
 
 $(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) $^ > $@
 

Rules.monolithic

@@ -142,7 +142,7 @@ endif
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
 
-$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files)
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) $^ > $@
 

build.conf

@@ -48,6 +48,10 @@ DIRECT_INITRC = n
 # will build a loadable module policy.
 MONOLITHIC = y
 
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = y
+
 # Number of MLS Sensitivities
 # The sensitivities will be s0 to s(MLS_SENS-1).
 # Dominance will be in increasing numerical order

config/appconfig-mcs/default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0

config/appconfig-mcs/root_default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

config/appconfig-mcs/staff_u_default_contexts

@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:staff_crond_t:s0
+system_r:crond_t:s0		staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0

config/appconfig-mcs/unconfined_u_default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0

config/appconfig-mcs/user_u_default_contexts

@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0

config/appconfig-mls/default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0

config/appconfig-mls/root_default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

config/appconfig-mls/staff_u_default_contexts

@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:staff_crond_t:s0
+system_r:crond_t:s0		staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0

config/appconfig-mls/unconfined_u_default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0

config/appconfig-mls/user_u_default_contexts

@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0

config/appconfig-standard/default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t	user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
+system_r:crond_t	user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
 system_r:local_login_t	user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
 system_r:remote_login_t	user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
 system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t

config/appconfig-standard/root_default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t	unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+system_r:crond_t	unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
 system_r:local_login_t  unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
 
 staff_r:staff_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t

config/appconfig-standard/staff_u_default_contexts

@@ -1,7 +1,7 @@
 system_r:local_login_t		staff_r:staff_t sysadm_r:sysadm_t
 system_r:remote_login_t		staff_r:staff_t
 system_r:sshd_t			staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t		staff_r:staff_crond_t
+system_r:crond_t		staff_r:cronjob_t
 system_r:xdm_t			staff_r:staff_t
 staff_r:staff_su_t		staff_r:staff_t
 staff_r:staff_sudo_t		staff_r:staff_t

config/appconfig-standard/unconfined_u_default_contexts

@@ -1,4 +1,4 @@
-system_r:crond_t		unconfined_r:unconfined_t
+system_r:crond_t		unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
 system_r:initrc_t		unconfined_r:unconfined_t
 system_r:local_login_t		unconfined_r:unconfined_t
 system_r:remote_login_t		unconfined_r:unconfined_t

config/appconfig-standard/user_u_default_contexts

@@ -1,7 +1,7 @@
 system_r:local_login_t		user_r:user_t
 system_r:remote_login_t		user_r:user_t
 system_r:sshd_t			user_r:user_t
-system_r:crond_t		user_r:user_crond_t
+system_r:crond_t		user_r:cronjob_t
 system_r:xdm_t			user_r:user_t
 user_r:user_su_t		user_r:user_t
 user_r:user_sudo_t		user_r:user_t

policy/constraints

@@ -25,59 +25,219 @@
 # name_list : name | name_list name		
 #
 
+define(`basic_ubac_conditions',`
+	ifdef(`enable_ubac',`
+		u1 == u2
+		or u1 == system_u
+		or u2 == system_u
+		or t1 != ubac_constrained_type
+		or t2 != ubac_constrained_type
+	')
+')
+
+define(`basic_ubac_constraint',`
+	ifdef(`enable_ubac',`
+		constrain $1 all_$1_perms
+		(
+			basic_ubac_conditions
+		);
+	')
+')
+
+define(`exempted_ubac_constraint',`
+	ifdef(`enable_ubac',`
+		constrain $1 all_$1_perms
+		(
+			basic_ubac_conditions
+			or t1 == $2
+		);
+	')
+')
+
+########################################
 #
-# SELinux process identity change constraint:
+# File rules
 #
-constrain process transition
+
+exempted_ubac_constraint(dir, ubacfile)
+exempted_ubac_constraint(file, ubacfile)
+exempted_ubac_constraint(lnk_file, ubacfile)
+exempted_ubac_constraint(fifo_file, ubacfile)
+exempted_ubac_constraint(sock_file, ubacfile)
+exempted_ubac_constraint(chr_file, ubacfile)
+exempted_ubac_constraint(blk_file, ubacfile)
+
+# SElinux object identity change constraint:
+constrain dir_file_class_set { create relabelto relabelfrom } 
 (
 	u1 == u2
-
-	or ( t1 == can_change_process_identity and t2 == process_user_target )
-
-       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
-
-	or ( t1 == can_system_change and u2 == system_u )
-
-	or ( t1 == process_uncond_exempt )
+	or t1 == can_change_object_identity
 );
 
+########################################
 #
-# SELinux process role change constraint:
+# Process rules
 #
-constrain process transition 
+
+constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
 (
-	r1 == r2 
-
-	or ( t1 == can_change_process_role and t2 == process_user_target )
-
-   	or ( t1 == cron_source_domain and t2 == cron_job_domain )
-
-	or ( t1 == can_system_change and r2 == system_r )
+	basic_ubac_conditions
+	or t1 == ubacproc
+);
 
+constrain process { transition noatsecure siginh rlimitinh }
+(
+	u1 == u2
+	or ( t1 == can_change_process_identity and t2 == process_user_target )
+       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+	or ( t1 == can_system_change and u2 == system_u )
+	or ( t1 == process_uncond_exempt )
+);
+
+constrain process { transition noatsecure siginh rlimitinh }
+(
+	r1 == r2
+	or ( t1 == can_change_process_identity and t2 == process_user_target )
+	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+	or ( t1 == can_system_change and u2 == system_u )
 	or ( t1 == process_uncond_exempt )
 );
 
-#
-# SELinux dynamic transition constraint:
-#
 constrain process dyntransition
 (
 	u1 == u2 and r1 == r2
 );
 
-#
-# SElinux object identity change constraint:
-#
-constrain dir_file_class_set { create relabelto relabelfrom } 
-(
-	u1 == u2
+# These permissions do not have ubac constraints:
+# fork
+# setexec
+# setfscreate
+# setcurrent
+# execmem
+# execstack
+# execheap
+# setkeycreate
+# setsockcreate
 
-	or t1 == can_change_object_identity
-);
+########################################
+#
+# File descriptor rules
+#
+
+exempted_ubac_constraint(fd, ubacfd)
+
+########################################
+#
+# Socket rules
+#
+
+exempted_ubac_constraint(socket, ubacsock)
+exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(udp_socket, ubacsock)
+exempted_ubac_constraint(rawip_socket, ubacsock)
+exempted_ubac_constraint(netlink_socket, ubacsock)
+exempted_ubac_constraint(packet_socket, ubacsock)
+exempted_ubac_constraint(key_socket, ubacsock)
+exempted_ubac_constraint(unix_stream_socket, ubacsock)
+exempted_ubac_constraint(unix_dgram_socket, ubacsock)
+exempted_ubac_constraint(netlink_route_socket, ubacsock)
+exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
+exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
+exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
+exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
+exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
+exempted_ubac_constraint(netlink_audit_socket, ubacsock)
+exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
+exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
+exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
+exempted_ubac_constraint(appletalk_socket, ubacsock)
+exempted_ubac_constraint(dccp_socket, ubacsock)
 
 constrain socket_class_set { create relabelto relabelfrom } 
 (
 	u1 == u2
-
 	or t1 == can_change_object_identity
 );
+
+########################################
+#
+# SysV IPC rules
+
+exempted_ubac_constraint(sem, ubacipc)
+exempted_ubac_constraint(msg, ubacipc)
+exempted_ubac_constraint(msgq, ubacipc)
+exempted_ubac_constraint(shm, ubacipc)
+exempted_ubac_constraint(ipc, ubacipc)
+
+########################################
+#
+# SE-X Windows rules
+#
+
+exempted_ubac_constraint(x_drawable, ubacxwin)
+exempted_ubac_constraint(x_screen, ubacxwin)
+exempted_ubac_constraint(x_gc, ubacxwin)
+exempted_ubac_constraint(x_font, ubacxwin)
+exempted_ubac_constraint(x_colormap, ubacxwin)
+exempted_ubac_constraint(x_property, ubacxwin)
+exempted_ubac_constraint(x_selection, ubacxwin)
+exempted_ubac_constraint(x_cursor, ubacxwin)
+exempted_ubac_constraint(x_client, ubacxwin)
+exempted_ubac_constraint(x_device, ubacxwin)
+exempted_ubac_constraint(x_server, ubacxwin)
+exempted_ubac_constraint(x_extension, ubacxwin)
+exempted_ubac_constraint(x_resource, ubacxwin)
+exempted_ubac_constraint(x_event, ubacxwin)
+exempted_ubac_constraint(x_synthetic_event, ubacxwin)
+exempted_ubac_constraint(x_application_data, ubacxwin)
+
+########################################
+#
+# D-BUS rules
+#
+
+exempted_ubac_constraint(dbus, ubacdbus)
+
+########################################
+#
+# Key rules
+#
+
+exempted_ubac_constraint(key, ubackey)
+
+########################################
+#
+# Database rules
+#
+
+exempted_ubac_constraint(db_database, ubacdb)
+exempted_ubac_constraint(db_table, ubacdb)
+exempted_ubac_constraint(db_procedure, ubacdb)
+exempted_ubac_constraint(db_column, ubacdb)
+exempted_ubac_constraint(db_tuple, ubacdb)
+exempted_ubac_constraint(db_blob, ubacdb)
+
+
+
+basic_ubac_constraint(association)
+basic_ubac_constraint(peer)
+
+
+# these classes have no UBAC restrictions
+#class security
+#class system
+#class capability
+#class memprotect
+#class passwd			# userspace
+#class node
+#class netif
+#class packet
+#class capability2
+#class nscd			# userspace
+#class context			# userspace
+
+
+
+undefine(`basic_ubac_constraint')
+undefine(`basic_ubac_conditions')
+undefine(`exempted_ubac_constraint')

policy/global_tunables

@@ -62,8 +62,8 @@ gen_tunable(global_ssp,false)
 ## <desc>
 ## <p>
 ## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
+## nfs, samba, removable devices, and user temp
+## files
 ## </p>
 ## </desc>
 gen_tunable(mail_read_content,false)
@@ -89,15 +89,6 @@ gen_tunable(nfs_export_all_ro,false)
 ## </desc>
 gen_tunable(read_default_t,false)
 
-## <desc>
-## <p>
-## Allow applications to read untrusted content
-## If this is disallowed, Internet content has
-## to be manually relabeled for read access to be granted
-## </p>
-## </desc>
-gen_tunable(read_untrusted_content,false)
-
 ## <desc>
 ## <p>
 ## Support NFS home directories
@@ -120,12 +111,3 @@ gen_tunable(use_samba_home_dirs,false)
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
-
-## <desc>
-## <p>
-## Allow applications to write untrusted content
-## If this is disallowed, no Internet content
-## will be stored.
-## </p>
-## </desc>
-gen_tunable(write_untrusted_content,false)

policy/modules/admin/acct.te

@@ -1,5 +1,5 @@
 
-policy_module(acct, 1.2.0)
+policy_module(acct, 1.2.1)
 
 ########################################
 #
@@ -64,8 +64,7 @@ logging_send_syslog_msg(acct_t)
 miscfiles_read_localization(acct_t)
 
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
-
-sysadm_dontaudit_search_home_dirs(acct_t)
+userdom_dontaudit_search_user_home_dirs(acct_t)
 
 optional_policy(`
 	optional_policy(`

policy/modules/admin/alsa.te

@@ -1,5 +1,5 @@
 
-policy_module(alsa, 1.6.0)
+policy_module(alsa, 1.6.1)
 
 ########################################
 #
@@ -60,10 +60,7 @@ miscfiles_read_localization(alsa_t)
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
-
-sysadm_dontaudit_search_home_dirs(alsa_t)
-
-unprivuser_search_home_dirs(alsa_t)
+userdom_search_user_home_dirs(alsa_t)
 
 optional_policy(`
 	hal_use_fds(alsa_t)

policy/modules/admin/amanda.if

@@ -33,11 +33,6 @@ interface(`amanda_domtrans_recover',`
 ##	The role to be allowed the amanda_recover domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the amanda_recover domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`amanda_run_recover',`
@@ -47,7 +42,6 @@ interface(`amanda_run_recover',`
 
 	amanda_domtrans_recover($1)
 	role $2 types amanda_recover_t;
-	allow amanda_recover_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/amanda.te

@@ -1,5 +1,5 @@
 
-policy_module(amanda, 1.10.0)
+policy_module(amanda, 1.10.1)
 
 #######################################
 #
@@ -182,7 +182,7 @@ manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_
 manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
-sysadm_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
 manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
@@ -227,4 +227,5 @@ logging_search_logs(amanda_recover_t)
 
 miscfiles_read_localization(amanda_recover_t)
 
-sysadm_search_home_content_dirs(amanda_recover_t)
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)

policy/modules/admin/amtu.if

@@ -34,11 +34,6 @@ interface(`amtu_domtrans',`
 ##	The role to be allowed the amtu domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the amtu domain to use.
-##	</summary>
-## </param>
 #
 interface(`amtu_run',`
 	gen_require(`
@@ -47,5 +42,4 @@ interface(`amtu_run',`
 
 	amtu_domtrans($1)
 	role $2 types amtu_t;
-	allow amtu_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/amtu.te

@@ -1,4 +1,4 @@
-policy_module(amtu,1.1.0)
+policy_module(amtu, 1.1.1)
 
 ########################################
 #
@@ -23,6 +23,8 @@ files_read_etc_files(amtu_t)
 
 logging_send_audit_msgs(amtu_t)
 
+userdom_use_user_terminals(amtu_t)
+
 optional_policy(`
 	nscd_dontaudit_search_pid(amtu_t)
 ')

policy/modules/admin/anaconda.te

@@ -1,5 +1,5 @@
 
-policy_module(anaconda, 1.4.0)
+policy_module(anaconda, 1.4.1)
 
 ########################################
 #
@@ -32,7 +32,7 @@ modutils_domtrans_insmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
 
-unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	kudzu_domtrans(anaconda_t)

policy/modules/admin/apt.if

@@ -34,11 +34,6 @@ interface(`apt_domtrans',`
 ##	The role to allow the apt domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the apt domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`apt_run',`
@@ -48,7 +43,6 @@ interface(`apt_run',`
 
 	apt_domtrans($1)
 	role $2 types apt_t;
-	allow apt_t $3:chr_file rw_term_perms;
 	# TODO: likely have to add dpkg_run here.
 ')
 

policy/modules/admin/apt.te

@@ -1,5 +1,5 @@
 
-policy_module(apt, 1.4.0)
+policy_module(apt, 1.4.1)
 
 ########################################
 #
@@ -119,6 +119,8 @@ seutil_use_newrole_fds(apt_t)
 
 sysnet_read_config(apt_t)
 
+userdom_use_user_terminals(apt_t)
+
 # with boolean, for cron-apt and such?
 #optional_policy(`
 #	cron_system_entry(apt_t,apt_exec_t)

policy/modules/admin/backup.if

@@ -33,11 +33,6 @@ interface(`backup_domtrans',`
 ##	The role to be allowed the backup domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`backup_run',`
@@ -47,5 +42,4 @@ interface(`backup_run',`
 
 	backup_domtrans($1)
 	role $2 types backup_t;
-	allow backup_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/backup.te

@@ -1,5 +1,5 @@
 
-policy_module(backup, 1.3.0)
+policy_module(backup, 1.3.1)
 
 ########################################
 #
@@ -71,6 +71,8 @@ logging_send_syslog_msg(backup_t)
 
 sysnet_read_config(backup_t)
 
+userdom_use_user_terminals(backup_t)
+
 optional_policy(`
 	cron_system_entry(backup_t, backup_exec_t)
 ')

policy/modules/admin/bootloader.if

@@ -33,11 +33,6 @@ interface(`bootloader_domtrans',`
 ##	The role to be allowed the bootloader domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the bootloader domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`bootloader_run',`
@@ -48,11 +43,10 @@ interface(`bootloader_run',`
 	bootloader_domtrans($1)
 
 	role $2 types bootloader_t;
-	allow bootloader_t $3:chr_file rw_term_perms;
 
 	ifdef(`distro_redhat',`
 		# for mke2fs
-		mount_run(bootloader_t, $2, $3)
+		mount_run(bootloader_t, $2)
 	')
 ')
 

policy/modules/admin/bootloader.te

@@ -1,5 +1,5 @@
 
-policy_module(bootloader, 1.9.0)
+policy_module(bootloader, 1.9.1)
 
 ########################################
 #
@@ -135,6 +135,9 @@ seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
 
+userdom_use_user_terminals(bootloader_t)
+userdom_dontaudit_search_user_home_dirs(bootloader_t)
+
 ifdef(`distro_debian',`
 	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 	fs_list_tmpfs(bootloader_t)
@@ -211,11 +214,3 @@ optional_policy(`
 optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
-
-optional_policy(`
-	staff_dontaudit_search_home_dirs(bootloader_t)
-')
-
-optional_policy(`
-	sysadm_dontaudit_search_home_dirs(bootloader_t)
-')

policy/modules/admin/certwatch.if

@@ -37,11 +37,6 @@ interface(`certwatch_domtrans',`
 ##	The role to be allowed the certwatch domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the certwatch domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`certwatch_run',`
@@ -51,7 +46,6 @@ interface(`certwatch_run',`
 
 	certwatch_domtrans($1)
 	role $2 types certwatch_t;
-	allow certwatch_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/certwatch.te

@@ -32,6 +32,8 @@ logging_send_syslog_msg(certwatch_t)
 miscfiles_read_certs(certwatch_t)
 miscfiles_read_localization(certwatch_t)
 
+userdom_use_user_terminals(certwatch_t)
+
 optional_policy(`
 	apache_exec_modules(certwatch_t)
 ')

policy/modules/admin/consoletype.if

@@ -36,11 +36,6 @@ interface(`consoletype_domtrans',`
 ##	The role to be allowed the consoletype domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the consoletype domain to use.
-##	</summary>
-## </param>
 #
 interface(`consoletype_run',`
 	gen_require(`
@@ -49,7 +44,6 @@ interface(`consoletype_run',`
 
 	consoletype_domtrans($1)
 	role $2 types consoletype_t;
-	allow consoletype_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/consoletype.te

@@ -1,5 +1,5 @@
 
-policy_module(consoletype, 1.6.0)
+policy_module(consoletype, 1.6.1)
 
 ########################################
 #
@@ -54,6 +54,8 @@ domain_use_interactive_fds(consoletype_t)
 files_dontaudit_read_root_files(consoletype_t)
 files_list_usr(consoletype_t)
 
+userdom_use_user_terminals(consoletype_t)
+
 ifdef(`distro_redhat',`
 	fs_rw_tmpfs_chr_files(consoletype_t)
 ')

policy/modules/admin/ddcprobe.if

@@ -33,11 +33,6 @@ interface(`ddcprobe_domtrans',`
 ##	Role to be authenticated for ddcprobe domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clock domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ddcprobe_run',`
@@ -47,5 +42,4 @@ interface(`ddcprobe_run',`
 
 	ddcprobe_domtrans($1)
 	role $2 types ddcprobe_t;
-	allow ddcprobe_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/ddcprobe.te

@@ -1,5 +1,5 @@
 
-policy_module(ddcprobe, 1.1.0)
+policy_module(ddcprobe, 1.1.1)
 
 ########################################
 #
@@ -45,6 +45,7 @@ miscfiles_read_localization(ddcprobe_t)
 
 modutils_read_module_deps(ddcprobe_t)
 
+userdom_use_user_terminals(ddcprobe_t)
 userdom_use_all_users_fds(ddcprobe_t)
 
 #reh why? this does not seem even necessary to function properly

policy/modules/admin/dmesg.te

@@ -1,5 +1,5 @@
 
-policy_module(dmesg, 1.2.0)
+policy_module(dmesg, 1.2.1)
 
 ########################################
 #
@@ -48,8 +48,7 @@ logging_write_generic_logs(dmesg_t)
 miscfiles_read_localization(dmesg_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-
-sysadm_use_terms(dmesg_t)
+userdom_use_user_terminals(dmesg_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(dmesg_t)

policy/modules/admin/dmidecode.if

@@ -38,11 +38,6 @@ interface(`dmidecode_domtrans',`
 ##	The role to be allowed the dmidecode domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dmidecode domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`dmidecode_run',`
@@ -52,5 +47,4 @@ interface(`dmidecode_run',`
 
 	dmidecode_domtrans($1)
 	role $2 types dmidecode_t;
-	allow dmidecode_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/dmidecode.te

@@ -1,5 +1,5 @@
 
-policy_module(dmidecode, 1.3.0)
+policy_module(dmidecode, 1.3.1)
 
 ########################################
 #
@@ -24,8 +24,8 @@ dev_read_raw_memory(dmidecode_t)
 
 mls_file_read_all_levels(dmidecode_t)
 
-term_list_ptys(dmidecode_t)
-
 files_list_usr(dmidecode_t)
 
 locallogin_use_fds(dmidecode_t)
+
+userdom_use_user_terminals(dmidecode_t)

policy/modules/admin/dpkg.if

@@ -58,11 +58,6 @@ interface(`dpkg_domtrans_script',`
 ##	The role to allow the dpkg domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dpkg domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`dpkg_run',`
@@ -73,8 +68,7 @@ interface(`dpkg_run',`
 	dpkg_domtrans($1)
 	role $2 types dpkg_t;
 	role $2 types dpkg_script_t;
-	seutil_run_loadpolicy(dpkg_script_t, $2, $3)
-	allow dpkg_t $3:chr_file rw_term_perms;
+	seutil_run_loadpolicy(dpkg_script_t, $2)
 ')
 
 ########################################

policy/modules/admin/dpkg.te

@@ -1,5 +1,5 @@
 
-policy_module(dpkg, 1.5.0)
+policy_module(dpkg, 1.5.1)
 
 ########################################
 #
@@ -141,8 +141,6 @@ storage_raw_write_fixed_disk(dpkg_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(dpkg_t)
 
-term_list_ptys(dpkg_t)
-
 auth_relabel_all_files_except_shadow(dpkg_t)
 auth_manage_all_files_except_shadow(dpkg_t)
 auth_dontaudit_read_shadow(dpkg_t)
@@ -164,6 +162,7 @@ seutil_manage_bin_policy(dpkg_t)
 
 sysnet_read_config(dpkg_t)
 
+userdom_use_user_terminals(dpkg_t)
 userdom_use_unpriv_users_fds(dpkg_t)
 
 # transition to dpkg script:
@@ -284,8 +283,6 @@ selinux_compute_user_contexts(dpkg_script_t)
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
 
-term_getattr_unallocated_ttys(dpkg_script_t)
-term_list_ptys(dpkg_script_t)
 term_use_all_terms(dpkg_script_t)
 
 auth_dontaudit_getattr_shadow(dpkg_script_t)

policy/modules/admin/firstboot.if

@@ -36,11 +36,6 @@ interface(`firstboot_domtrans',`
 ##	The role to be allowed the firstboot domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the firstboot domain to use.
-##	</summary>
-## </param>
 #
 interface(`firstboot_run',`
 	gen_require(`
@@ -49,7 +44,6 @@ interface(`firstboot_run',`
 
 	firstboot_domtrans($1)
 	role $2 types firstboot_t;
-	allow firstboot_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/firstboot.te

@@ -1,5 +1,5 @@
 
-policy_module(firstboot, 1.8.0)
+policy_module(firstboot, 1.8.1)
 
 gen_require(`
 	class passwd rootok;
@@ -80,14 +80,15 @@ modutils_domtrans_insmod(firstboot_t)
 modutils_read_module_config(firstboot_t)
 modutils_read_module_deps(firstboot_t)
 
+userdom_use_user_terminals(firstboot_t)
 # Add/remove user home directories
-unprivuser_manage_home_content_dirs(firstboot_t)
-unprivuser_manage_home_content_files(firstboot_t)
-unprivuser_manage_home_content_symlinks(firstboot_t)
-unprivuser_manage_home_content_pipes(firstboot_t)
-unprivuser_manage_home_content_sockets(firstboot_t)
-unprivuser_home_filetrans_home_dir(firstboot_t)
-unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_manage_user_home_content_dirs(firstboot_t)
+userdom_manage_user_home_content_files(firstboot_t)
+userdom_manage_user_home_content_symlinks(firstboot_t)
+userdom_manage_user_home_content_pipes(firstboot_t)
+userdom_manage_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_user_home_dir(firstboot_t)
+userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	hal_dbus_chat(firstboot_t)
@@ -116,6 +117,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xserver_rw_xdm_xserver_shm(firstboot_t)
+	xserver_rw_shm(firstboot_t)
 	xserver_unconfined(firstboot_t)
 ')

policy/modules/admin/kismet.if

@@ -33,11 +33,6 @@ interface(`kismet_domtrans',`
 ##	The role to be allowed the kismet domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the role's terminal.
-##	</summary>
-## </param>
 #
 interface(`kismet_run',`
 	gen_require(`
@@ -46,7 +41,6 @@ interface(`kismet_run',`
 
 	kismet_domtrans($1)
 	role $2 types kismet_t;
-	allow kismet_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/kismet.te

@@ -1,5 +1,5 @@
 
-policy_module(kismet, 1.1.0)
+policy_module(kismet, 1.1.1)
 
 ########################################
 #
@@ -52,3 +52,5 @@ auth_use_nsswitch(kismet_t)
 files_read_etc_files(kismet_t)
 
 miscfiles_read_localization(kismet_t)
+
+userdom_use_user_terminals(kismet_t)

policy/modules/admin/kudzu.if

@@ -33,11 +33,6 @@ interface(`kudzu_domtrans',`
 ##	The role to be allowed the kudzu domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the kudzu domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`kudzu_run',`
@@ -47,7 +42,6 @@ interface(`kudzu_run',`
 
 	kudzu_domtrans($1)
 	role $2 types kudzu_t;
-	allow kudzu_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/kudzu.te

@@ -1,5 +1,5 @@
 
-policy_module(kudzu, 1.7.0)
+policy_module(kudzu, 1.7.1)
 
 ########################################
 #
@@ -77,7 +77,6 @@ storage_raw_write_removable_device(kudzu_t)
 storage_raw_read_fixed_disk(kudzu_t)
 storage_raw_read_removable_device(kudzu_t)
 
-term_search_ptys(kudzu_t)
 term_dontaudit_use_console(kudzu_t)
 # so it can write messages to the console
 term_use_unallocated_ttys(kudzu_t)
@@ -123,9 +122,9 @@ modutils_domtrans_insmod(kudzu_t)
 
 sysnet_read_config(kudzu_t)
 
+userdom_use_user_terminals(kudzu_t)
 userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
-
-sysadm_search_home_dirs(kudzu_t)
+userdom_search_user_home_dirs(kudzu_t)
 
 optional_policy(`
 	gpm_getattr_gpmctl(kudzu_t)

policy/modules/admin/logrotate.if

@@ -33,11 +33,6 @@ interface(`logrotate_domtrans',`
 ##	The role to be allowed the logrotate domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the logrotate domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logrotate_run',`
@@ -47,7 +42,6 @@ interface(`logrotate_run',`
 
 	logrotate_domtrans($1)
 	role $2 types logrotate_t;
-	allow logrotate_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/logrotate.te

@@ -1,5 +1,5 @@
 
-policy_module(logrotate, 1.10.0)
+policy_module(logrotate, 1.10.1)
 
 ########################################
 #
@@ -115,6 +115,8 @@ miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
 
+userdom_use_user_terminals(logrotate_t)
+userdom_dontaudit_search_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
@@ -122,8 +124,6 @@ cron_search_spool(logrotate_t)
 
 mta_send_mail(logrotate_t)
 
-sysadm_dontaudit_search_home_dirs(logrotate_t)
-
 ifdef(`distro_debian', `
 	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 	# for savelog

policy/modules/admin/logwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(logwatch, 1.8.0)
+policy_module(logwatch, 1.8.1)
 
 #################################
 #
@@ -86,9 +86,9 @@ selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_dns_name_resolve(logwatch_t)
 
-mta_send_mail(logwatch_t)
+userdom_dontaudit_search_user_home_dirs(logwatch_t)
 
-sysadm_dontaudit_search_home_dirs(logwatch_t)
+mta_send_mail(logwatch_t)
 
 optional_policy(`
 	apache_read_log(logwatch_t)

policy/modules/admin/mrtg.te

@@ -1,5 +1,5 @@
 
-policy_module(mrtg, 1.5.0)
+policy_module(mrtg, 1.5.1)
 
 ########################################
 #
@@ -113,11 +113,10 @@ miscfiles_read_localization(mrtg_t)
 
 selinux_dontaudit_getattr_dir(mrtg_t)
 
+userdom_use_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
 
-sysadm_use_terms(mrtg_t)
-sysadm_dontaudit_read_home_content_files(mrtg_t)
-
 ifdef(`enable_mls',`
 	corenet_udp_sendrecv_lo_if(mrtg_t)
 ')

policy/modules/admin/netutils.if

@@ -33,11 +33,6 @@ interface(`netutils_domtrans',`
 ##	The role to be allowed the netutils domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the netutils domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run',`
@@ -47,7 +42,6 @@ interface(`netutils_run',`
 
 	netutils_domtrans($1)
 	role $2 types netutils_t;
-	allow netutils_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -155,11 +149,6 @@ interface(`netutils_signal_ping',`
 ##	The role to be allowed the ping domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ping domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_ping',`
@@ -169,7 +158,6 @@ interface(`netutils_run_ping',`
 
 	netutils_domtrans_ping($1)
 	role $2 types ping_t;
-	allow ping_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -187,11 +175,6 @@ interface(`netutils_run_ping',`
 ##	The role to be allowed the ping domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ping domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_ping_cond',`
@@ -204,7 +187,6 @@ interface(`netutils_run_ping_cond',`
 
 	if ( user_ping ) {
 		netutils_domtrans_ping($1)
-		allow ping_t $3:chr_file rw_term_perms;
 	}
 ')
 
@@ -259,11 +241,6 @@ interface(`netutils_domtrans_traceroute',`
 ##	The role to be allowed the traceroute domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the traceroute domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_traceroute',`
@@ -273,7 +250,6 @@ interface(`netutils_run_traceroute',`
 
 	netutils_domtrans_traceroute($1)
 	role $2 types traceroute_t;
-	allow traceroute_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -291,11 +267,6 @@ interface(`netutils_run_traceroute',`
 ##	The role to be allowed the traceroute domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the traceroute domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_traceroute_cond',`
@@ -308,7 +279,6 @@ interface(`netutils_run_traceroute_cond',`
 
 	if( user_ping ) {
 		netutils_domtrans_traceroute($1)
-		allow traceroute_t $3:chr_file rw_term_perms;
 	}
 ')
 

policy/modules/admin/netutils.te

@@ -1,5 +1,5 @@
 
-policy_module(netutils, 1.7.0)
+policy_module(netutils, 1.7.1)
 
 ########################################
 #
@@ -85,6 +85,7 @@ logging_send_syslog_msg(netutils_t)
 
 miscfiles_read_localization(netutils_t)
 
+userdom_use_user_terminals(netutils_t)
 userdom_use_all_users_fds(netutils_t)
 
 optional_policy(`
@@ -133,6 +134,8 @@ logging_send_syslog_msg(ping_t)
 
 miscfiles_read_localization(ping_t)
 
+userdom_use_user_terminals(ping_t)
+
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
 ')
@@ -197,6 +200,8 @@ logging_send_syslog_msg(traceroute_t)
 
 miscfiles_read_localization(traceroute_t)
 
+userdom_use_user_terminals(traceroute_t)
+
 #rules needed for nmap
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)

policy/modules/admin/portage.if

@@ -40,11 +40,6 @@ interface(`portage_domtrans',`
 ##	The role to allow the portage domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow for portage to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`portage_run',`
@@ -54,9 +49,6 @@ interface(`portage_run',`
 
 	portage_domtrans($1)
 	role $2 types { portage_t portage_fetch_t portage_sandbox_t };
-	allow portage_t $3:chr_file rw_term_perms;
-	allow portage_fetch_t $3:chr_file rw_term_perms;
-	allow portage_sandbox_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -186,6 +178,8 @@ interface(`portage_compile_domain',`
 
 	logging_send_syslog_msg($1)
 
+	userdom_use_user_terminals($1)
+
 	ifdef(`TODO',`
 	# some gui ebuilds want to interact with X server, like xawtv
 	optional_policy(`
@@ -231,11 +225,6 @@ interface(`portage_domtrans_gcc_config',`
 ##	The role to allow the gcc_config domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow for gcc_config to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`portage_run_gcc_config',`
@@ -245,5 +234,4 @@ interface(`portage_run_gcc_config',`
 
 	portage_domtrans_gcc_config($1)
 	role $2 types gcc_config_t;
-	allow gcc_config_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/portage.te

@@ -1,5 +1,5 @@
 
-policy_module(portage, 1.6.1)
+policy_module(portage, 1.6.2)
 
 ########################################
 #
@@ -90,8 +90,6 @@ files_search_pids(gcc_config_t)
 # the directory it is being run from
 files_list_all(gcc_config_t)
 
-term_search_ptys(gcc_config_t)
-
 # seems to be ok without this
 init_dontaudit_read_script_status_files(gcc_config_t)
 
@@ -105,6 +103,8 @@ logging_send_syslog_msg(gcc_config_t)
 
 miscfiles_read_localization(gcc_config_t)
 
+userdom_use_user_terminals(gcc_config_t)
+
 consoletype_exec(gcc_config_t)
 
 optional_policy(`
@@ -245,7 +245,8 @@ miscfiles_read_localization(portage_fetch_t)
 sysnet_read_config(portage_fetch_t)
 sysnet_dns_name_resolve(portage_fetch_t)
 
-sysadm_dontaudit_read_home_content_files(portage_fetch_t)
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 
 ifdef(`hide_broken_symptoms',`
 	dontaudit portage_fetch_t portage_cache_t:file read;

policy/modules/admin/prelink.if

@@ -33,11 +33,6 @@ interface(`prelink_domtrans',`
 ##	The role to allow the prelink domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the prelink domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`prelink_run',`
@@ -47,7 +42,6 @@ interface(`prelink_run',`
 
 	prelink_domtrans($1)
 	role $2 types prelink_t;
-	allow prelink_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/prelink.te

@@ -1,5 +1,5 @@
 
-policy_module(prelink, 1.5.0)
+policy_module(prelink, 1.5.1)
 
 ########################################
 #
@@ -79,6 +79,8 @@ libs_delete_lib_symlinks(prelink_t)
 
 miscfiles_read_localization(prelink_t)
 
+userdom_use_user_terminals(prelink_t)
+
 optional_policy(`
 	amanda_manage_lib(prelink_t)
 ')

policy/modules/admin/quota.if

@@ -33,11 +33,6 @@ interface(`quota_domtrans',`
 ##	The role to be allowed the quota domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the quota domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`quota_run',`
@@ -47,7 +42,6 @@ interface(`quota_run',`
 
 	quota_domtrans($1)
 	role $2 types quota_t;
-	allow quota_t $3:chr_file rw_term_perms;
 ')
 
 ########################################

policy/modules/admin/quota.te

@@ -1,5 +1,5 @@
 
-policy_module(quota, 1.3.0)
+policy_module(quota, 1.3.1)
 
 ########################################
 #
@@ -72,6 +72,7 @@ init_use_script_ptys(quota_t)
 
 logging_send_syslog_msg(quota_t)
 
+userdom_use_user_terminals(quota_t)
 userdom_dontaudit_use_unpriv_user_fds(quota_t)
 
 optional_policy(`

policy/modules/admin/readahead.te

@@ -1,5 +1,5 @@
 
-policy_module(readahead, 1.7.0)
+policy_module(readahead, 1.7.1)
 
 ########################################
 #
@@ -77,8 +77,7 @@ logging_dontaudit_search_audit_config(readahead_t)
 miscfiles_read_localization(readahead_t)
 
 userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-
-sysadm_dontaudit_search_home_dirs(readahead_t)
+userdom_dontaudit_search_user_home_dirs(readahead_t)
 
 optional_policy(`
 	cron_system_entry(readahead_t, readahead_exec_t)

policy/modules/admin/rpm.if

@@ -56,11 +56,6 @@ interface(`rpm_domtrans_script',`
 ##	The role to allow the RPM domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the RPM domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`rpm_run',`
@@ -71,10 +66,9 @@ interface(`rpm_run',`
 	rpm_domtrans($1)
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
-	seutil_run_loadpolicy(rpm_script_t, $2, $3)
-	seutil_run_semanage(rpm_script_t, $2, $3)
-	seutil_run_setfiles(rpm_script_t, $2, $3)
-	allow rpm_t $3:chr_file rw_term_perms;
+	seutil_run_loadpolicy(rpm_script_t, $2)
+	seutil_run_semanage(rpm_script_t, $2)
+	seutil_run_setfiles(rpm_script_t, $2)
 ')
 
 ########################################

policy/modules/admin/rpm.te

@@ -1,5 +1,5 @@
 
-policy_module(rpm, 1.8.0)
+policy_module(rpm, 1.8.1)
 
 ########################################
 #
@@ -132,8 +132,6 @@ storage_raw_write_fixed_disk(rpm_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(rpm_t)
 
-term_list_ptys(rpm_t)
-
 auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
@@ -168,6 +166,7 @@ logging_send_syslog_msg(rpm_t)
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
 
+userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
 
 optional_policy(`
@@ -273,8 +272,6 @@ selinux_compute_user_contexts(rpm_script_t)
 storage_raw_read_fixed_disk(rpm_script_t)
 storage_raw_write_fixed_disk(rpm_script_t)
 
-term_getattr_unallocated_ttys(rpm_script_t)
-term_list_ptys(rpm_script_t)
 term_use_all_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
@@ -338,7 +335,7 @@ optional_policy(`
 	unconfined_domtrans(rpm_script_t)
 
 	optional_policy(`
-		java_domtrans(rpm_script_t)
+		java_domtrans_unconfined(rpm_script_t)
 	')
 
 	optional_policy(`

policy/modules/admin/su.if

@@ -125,29 +125,12 @@ template(`su_restricted_domain_template', `
 
 #######################################
 ## <summary>
-##	The per role template for the su module.
+##	The role template for the su module.
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to change the linux user id, to run shells as a different
-##	user.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
 ## <param name="user_role">
@@ -155,8 +138,13 @@ template(`su_restricted_domain_template', `
 ##	The role associated with the user domain.
 ##	</summary>
 ## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
 #
-template(`su_per_role_template',`
+template(`su_role_template',`
 	gen_require(`
 		attribute su_domain_type;
 		type su_exec_t;
@@ -167,9 +155,10 @@ template(`su_per_role_template',`
 	domain_entry_file($1_su_t,su_exec_t)
 	domain_type($1_su_t)
 	domain_interactive_fd($1_su_t)
-	role $3 types $1_su_t;
+	ubac_constrained($1_su_t)
+	role $2 types $1_su_t;
 
-	allow $2 $1_su_t:process signal;
+	allow $3 $1_su_t:process signal;
 
 	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
@@ -179,13 +168,15 @@ template(`su_per_role_template',`
 	allow $1_su_t self:key { search write };
 
 	# Transition from the user domain to this domain.
-	domtrans_pattern($2, su_exec_t, $1_su_t)
+	domtrans_pattern($3, su_exec_t, $1_su_t)
+
+	ps_process_pattern($3, $1_su_t)
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_su_t, $2)
-	allow $2 $1_su_t:fd use;
-	allow $2 $1_su_t:fifo_file rw_file_perms;
-	allow $2 $1_su_t:process sigchld;
+	corecmd_shell_domtrans($1_su_t, $3)
+	allow $3 $1_su_t:fd use;
+	allow $3 $1_su_t:fifo_file rw_file_perms;
+	allow $3 $1_su_t:process sigchld;
 
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
@@ -200,7 +191,7 @@ template(`su_per_role_template',`
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
 
-	auth_domtrans_user_chk_passwd($1, $1_su_t)
+	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
 	auth_rw_faillog($1_su_t)
@@ -224,8 +215,8 @@ template(`su_per_role_template',`
 
 	miscfiles_read_localization($1_su_t)
 
-	userdom_use_user_terminals($1, $1_su_t)
-	userdom_search_user_home_dirs($1, $1_su_t)
+	userdom_use_user_terminals($1_su_t)
+	userdom_search_user_home_dirs($1_su_t)
 
 	ifdef(`distro_rhel4',`
 		domain_role_change_exemption($1_su_t)
@@ -285,17 +276,9 @@ template(`su_per_role_template',`
 
 	# Modify .Xauthority file (via xauth program).
 	optional_policy(`
-		xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
-		xserver_domtrans_user_xauth($1, $1_su_t)
+		xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+		xserver_domtrans_xauth($1_su_t)
 	')
-
-	ifdef(`TODO',`
-	allow $1_su_t $1_home_t:file manage_file_perms;
-
-	# Access sshd cookie files.
-	allow $1_su_t sshd_tmp_t:file rw_file_perms;
-	file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-	') dnl end TODO
 ')
 
 #######################################

policy/modules/admin/su.te

@@ -1,5 +1,5 @@
 
-policy_module(su, 1.8.0)
+policy_module(su, 1.8.1)
 
 ########################################
 #

policy/modules/admin/sudo.if

@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per role template for the sudo module.
+##	The role template for the sudo module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -10,30 +10,25 @@
 ##	to change the linux user id, to run commands as a different
 ##	user.
 ##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
+## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
 ## <param name="user_role">
 ##	<summary>
-##	The role associated with the user domain.
+##	The user role.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The user domain associated with the role.
 ##	</summary>
 ## </param>
 #
-template(`sudo_per_role_template',`
+template(`sudo_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;
@@ -47,7 +42,8 @@ template(`sudo_per_role_template',`
 	type $1_sudo_t; 
 	application_domain($1_sudo_t, sudo_exec_t)
 	domain_interactive_fd($1_sudo_t)
-	role $3 types $1_sudo_t;
+	ubac_constrained($1_sudo_t)
+	role $2 types $1_sudo_t;
 
 	##############################
 	#
@@ -71,13 +67,13 @@ template(`sudo_per_role_template',`
 	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
 
 	# Enter this derived domain from the user domain
-	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_sudo_t, $2)
-	allow $2 $1_sudo_t:fd use;
-	allow $2 $1_sudo_t:fifo_file rw_file_perms;
-	allow $2 $1_sudo_t:process sigchld;
+	corecmd_shell_domtrans($1_sudo_t, $3)
+	allow $3 $1_sudo_t:fd use;
+	allow $3 $1_sudo_t:fifo_file rw_file_perms;
+	allow $3 $1_sudo_t:process sigchld;
 
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
@@ -113,22 +109,11 @@ template(`sudo_per_role_template',`
 
 	miscfiles_read_localization($1_sudo_t)
 
-	userdom_manage_user_home_content_files($1, $1_sudo_t)
-	userdom_manage_user_home_content_symlinks($1, $1_sudo_t)
-	userdom_manage_user_tmp_files($1, $1_sudo_t)
-	userdom_manage_user_tmp_symlinks($1, $1_sudo_t)
-	userdom_use_user_terminals($1, $1_sudo_t)
-	userdom_use_unpriv_users_fds($1_sudo_t)
+	userdom_manage_user_home_content_files($1_sudo_t)
+	userdom_manage_user_home_content_symlinks($1_sudo_t)
+	userdom_manage_user_tmp_files($1_sudo_t)
+	userdom_manage_user_tmp_symlinks($1_sudo_t)
+	userdom_use_user_terminals($1_sudo_t)
 	# for some PAM modules and for cwd
-	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-
-	ifdef(`TODO',`
-	# for when the network connection is killed
-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
-
-	ifdef(`mta.te', `
-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-	')
-
-	') dnl end TODO
+	userdom_dontaudit_search_user_home_content($1_sudo_t)
 ')

policy/modules/admin/sudo.te

@@ -1,5 +1,5 @@
 
-policy_module(sudo, 1.3.0)
+policy_module(sudo, 1.3.1)
 
 ########################################
 #
@@ -7,5 +7,3 @@ policy_module(sudo, 1.3.0)
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
-
-# Remaining policy in per user domain template.

policy/modules/admin/tripwire.if

@@ -46,11 +46,6 @@ interface(`tripwire_domtrans_tripwire',`
 ##	The role to be allowed the tripwire domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tripwire domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_tripwire',`
@@ -60,7 +55,6 @@ interface(`tripwire_run_tripwire',`
 
 	tripwire_domtrans_tripwire($1)
 	role $2 types tripwire_t;
-	allow tripwire_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -96,11 +90,6 @@ interface(`tripwire_domtrans_twadmin',`
 ##	The role to be allowed the twadmin domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the twadmin domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_twadmin',`
@@ -110,7 +99,6 @@ interface(`tripwire_run_twadmin',`
 
 	tripwire_domtrans_twadmin($1)
 	role $2 types twadmin_t;
-	allow twadmin_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -146,11 +134,6 @@ interface(`tripwire_domtrans_twprint',`
 ##	The role to be allowed the twprint domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the twprint domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_twprint',`
@@ -160,7 +143,6 @@ interface(`tripwire_run_twprint',`
 
 	tripwire_domtrans_twprint($1)
 	role $2 types twprint_t;
-	allow twprint_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -196,11 +178,6 @@ interface(`tripwire_domtrans_siggen',`
 ##	The role to be allowed the siggen domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the siggen domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_siggen',`
@@ -210,5 +187,4 @@ interface(`tripwire_run_siggen',`
 
 	tripwire_domtrans_siggen($1)
 	role $2 types siggen_t;
-	allow siggen_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/tripwire.te

@@ -1,5 +1,5 @@
 
-policy_module(tripwire, 1.1.0)
+policy_module(tripwire, 1.1.1)
 
 ########################################
 #
@@ -81,6 +81,8 @@ files_getattr_all_sockets(tripwire_t)
 
 logging_send_syslog_msg(tripwire_t)
 
+userdom_use_user_terminals(tripwire_t)
+
 optional_policy(`
 	cron_system_entry(tripwire_t, tripwire_exec_t)
 ')
@@ -100,6 +102,8 @@ logging_send_syslog_msg(twadmin_t)
 
 miscfiles_read_localization(twadmin_t)
 
+userdom_use_user_terminals(twadmin_t)
+
 ########################################
 #
 # Twprint local policy
@@ -124,6 +128,8 @@ logging_send_syslog_msg(twprint_t)
 
 miscfiles_read_localization(twprint_t)
 
+userdom_use_user_terminals(twprint_t)
+
 ########################################
 #
 # Siggen local policy
@@ -137,3 +143,5 @@ files_read_all_files(siggen_t)
 logging_send_syslog_msg(siggen_t)
 
 miscfiles_read_localization(siggen_t)
+
+userdom_use_user_terminals(siggen_t)

policy/modules/admin/tzdata.if

@@ -32,11 +32,6 @@ interface(`tzdata_domtrans',`
 ##	The role to allow the tzdata domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tzdata domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tzdata_run',`
@@ -46,5 +41,4 @@ interface(`tzdata_run',`
 
 	tzdata_domtrans($1)
 	role $2 types tzdata_t;
-	allow tzdata_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/tzdata.te

@@ -1,5 +1,5 @@
 
-policy_module(tzdata, 1.2.0)
+policy_module(tzdata, 1.2.1)
 
 ########################################
 #
@@ -27,6 +27,8 @@ miscfiles_read_localization(tzdata_t)
 miscfiles_manage_localization(tzdata_t)
 miscfiles_etc_filetrans_localization(tzdata_t)
 
+userdom_use_user_terminals(tzdata_t)
+
 # tzdata looks for /var/spool/postfix/etc/localtime.
 optional_policy(`
 	postfix_search_spool(tzdata_t)

policy/modules/admin/updfstab.te

@@ -1,5 +1,5 @@
 
-policy_module(updfstab, 1.4.0)
+policy_module(updfstab, 1.4.1)
 
 ########################################
 #
@@ -76,7 +76,7 @@ seutil_read_config(updfstab_t)
 seutil_read_default_contexts(updfstab_t)
 seutil_read_file_contexts(updfstab_t)
 
-userdom_dontaudit_search_all_users_home_content(updfstab_t)
+userdom_dontaudit_search_user_home_content(updfstab_t)
 userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
 
 optional_policy(`
@@ -86,7 +86,7 @@ optional_policy(`
 optional_policy(`
 	init_dbus_chat_script(updfstab_t)
 
-	dbus_system_bus_client_template(updfstab, updfstab_t)
+	dbus_system_bus_client(updfstab_t)
 ')
 
 optional_policy(`

policy/modules/admin/usbmodules.if

@@ -34,11 +34,6 @@ interface(`usbmodules_domtrans',`
 ##	The role to be allowed the usbmodules domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the usbmodules domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usbmodules_run',`
@@ -48,5 +43,4 @@ interface(`usbmodules_run',`
 
 	usbmodules_domtrans($1)
 	role $2 types usbmodules_t;
-	allow usbmodules_t $3:chr_file rw_term_perms;
 ')

policy/modules/admin/usbmodules.te

@@ -1,5 +1,5 @@
 
-policy_module(usbmodules, 1.1.0)
+policy_module(usbmodules, 1.1.1)
 
 ########################################
 #
@@ -37,6 +37,8 @@ miscfiles_read_hwdata(usbmodules_t)
 
 modutils_read_module_deps(usbmodules_t)
 
+userdom_use_user_terminals(usbmodules_t)
+
 optional_policy(`
 	hotplug_read_config(usbmodules_t)
 ')

policy/modules/admin/usermanage.if

@@ -35,11 +35,6 @@ interface(`usermanage_domtrans_chfn',`
 ##	The role to be allowed the chfn domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the chfn domain to use.
-##	</summary>
-## </param>
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
@@ -48,7 +43,6 @@ interface(`usermanage_run_chfn',`
 
 	usermanage_domtrans_chfn($1)
 	role $2 types chfn_t;
-	allow chfn_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -86,11 +80,6 @@ interface(`usermanage_domtrans_groupadd',`
 ##	The role to be allowed the groupadd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the groupadd domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usermanage_run_groupadd',`
@@ -100,10 +89,9 @@ interface(`usermanage_run_groupadd',`
 
 	usermanage_domtrans_groupadd($1)
 	role $2 types groupadd_t;
-	allow groupadd_t $3:chr_file rw_term_perms;
 
 	optional_policy(`
-		nscd_run(groupadd_t, $2, $3)
+		nscd_run(groupadd_t, $2)
 	')
 ')
 
@@ -142,11 +130,6 @@ interface(`usermanage_domtrans_passwd',`
 ##	The role to be allowed the passwd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the passwd domain to use.
-##	</summary>
-## </param>
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
@@ -155,7 +138,6 @@ interface(`usermanage_run_passwd',`
 
 	usermanage_domtrans_passwd($1)
 	role $2 types passwd_t;
-	allow passwd_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -195,11 +177,6 @@ interface(`usermanage_domtrans_admin_passwd',`
 ##	The role to be allowed the admin passwd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the admin passwd domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usermanage_run_admin_passwd',`
@@ -209,10 +186,9 @@ interface(`usermanage_run_admin_passwd',`
 
 	usermanage_domtrans_admin_passwd($1)
 	role $2 types sysadm_passwd_t;
-	allow sysadm_passwd_t $3:chr_file rw_term_perms;
 
 	optional_policy(`
-		nscd_run(sysadm_passwd_t, $2, $3)
+		nscd_run(sysadm_passwd_t, $2)
 	')
 ')
 
@@ -269,11 +245,6 @@ interface(`usermanage_domtrans_useradd',`
 ##	The role to be allowed the useradd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the useradd domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usermanage_run_useradd',`
@@ -283,10 +254,9 @@ interface(`usermanage_run_useradd',`
 
 	usermanage_domtrans_useradd($1)
 	role $2 types useradd_t;
-	allow useradd_t $3:chr_file rw_term_perms;
 
 	optional_policy(`
-		nscd_run(useradd_t, $2, $3)
+		nscd_run(useradd_t, $2)
 	')
 ')
 

policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage, 1.11.0)
+policy_module(usermanage, 1.11.1)
 
 ########################################
 #
@@ -119,7 +119,7 @@ seutil_dontaudit_search_config(chfn_t)
 userdom_use_unpriv_users_fds(chfn_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home_content(chfn_t)
+userdom_dontaudit_search_user_home_content(chfn_t)
 
 ########################################
 #
@@ -153,7 +153,7 @@ corecmd_exec_bin(crack_t)
 
 logging_send_syslog_msg(crack_t)
 
-sysadm_dontaudit_search_home_dirs(crack_t)
+userdom_dontaudit_search_user_home_dirs(crack_t)
 
 ifdef(`distro_debian',`
 	# the package cracklib-runtime on Debian contains a daily maintenance
@@ -227,9 +227,8 @@ auth_use_nsswitch(groupadd_t)
 seutil_read_config(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
-
 # for when /root is the cwd
-sysadm_dontaudit_search_home_dirs(groupadd_t)
+userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
@@ -316,13 +315,14 @@ miscfiles_read_localization(passwd_t)
 
 seutil_dontaudit_search_config(passwd_t)
 
+userdom_use_user_terminals(passwd_t)
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
 userdom_read_all_users_state(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home_content(passwd_t)
+userdom_dontaudit_search_user_home_content(passwd_t)
 
 optional_policy(`
 	nscd_domtrans(passwd_t)
@@ -406,7 +406,7 @@ seutil_dontaudit_search_config(sysadm_passwd_t)
 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
+userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
 
 optional_policy(`
 	nscd_domtrans(sysadm_passwd_t)
@@ -485,10 +485,10 @@ seutil_domtrans_setfiles(useradd_t)
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
-userdom_manage_all_users_home_content_dirs(useradd_t)
-userdom_manage_all_users_home_content_files(useradd_t)
-unprivuser_home_filetrans_home_dir(useradd_t)
-unprivuser_home_dir_filetrans_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(useradd_t)
+userdom_manage_user_home_content_files(useradd_t)
+userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
 

policy/modules/admin/vpn.if

@@ -33,11 +33,6 @@ interface(`vpn_domtrans',`
 ##	The role to be allowed the vpnc domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the vpnc domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`vpn_run',`
@@ -47,8 +42,7 @@ interface(`vpn_run',`
 
 	vpn_domtrans($1)
 	role $2 types vpnc_t;
-	allow vpnc_t $3:chr_file rw_term_perms;
-	sysnet_run_ifconfig(vpnc_t, $2, $3)
+	sysnet_run_ifconfig(vpnc_t, $2)
 ')
 
 ########################################

policy/modules/admin/vpn.te

@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.9.0)
+policy_module(vpn, 1.9.1)
 
 ########################################
 #
@@ -105,10 +105,10 @@ sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
 userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_all_users_home_content(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(vpnc, vpnc_t)
+	dbus_system_bus_client(vpnc_t)
 
 	optional_policy(`
 		networkmanager_dbus_chat(vpnc_t)

policy/modules/apps/ada.if

@@ -34,11 +34,6 @@ interface(`ada_domtrans',`
 ##	The role to be allowed the ada domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ada domain to use.
-##	</summary>
-## </param>
 #
 interface(`ada_run',`
 	gen_require(`
@@ -47,5 +42,4 @@ interface(`ada_run',`
 
 	ada_domtrans($1)
 	role $2 types ada_t;
-	allow ada_t $3:chr_file rw_term_perms;
 ')

policy/modules/apps/ada.te

@@ -1,5 +1,5 @@
 
-policy_module(ada, 1.2.0)
+policy_module(ada, 1.2.1)
 
 ########################################
 #
@@ -18,6 +18,8 @@ role system_r types ada_t;
 
 allow ada_t self:process { execstack execmem };
 
+userdom_use_user_terminals(ada_t)
+
 optional_policy(`
 	unconfined_domain_noaudit(ada_t)
 ')

policy/modules/apps/calamaris.te

@@ -1,5 +1,5 @@
 
-policy_module(calamaris, 1.3.0)
+policy_module(calamaris, 1.3.1)
 
 ########################################
 #
@@ -65,7 +65,7 @@ miscfiles_read_localization(calamaris_t)
 
 sysnet_read_config(calamaris_t)
 
-sysadm_dontaudit_list_home_dirs(calamaris_t)
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
 
 squid_read_log(calamaris_t)
 

policy/modules/apps/cdrecord.if

@@ -1,187 +1,33 @@
 ## <summary>Policy for cdrecord</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the cdrecord module.
+##	Role access for cdrecord
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates derived domains which are used
-##	for cdrecord.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`cdrecord_per_role_template', `
-
+interface(`cdrecord_role',`
 	gen_require(`
-		type cdrecord_exec_t;
+		type cdrecord_t, cdrecord_exec_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_cdrecord_t;
-	application_domain($1_cdrecord_t, cdrecord_exec_t)
-	role $3 types $1_cdrecord_t;
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-	allow $1_cdrecord_t self:process { getsched setsched sigkill };
-	allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-	allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
-
-	# allow ps to show cdrecord and allow the user to kill it 
-	ps_process_pattern($2,$1_cdrecord_t)
-	allow $2 $1_cdrecord_t:process signal;
+	role $1 types cdrecord_t;
 
 	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, cdrecord_exec_t, $1_cdrecord_t)
+	domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
 
-	# allow searching for cdrom-drive
-	dev_list_all_dev_nodes($1_cdrecord_t) 
+	allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
 
-	domain_interactive_fd($1_cdrecord_t)
-	domain_use_interactive_fds($1_cdrecord_t)
-
-	files_read_etc_files($1_cdrecord_t)
-
-	term_use_controlling_term($1_cdrecord_t)
-	term_list_ptys($1_cdrecord_t)
-
-	# allow cdrecord to write the CD
-	storage_raw_write_removable_device($1_cdrecord_t)
-	storage_write_scsi_generic($1_cdrecord_t)
-
-	logging_send_syslog_msg($1_cdrecord_t)
-
-	miscfiles_read_localization($1_cdrecord_t)
-
-	# write to the user domain tty.
-	userdom_use_user_terminals($1, $1_cdrecord_t)
-	userdom_use_user_terminals($1, $2)
-
-	userdom_read_user_home_content_files($1, $1_cdrecord_t)
-
-	# Handle nfs home dirs
-	tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		fs_read_nfs_files($1_cdrecord_t)
-		fs_read_nfs_symlinks($1_cdrecord_t)
-
-	',`
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
-		fs_dontaudit_read_nfs_files($1_cdrecord_t)
-		fs_dontaudit_list_nfs($1_cdrecord_t)
-	')
-	# Handle samba home dirs
-	tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		fs_read_cifs_files($1_cdrecord_t)
-		fs_read_cifs_symlinks($1_cdrecord_t)
-	',`
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
-		fs_dontaudit_read_cifs_files($1_cdrecord_t)
-		fs_dontaudit_list_cifs($1_cdrecord_t)
-	')
-
-	# Handle removable media, /tmp, and /home
-	tunable_policy(`cdrecord_read_content',`
-		userdom_list_user_tmp($1, $1_cdrecord_t)
-		userdom_read_user_tmp_files($1, $1_cdrecord_t)
-		userdom_read_user_tmp_symlinks($1, $1_cdrecord_t)
-		userdom_search_user_home_dirs($1, $1_cdrecord_t)
-		userdom_read_user_home_content_files($1, $1_cdrecord_t)
-		userdom_read_user_home_content_symlinks($1, $1_cdrecord_t)
-
-		ifdef(`enable_mls',`
-		',`
-			fs_search_removable($1_cdrecord_t)
-			fs_read_removable_files($1_cdrecord_t)
-			fs_read_removable_symlinks($1_cdrecord_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_cdrecord_t)
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_removable($1_cdrecord_t)
-		fs_dontaudit_read_removable_files($1_cdrecord_t)
-		userdom_dontaudit_list_user_tmp($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_tmp_files($1, $1_cdrecord_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t)
-	')
-
-	# Handle default_t content
-	tunable_policy(`cdrecord_read_content && read_default_t',`
-		files_list_default($1_cdrecord_t)
-		files_read_default_files($1_cdrecord_t)
-		files_read_default_symlinks($1_cdrecord_t)
-	',`
-		files_dontaudit_read_default_files($1_cdrecord_t)
-		files_dontaudit_list_default($1_cdrecord_t)
-	')
-
-	# Handle untrusted content
-	tunable_policy(`cdrecord_read_content && read_untrusted_content',`
-		files_list_tmp($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		userdom_search_user_home_dirs($1, $1_cdrecord_t)
-
-		userdom_list_user_untrusted_content($1, $1_cdrecord_t)
-		userdom_read_user_untrusted_content_files($1, $1_cdrecord_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_cdrecord_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_cdrecord_t)
-	',`
-		files_dontaudit_list_tmp($1_cdrecord_t)
-		files_dontaudit_list_home($1_cdrecord_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_cdrecord_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		files_search_mnt($1_cdrecord_t)
-		fs_read_nfs_files($1_cdrecord_t)
-		fs_read_nfs_symlinks($1_cdrecord_t)
-	')
-
-	optional_policy(`
-		resmgr_stream_connect($1_cdrecord_t)
-	')
+	# allow ps to show cdrecord and allow the user to kill it 
+	ps_process_pattern($2, cdrecord_t)
+	allow $2 cdrecord_t:process signal;
 ')

policy/modules/apps/cdrecord.te

@@ -1,5 +1,5 @@
 
-policy_module(cdrecord, 1.4.0)
+policy_module(cdrecord, 2.0.0)
 
 ########################################
 #
@@ -15,5 +15,112 @@ policy_module(cdrecord, 1.4.0)
 ## </desc>
 gen_tunable(cdrecord_read_content, false)
 
+type cdrecord_t;
 type cdrecord_exec_t;
-application_executable_file(cdrecord_exec_t)
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+application_domain(cdrecord_t, cdrecord_exec_t)
+ubac_constrained(cdrecord_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:process { getsched setsched sigkill };
+allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+# allow searching for cdrom-drive
+dev_list_all_dev_nodes(cdrecord_t) 
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+# allow cdrecord to write the CD
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+# write to the user domain tty.
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+# Handle nfs home dirs
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(cdrecord_t)
+	files_list_home(cdrecord_t)
+	fs_read_nfs_files(cdrecord_t)
+	fs_read_nfs_symlinks(cdrecord_t)
+
+',`
+	files_dontaudit_list_home(cdrecord_t)
+	fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+	fs_dontaudit_read_nfs_files(cdrecord_t)
+	fs_dontaudit_list_nfs(cdrecord_t)
+')
+# Handle samba home dirs
+tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+	fs_list_auto_mountpoints(cdrecord_t)
+	files_list_home(cdrecord_t)
+	fs_read_cifs_files(cdrecord_t)
+	fs_read_cifs_symlinks(cdrecord_t)
+',`
+	files_dontaudit_list_home(cdrecord_t)
+	fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+	fs_dontaudit_read_cifs_files(cdrecord_t)
+	fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+# Handle removable media, /tmp, and /home
+tunable_policy(`cdrecord_read_content',`
+	userdom_list_user_tmp(cdrecord_t)
+	userdom_read_user_tmp_files(cdrecord_t)
+	userdom_read_user_tmp_symlinks(cdrecord_t)
+	userdom_read_user_home_content_files(cdrecord_t)
+	userdom_read_user_home_content_symlinks(cdrecord_t)
+
+	ifndef(`enable_mls',`
+		fs_search_removable(cdrecord_t)
+		fs_read_removable_files(cdrecord_t)
+		fs_read_removable_symlinks(cdrecord_t)
+	')
+',`
+	files_dontaudit_list_tmp(cdrecord_t)
+	files_dontaudit_list_home(cdrecord_t)
+	fs_dontaudit_list_removable(cdrecord_t)
+	fs_dontaudit_read_removable_files(cdrecord_t)
+	userdom_dontaudit_list_user_tmp(cdrecord_t)
+	userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+	userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+	userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+# Handle default_t content
+tunable_policy(`cdrecord_read_content && read_default_t',`
+	files_list_default(cdrecord_t)
+	files_read_default_files(cdrecord_t)
+	files_read_default_symlinks(cdrecord_t)
+',`
+	files_dontaudit_read_default_files(cdrecord_t)
+	files_dontaudit_list_default(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	files_search_mnt(cdrecord_t)
+	fs_read_nfs_files(cdrecord_t)
+	fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+	resmgr_stream_connect(cdrecord_t)
+')

policy/modules/apps/ethereal.fc

@@ -1,4 +1,4 @@
-HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ethereal_home_t,s0)
 
 /usr/sbin/ethereal.*		--	gen_context(system_u:object_r:ethereal_exec_t,s0)
 /usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)

policy/modules/apps/ethereal.if

@@ -1,244 +1,55 @@
 ## <summary>Ethereal packet capture tool.</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the ethereal module.
+##	Role access for ethereal
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for ethereal packet capture tool.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`ethereal_per_role_template',`
-
+interface(`ethereal_role',`
 	gen_require(`
-		type ethereal_exec_t;
+		type ethereal_t, ethereal_exec_t, ethereal_home_t;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
+	role $1 types ethereal_t;
 
-	# Type for program
-	type $1_ethereal_t;
-	application_domain($1_ethereal_t, ethereal_exec_t)
-	role $3 types $1_ethereal_t;
+	domain_auto_trans($2, ethereal_exec_t, ethereal_t)
+	allow ethereal_t $2:fd use;
+	allow ethereal_t $2:process sigchld;
 
-	type $1_ethereal_home_t alias $1_ethereal_rw_t;
-	files_poly_member($1_ethereal_home_t)
-	userdom_user_home_content($1, $1_ethereal_home_t)
-
-	type $1_ethereal_tmp_t;
-	files_tmp_file($1_ethereal_tmp_t)
-
-	type $1_ethereal_tmpfs_t;
-	files_tmpfs_file($1_ethereal_tmpfs_t)
-
-	##############################
-	#
-	# Local Policy
-	#
-
-	allow $1_ethereal_t self:capability { net_admin net_raw setgid };
-	allow $1_ethereal_t self:process { signal getsched };
-	allow $1_ethereal_t self:fifo_file { getattr read write };
-	allow $1_ethereal_t self:shm destroy;
-	allow $1_ethereal_t self:shm create_shm_perms;
-	allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-	allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
-	allow $1_ethereal_t self:tcp_socket create_socket_perms;
-	allow $1_ethereal_t self:udp_socket create_socket_perms;
-
-	# Re-execute itself (why?)
-	can_exec($1_ethereal_t, ethereal_exec_t)
-	corecmd_search_bin($1_ethereal_t)
-
-	# /home/.ethereal
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir)
-
-	# Store temporary files
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
-	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
-
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_sock_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_fifo_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	fs_tmpfs_filetrans($1_ethereal_t, $1_ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
-	allow $1_ethereal_t $2:fd use;
-	allow $1_ethereal_t $2:process sigchld;
-
-	manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-
-	kernel_read_kernel_sysctls($1_ethereal_t)
-	kernel_read_system_state($1_ethereal_t)
-	kernel_read_sysctl($1_ethereal_t)
-
-	corecmd_search_bin($1_ethereal_t)
-
-	corenet_tcp_connect_generic_port($1_ethereal_t)
-	corenet_tcp_sendrecv_generic_if($1_ethereal_t)
-
-	dev_read_urand($1_ethereal_t)
-
-	files_read_etc_files($1_ethereal_t)
-	files_read_usr_files($1_ethereal_t)
-
-	fs_list_inotifyfs($1_ethereal_t)
-	fs_search_auto_mountpoints($1_ethereal_t)
-
-	libs_read_lib_files($1_ethereal_t)
-
-	miscfiles_read_fonts($1_ethereal_t)
-	miscfiles_read_localization($1_ethereal_t)
-
-	seutil_use_newrole_fds($1_ethereal_t)
-
-	sysnet_read_config($1_ethereal_t)
-
-	userdom_manage_user_home_content_files($1, $1_ethereal_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_ethereal_t)
-		fs_manage_nfs_files($1_ethereal_t)
-		fs_manage_nfs_symlinks($1_ethereal_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_ethereal_t)
-		fs_manage_cifs_files($1_ethereal_t)
-		fs_manage_cifs_symlinks($1_ethereal_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_ethereal_t)
-	')
-
-	# Manual transition from userhelper 
-	optional_policy(`
-		userhelper_use_user_fd($1, $1_ethereal_t)
-		userhelper_sigchld_user($1, $1_ethereal_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
-		xserver_create_xdm_tmp_sockets($1_ethereal_t)
-	')
-
-	ifdef(`TODO',`
-		# Why does it write this?
-		optional_policy(`
-			dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-		')
-		#TODO
-		gnome_application($1_ethereal, $1)
-		gnome_file_dialog($1_ethereal, $1)
-		# FIXME: policy is incomplete
-	')
-
-')
-
-#######################################
-## <summary>
-##	The administrative functions template for the ethereal module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating ethereal,
-##	allowing the specified user to manage ethereal files.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`ethereal_admin_template',`
-	gen_require(`
-		type $1_ethereal_t;
-	')
-
-	# Create various types of sockets
-	allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
-	allow $1_ethereal_t self:udp_socket create_socket_perms;
-	allow $1_ethereal_t self:packet_socket create_socket_perms;
-	allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_ethereal_t self:tcp_socket create_socket_perms;
-
-	userdom_use_user_terminals($1, $1_ethereal_t)
-	# Ethereal tries to write to user terminal
-	userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)
+	manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+	manage_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
 ')
 
 ########################################
 ## <summary>
 ##	Run ethereal in ethereal domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run ethereal in ethereal domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`ethereal_domtrans_user_ethereal',`
+interface(`ethereal_domtrans',`
 	gen_require(`
-		type $1_ethereal_t, ethereal_exec_t;
+		type ethereal_t, ethereal_exec_t;
 	')
 
-	domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t)
+	domtrans_pattern($1, ethereal_exec_t, ethereal_t)
 ')
 
 ########################################
@@ -251,7 +62,7 @@ template(`ethereal_domtrans_user_ethereal',`
 ##	</summary>
 ## </param>
 #
-template(`ethereal_domtrans_tethereal',`
+interface(`ethereal_domtrans_tethereal',`
 	gen_require(`
 		type tethereal_t, tethereal_exec_t;
 	')
@@ -274,11 +85,6 @@ template(`ethereal_domtrans_tethereal',`
 ##	The role to be allowed the tethereal domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tethereal domain to use.
-##	</summary>
-## </param>
 #
 interface(`ethereal_run_tethereal',`
 	gen_require(`
@@ -287,5 +93,4 @@ interface(`ethereal_run_tethereal',`
 
 	ethereal_domtrans_tethereal($1)
 	role $2 types tethereal_t;
-	allow tethereal_t $3:chr_file rw_term_perms;
 ')

policy/modules/apps/ethereal.te

@@ -1,13 +1,35 @@
 
-policy_module(ethereal, 1.5.0)
+policy_module(ethereal, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type ethereal_t;
 type ethereal_exec_t;
-application_executable_file(ethereal_exec_t)
+typealias ethereal_t alias { user_ethereal_t staff_ethereal_t sysadm_ethereal_t };
+typealias ethereal_t alias { auditadm_ethereal_t secadm_ethereal_t };
+application_domain(ethereal_t, ethereal_exec_t)
+ubac_constrained(ethereal_t)
+
+type ethereal_home_t;
+typealias ethereal_home_t alias { user_ethereal_home_t staff_ethereal_home_t sysadm_ethereal_home_t };
+typealias ethereal_home_t alias { auditadm_ethereal_home_t secadm_ethereal_home_t };
+files_poly_member(ethereal_home_t)
+userdom_user_home_content(ethereal_home_t)
+
+type ethereal_tmp_t;
+typealias ethereal_tmp_t alias { user_ethereal_tmp_t staff_ethereal_tmp_t sysadm_ethereal_tmp_t };
+typealias ethereal_tmp_t alias { auditadm_ethereal_tmp_t secadm_ethereal_tmp_t };
+files_tmp_file(ethereal_tmp_t)
+ubac_constrained(ethereal_tmp_t)
+
+type ethereal_tmpfs_t;
+typealias ethereal_tmpfs_t alias { user_ethereal_tmpfs_t staff_ethereal_tmpfs_t sysadm_ethereal_tmpfs_t };
+typealias ethereal_tmpfs_t alias { auditadm_ethereal_tmpfs_t secadm_ethereal_tmpfs_t };
+files_tmpfs_file(ethereal_tmpfs_t)
+ubac_constrained(ethereal_tmpfs_t)
 
 type tethereal_t;
 type tethereal_exec_t;
@@ -16,6 +38,99 @@ application_domain(tethereal_t, tethereal_exec_t)
 type tethereal_tmp_t;
 files_tmp_file(tethereal_tmp_t)
 
+##############################
+#
+# Local Policy
+#
+
+allow ethereal_t self:capability { net_admin net_raw setgid };
+allow ethereal_t self:process { signal getsched };
+allow ethereal_t self:fifo_file { getattr read write };
+allow ethereal_t self:shm destroy;
+allow ethereal_t self:shm create_shm_perms;
+allow ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
+allow ethereal_t self:tcp_socket create_socket_perms;
+allow ethereal_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(ethereal_t, ethereal_exec_t)
+corecmd_search_bin(ethereal_t)
+
+# /home/.ethereal
+manage_dirs_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+manage_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+manage_lnk_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+userdom_user_home_dir_filetrans(ethereal_t, ethereal_home_t, dir)
+
+# Store temporary files
+manage_dirs_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+manage_files_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+files_tmp_filetrans(ethereal_t, ethereal_tmp_t, { dir file })
+
+manage_dirs_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_lnk_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_sock_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_fifo_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+fs_tmpfs_filetrans(ethereal_t, ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(ethereal_t)
+kernel_read_system_state(ethereal_t)
+kernel_read_sysctl(ethereal_t)
+
+corecmd_search_bin(ethereal_t)
+
+corenet_tcp_connect_generic_port(ethereal_t)
+corenet_tcp_sendrecv_generic_if(ethereal_t)
+
+dev_read_urand(ethereal_t)
+
+files_read_etc_files(ethereal_t)
+files_read_usr_files(ethereal_t)
+
+fs_list_inotifyfs(ethereal_t)
+fs_search_auto_mountpoints(ethereal_t)
+
+libs_read_lib_files(ethereal_t)
+
+miscfiles_read_fonts(ethereal_t)
+miscfiles_read_localization(ethereal_t)
+
+seutil_use_newrole_fds(ethereal_t)
+
+sysnet_read_config(ethereal_t)
+
+userdom_manage_user_home_content_files(ethereal_t)
+userdom_use_user_terminals(ethereal_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(ethereal_t)
+	fs_manage_nfs_files(ethereal_t)
+	fs_manage_nfs_symlinks(ethereal_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(ethereal_t)
+	fs_manage_cifs_files(ethereal_t)
+	fs_manage_cifs_symlinks(ethereal_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ethereal_t)
+')
+
+# Manual transition from userhelper 
+optional_policy(`
+	userhelper_use_fd(ethereal_t)
+	userhelper_sigchld(ethereal_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(ethereal, ethereal_t, ethereal_tmpfs_t)
+	xserver_create_xdm_tmp_sockets(ethereal_t)
+')
+
 ########################################
 #
 # Tethereal policy
@@ -48,6 +163,8 @@ seutil_use_newrole_fds(tethereal_t)
 
 sysnet_dns_name_resolve(tethereal_t)
 
+userdom_use_user_terminals(tethereal_t)
+
 optional_policy(`
 	nscd_socket_use(tethereal_t)
 ')

policy/modules/apps/evolution.fc

@@ -2,13 +2,13 @@
 # HOME_DIR/
 #
 
-HOME_DIR/\.camel_certs(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-HOME_DIR/\.evolution(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+HOME_DIR/\.camel_certs(/.*)?					gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)?					gen_context(system_u:object_r:evolution_home_t,s0)
 
 #
 # /tmp
 #
-/tmp/\.exchange-USER(/.*)?					gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
+/tmp/\.exchange-USER(/.*)?					gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
 
 #
 # /usr

policy/modules/apps/evolution.if

@@ -1,795 +1,71 @@
 ## <summary>Evolution email client</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the evolution module.
+##	Role access for evolution
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for evolution email client and other related evolution applications such as webcal and alarm
-##	type is also created to protect the user evolution keys.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`evolution_per_role_template',`
+interface(`evolution_role',`
+	gen_require(`
+		type evolution_t, evolution_exec_t, evolution_home_t;
+		type evolution_alarm_t, evolution_alarm_exec_t;
+		type evolution_exchange_t, evolution_exchange_exec_t;
+		type evolution_exchange_orbit_tmp_t;
+		type evolution_server_t, evolution_server_exec_t;
+		type evolution_webcal_t, evolution_webcal_exec_t;
+	')
 
-	########################################
-	#
-	# Declarations
-	#
+	role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
+	role $1 types { evolution_server_t evolution_webcal_t };
 
-	type $1_evolution_t;
-	application_domain($1_evolution_t, evolution_exec_t)
-	role $3 types $1_evolution_t;
+	domtrans_pattern($2, evolution_exec_t, evolution_t)
+	domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
+	domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
+	domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
+	domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
 
-	type $1_evolution_tmpfs_t;
-	files_tmpfs_file($1_evolution_tmpfs_t)
+	ps_process_pattern($2, evolution_t)
+	ps_process_pattern($2, evolution_alarm_t)
+	ps_process_pattern($2, evolution_exchange_t)
+	ps_process_pattern($2, evolution_server_t)
+	ps_process_pattern($2, evolution_webcal_t)
 
-	type $1_evolution_home_t alias $1_evolution_rw_t;
-	files_poly_member($1_evolution_home_t)
-	userdom_user_home_content($1, $1_evolution_home_t)
+	allow evolution_t $2:dir search;
+	allow evolution_t $2:file read;
+	allow evolution_t $2:lnk_file read;
+	allow evolution_t $2:unix_stream_socket connectto;
 
-	type $1_evolution_orbit_tmp_t;
-	files_tmp_file($1_evolution_orbit_tmp_t)
-
-	type $1_evolution_alarm_t;
-	application_domain($1_evolution_alarm_t, evolution_alarm_exec_t)
-	role $3 types $1_evolution_alarm_t;
-
-	type $1_evolution_alarm_tmpfs_t;
-	files_tmpfs_file($1_evolution_alarm_tmpfs_t)
-
-	type $1_evolution_alarm_orbit_tmp_t;
-	files_tmp_file($1_evolution_alarm_orbit_tmp_t)
-
-	type $1_evolution_exchange_t;
-	application_domain($1_evolution_exchange_t, evolution_exchange_exec_t)
-	role $3 types $1_evolution_exchange_t;
-
-	type $1_evolution_exchange_tmpfs_t;
-	files_tmpfs_file($1_evolution_exchange_tmpfs_t)
-
-	type $1_evolution_exchange_tmp_t;
-	files_tmp_file($1_evolution_exchange_tmp_t)
-
-	type $1_evolution_exchange_orbit_tmp_t;
-	files_tmp_file($1_evolution_exchange_orbit_tmp_t)
-
-	type $1_evolution_server_t;
-	application_domain($1_evolution_server_t, evolution_server_exec_t)
-	role $3 types $1_evolution_server_t;
-
-	type $1_evolution_server_orbit_tmp_t;
-	files_tmp_file($1_evolution_server_orbit_tmp_t)
-
-	type $1_evolution_webcal_t;
-	application_domain($1_evolution_webcal_t, evolution_webcal_exec_t)
-	role $3 types $1_evolution_webcal_t;
-
-	type $1_evolution_webcal_tmpfs_t;
-	files_tmpfs_file($1_evolution_webcal_tmpfs_t)
-
-	type $1_orbit_tmp_t;
-	files_tmp_file($1_orbit_tmp_t)
-
-	########################################
-	#
-	# Evolution local policy
-	#
-
-	allow $1_evolution_t self:capability { setuid setgid sys_nice };
-	allow $1_evolution_t self:process { signal getsched setsched };
-	allow $1_evolution_t self:fifo_file rw_file_perms;
-	allow $1_evolution_t self:tcp_socket create_socket_perms;
-	allow $1_evolution_t self:udp_socket create_socket_perms;
-
-	allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
-	allow $1_evolution_t $1_evolution_alarm_t:file read;
-
-	allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	can_exec($1_evolution_t, evolution_alarm_exec_t)
-
-	allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_evolution_t, $1_evolution_orbit_tmp_t, { dir file })
-
-	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_evolution_server_t, $1_evolution_orbit_tmp_t, { dir file })
-
-	allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
-	allow $1_evolution_t $1_evolution_server_t:file read;
-
-	allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	can_exec($1_evolution_t, evolution_server_exec_t)
-
-	allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_t, $1_evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_t $2:dir search;
-	allow $1_evolution_t $2:fd use;
-	allow $1_evolution_t $2:file read;
-	allow $1_evolution_t $2:lnk_file read;
-	allow $1_evolution_t $2:process sigchld;
-	allow $1_evolution_t $2:unix_stream_socket connectto;
-	allow $1_evolution_t $2:dir search;
-	allow $1_evolution_t $2:file read;
-
-	domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
-
-	allow $2 $1_evolution_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_t:process noatsecure;
-	allow $2 $1_evolution_t:process signal_perms;
+	allow $2 evolution_t:unix_stream_socket connectto;
+	allow $2 evolution_t:process noatsecure;
+	allow $2 evolution_t:process signal_perms;
 
 	# Access .evolution
-	allow $2 $1_evolution_home_t:dir manage_dir_perms;
-	allow $2 $1_evolution_home_t:file manage_file_perms;
-	allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-	allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-	userdom_search_user_home_dirs($1, $1_evolution_t)
+	allow $2 evolution_home_t:dir manage_dir_perms;
+	allow $2 evolution_home_t:file manage_file_perms;
+	allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
+	allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
 
-	# Allow the user domain to signal/ps.
-	ps_process_pattern($2, $1_evolution_t)
-
-	domain_dontaudit_read_all_domains_state($1_evolution_t)
-
-	#FIXME check to see if really needed
-	kernel_read_kernel_sysctls($1_evolution_t)
-	kernel_read_system_state($1_evolution_t)
-	# Allow netstat
-	kernel_read_network_state($1_evolution_t)
-	kernel_read_net_sysctls($1_evolution_t)
-
-	corecmd_exec_shell($1_evolution_t)
-	# Run various programs
-	corecmd_exec_bin($1_evolution_t)
-
-	corenet_all_recvfrom_unlabeled($1_evolution_t)
-	corenet_all_recvfrom_netlabel($1_evolution_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_t)
-	corenet_udp_sendrecv_generic_if($1_evolution_t)
-	corenet_raw_sendrecv_generic_if($1_evolution_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_t)
-	corenet_udp_sendrecv_all_nodes($1_evolution_t)
-	corenet_tcp_sendrecv_pop_port($1_evolution_t)
-	corenet_udp_sendrecv_pop_port($1_evolution_t)
-	corenet_tcp_sendrecv_smtp_port($1_evolution_t)
-	corenet_udp_sendrecv_smtp_port($1_evolution_t)
-	corenet_tcp_sendrecv_innd_port($1_evolution_t)
-	corenet_udp_sendrecv_innd_port($1_evolution_t)
-	corenet_tcp_sendrecv_ldap_port($1_evolution_t)
-	corenet_udp_sendrecv_ldap_port($1_evolution_t)
-	corenet_tcp_sendrecv_ipp_port($1_evolution_t)
-	corenet_udp_sendrecv_ipp_port($1_evolution_t)
-	corenet_tcp_connect_pop_port($1_evolution_t)
-	corenet_tcp_connect_smtp_port($1_evolution_t)
-	corenet_tcp_connect_innd_port($1_evolution_t)
-	corenet_tcp_connect_ldap_port($1_evolution_t)
-	corenet_tcp_connect_ipp_port($1_evolution_t)
-	corenet_sendrecv_pop_client_packets($1_evolution_t)
-	corenet_sendrecv_smtp_client_packets($1_evolution_t)
-	corenet_sendrecv_innd_client_packets($1_evolution_t)
-	corenet_sendrecv_ldap_client_packets($1_evolution_t)
-	corenet_sendrecv_ipp_client_packets($1_evolution_t)
-	# not sure about this bind
-	corenet_udp_bind_all_nodes($1_evolution_t)
-	corenet_udp_bind_generic_port($1_evolution_t)
-
-	dev_read_urand($1_evolution_t)
-
-	files_read_etc_files($1_evolution_t)
-	files_read_usr_files($1_evolution_t)
-	files_read_usr_symlinks($1_evolution_t)
-	files_read_var_files($1_evolution_t)
-
-	fs_search_auto_mountpoints($1_evolution_t)
-
-	logging_send_syslog_msg($1_evolution_t)
-
-	miscfiles_read_localization($1_evolution_t)
-
-	sysnet_read_config($1_evolution_t)
-	sysnet_dns_name_resolve($1_evolution_t)
-
-	udev_read_state($1_evolution_t)
-
-	userdom_rw_user_tmp_files($1, $1_evolution_t)
-	userdom_manage_user_tmp_dirs($1, $1_evolution_t)
-	userdom_manage_user_tmp_sockets($1, $1_evolution_t)
-	userdom_manage_user_tmp_files($1, $1_evolution_t)
-	userdom_use_user_terminals($1, $1_evolution_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_t)
-
-	mta_read_config($1_evolution_t)
-
-	xserver_user_x_domain_template($1, $1_evolution, $1_evolution_t, $1_evolution_tmpfs_t)
-	xserver_read_xdm_tmp_files($1_evolution_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_evolution_t)
-		fs_manage_nfs_files($1_evolution_t)
-		fs_manage_nfs_symlinks($1_evolution_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_evolution_t)
-		fs_manage_cifs_files($1_evolution_t)
-		fs_manage_cifs_symlinks($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_evolution_t)
-		files_list_home($1_evolution_t)
-		fs_read_nfs_files($1_evolution_t)
-		fs_read_nfs_symlinks($1_evolution_t)
-
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_read_nfs_files($1_evolution_t)
-		fs_dontaudit_list_nfs($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_evolution_t)
-		files_list_home($1_evolution_t)
-		fs_read_cifs_files($1_evolution_t)
-		fs_read_cifs_symlinks($1_evolution_t)
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_read_cifs_files($1_evolution_t)
-		fs_dontaudit_list_cifs($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content',`
-		userdom_list_user_tmp($1, $1_evolution_t)
-		userdom_read_user_tmp_files($1, $1_evolution_t)
-		userdom_read_user_tmp_symlinks($1, $1_evolution_t)
-		userdom_search_user_home_dirs($1, $1_evolution_t)
-		userdom_read_user_home_content_files($1, $1_evolution_t)
-		userdom_read_user_home_content_symlinks($1, $1_evolution_t)
-
-		ifndef(`enable_mls',`
-			fs_search_removable($1_evolution_t)
-			fs_read_removable_files($1_evolution_t)
-			fs_read_removable_symlinks($1_evolution_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_evolution_t)
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_removable($1_evolution_t)
-		fs_dontaudit_read_removable_files($1_evolution_t)
-		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
-		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
-		userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && read_default_t',`
-		files_list_default($1_evolution_t)
-		files_read_default_files($1_evolution_t)
-		files_read_default_symlinks($1_evolution_t)
-	',`
-		files_dontaudit_read_default_files($1_evolution_t)
-		files_dontaudit_list_default($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && read_untrusted_content',`
-		files_list_tmp($1_evolution_t)
-		files_list_home($1_evolution_t)
-		userdom_search_user_home_dirs($1,$1_evolution_t)
-
-		userdom_list_user_untrusted_content($1, $1_evolution_t)
-		userdom_read_user_untrusted_content_files($1, $1_evolution_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_evolution_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_evolution_t)
-	',`
-		files_dontaudit_list_tmp($1_evolution_t)
-		files_dontaudit_list_home($1_evolution_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_evolution_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_evolution_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_evolution_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_evolution_t)
-
-		fs_search_auto_mountpoints($1_evolution_t)
-		fs_manage_nfs_dirs($1_evolution_t)
-		fs_manage_nfs_files($1_evolution_t)
-		fs_manage_nfs_symlinks($1_evolution_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_manage_nfs_dirs($1_evolution_t)
-		fs_dontaudit_manage_nfs_files($1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_evolution_t)
-
-		fs_search_auto_mountpoints($1_evolution_t)
-		fs_manage_cifs_dirs($1_evolution_t)
-		fs_manage_cifs_files($1_evolution_t)
-		fs_manage_cifs_symlinks($1_evolution_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_manage_cifs_dirs($1_evolution_t)
-		fs_dontaudit_manage_cifs_files($1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_evolution_t)
-
-		userdom_manage_user_untrusted_content_files($1, $1_evolution_t)
-		userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
-		userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
-
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		files_dontaudit_list_tmp($1_evolution_t)
-
-		userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
-		#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
-		#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
-		#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
-	')
-
-	optional_policy(`
-		automount_read_state($1_evolution_t)
-	')
-
-	# Allow printing the mail
-	optional_policy(`
-		cups_read_rw_config($1_evolution_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1_evolution, $1_evolution_t)
-		dbus_user_bus_client_template($1, $1_evolution, $1_evolution_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_t)
-	')
-
-	# Encrypt mail
-	optional_policy(`
-		gpg_domtrans_user_gpg($1, $1_evolution_t)
-		gpg_signal_user_gpg($1, $1_evolution_t)
-	')
-
-	optional_policy(`
-		lpd_domtrans_user_lpr($1, $1_evolution_t)
-	')
-
-	optional_policy(`
-		mozilla_read_user_home_files($1, $1_evolution_t)
-		mozilla_domtrans_user_mozilla($1, $1_evolution_t)
-	')
-
-	# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-	optional_policy(`
-		nis_use_ypbind($1_evolution_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_t)
-	')
-
-	### Junk mail filtering (start spamd)
-	optional_policy(`
-		spamassassin_exec_spamd($1_evolution_t)
-		spamassassin_domtrans_user_client($1, $1_evolution_t)
-		spamassassin_domtrans_user_local_client($1, $1_evolution_t)
-		# Allow evolution to signal the daemon
-		# FIXME: Now evolution can read spamd temp files
-		spamassassin_read_spamd_tmp_files($1_evolution_t)
-		spamassassin_signal_spamd($1_evolution_t)
-		spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
-	')
-
-	ifdef(`TODO',`
-
-		# Gnome common stuff
-		gnome_application($1_evolution, $1)
-
-		#TODO gnome stuff
-		# Store passwords in .gnome2_private
-		# Type for storing secret data
-		# (different from home, not directly accessible from ROLE_t)
-		type $1_evolutioin_secret_t;
-		userdom_user_home_content($1,$1_evolutioin_secret_t)
-
-		# Put secret files in .gnome2_private
-		allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
-		allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
-		type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
-
-		allow $2 $1_evolution_secret_t:file unlink;
-
-		ifdef(`TODO',`
-			gnome_file_dialog($1_evolution, $1)
-		')
-	')
-
-	########################################
-	#
-	# Evolution alarm local policy
-	#
-
-	allow $1_evolution_alarm_t self:process { signal getsched };
-	allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;
-
-	allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
-	allow $1_evolution_alarm_t $2:fd use;
-
-	dev_read_urand($1_evolution_alarm_t)
-
-	files_read_etc_files($1_evolution_alarm_t)
-	files_read_usr_files($1_evolution_alarm_t)
-
-	fs_search_auto_mountpoints($1_evolution_alarm_t)
-
-	miscfiles_read_localization($1_evolution_alarm_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_alarm_t)
-
-	xserver_user_x_domain_template($1, $1_evolution_alarm, $1_evolution_alarm_t, $1_evolution_alarm_tmpfs_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_alarm_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_alarm_t)
-	')
-
-	optional_policy(`
-		dbus_user_bus_client_template($1, $1_evolution_alarm, $1_evolution_alarm_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_alarm_t)
-	')
-
-	ifdef(`TODO',`
-		# Gnome common stuff
-		gnome_application($1_evolution_alarm,$1)
-	')
-
-	########################################
-	#
-	# Evolution exchange connector local policy
-	#
-
-	allow $1_evolution_exchange_t self:process getsched;
-	allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms;
-
-	allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
-	allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
-
-	allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	# /tmp/.exchange-$USER
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
-
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
-	#FIXME, who should own this. I dont think this module should
-	allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
+	allow evolution_exchange_t $2:unix_stream_socket connectto;
 
 	# Clock applet talks to exchange (FIXME: Needs policy)
-	allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Transition from user domain
-	domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
-
-	kernel_read_network_state($1_evolution_exchange_t)
-	kernel_read_net_sysctls($1_evolution_exchange_t)
-
-	# Allow netstat
-	corecmd_exec_bin($1_evolution_exchange_t)
-
-	dev_read_urand($1_evolution_exchange_t)
-
-	files_read_etc_files($1_evolution_exchange_t)
-	files_read_usr_files($1_evolution_exchange_t)
-
-	# Access evolution home
-	fs_search_auto_mountpoints($1_evolution_exchange_t)
-
-	miscfiles_read_localization($1_evolution_exchange_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1, $1_evolution_exchange_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_exchange_t)
-
-	xserver_user_x_domain_template($1, $1_evolution_exchange, $1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_exchange_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_exchange_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_exchange_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_exchange, $1)
-	')
-
-	########################################
-	#
-	# Evolution data server local policy
-	#
-
-	allow $1_evolution_server_t self:process { getsched signal };
-
-	allow $1_evolution_server_t self:fifo_file { read write };
-	allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
-	# Talk to ldap (address book),
-	# Obtain weather data via http (read server name from xml file in /usr)
-	allow $1_evolution_server_t self:tcp_socket create_socket_perms;
-
-	allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	# Transition from user type
-	domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
-
-	kernel_read_system_state($1_evolution_server_t)
-
-	corecmd_exec_shell($1_evolution_server_t)
-
-	# Obtain weather data via http (read server name from xml file in /usr)
-	corenet_all_recvfrom_unlabeled($1_evolution_server_t)
-	corenet_all_recvfrom_netlabel($1_evolution_server_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
-	corenet_tcp_sendrecv_http_port($1_evolution_server_t)
-	corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
-	corenet_tcp_connect_http_cache_port($1_evolution_server_t)
-	corenet_tcp_connect_http_port($1_evolution_server_t)
-	corenet_sendrecv_http_client_packets($1_evolution_server_t)
-	corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
-
-	dev_read_urand($1_evolution_server_t)
-
-	files_read_etc_files($1_evolution_server_t)
-	# Obtain weather data via http (read server name from xml file in /usr)
-	files_read_usr_files($1_evolution_server_t)
-
-	fs_search_auto_mountpoints($1_evolution_server_t)
-
-	miscfiles_read_localization($1_evolution_server_t)
-	# Look in /etc/pki
-	miscfiles_read_certs($1_evolution_server_t)
-
-	# Talk to ldap (address book)
-	sysnet_read_config($1_evolution_server_t)
-	sysnet_dns_name_resolve($1_evolution_server_t)
-	sysnet_use_ldap($1_evolution_server_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1, $1_evolution_server_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_server_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_server_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_server_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_server_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_server, $1)
-	')
-
-	########################################
-	#
-	# Evolution webcal local policy
-	#
-
-	allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
-
-	# X/evolution common stuff
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	# Transition from user type
-	domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
-
-	corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
-	corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
-	corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
-	corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
-	corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
-	corenet_tcp_connect_http_port($1_evolution_webcal_t)
-	corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
-	corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
-
-	# Networking capability - connect to website and handle ics link
-	sysnet_read_config($1_evolution_webcal_t)
-	sysnet_dns_name_resolve($1_evolution_webcal_t)
-
-	# Search home directory (?)
-	userdom_search_user_home_dirs($1, $1_evolution_webcal_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_webcal_t)
-
-	xserver_user_x_domain_template($1, $1_evolution_webcal, $1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t)
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_webcal_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_webcal, $1)
-	')
+	allow $2 evolution_exchange_t:unix_stream_socket connectto;
+	allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
 ')
 
 ########################################
 ## <summary>
 ##	Create objects in users evolution home folders.
 ## </summary>
-## <desc>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -802,52 +78,36 @@ template(`evolution_per_role_template',`
 ## </param>
 ## <param name="class">
 ##	<summary>
-##	The object class of the object being created.  If
-##	no class is specified, dir will be used.
+##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
-template(`evolution_home_filetrans',`
+interface(`evolution_home_filetrans',`
 	gen_require(`
-		type $1_evolution_home_t;
+		type evolution_home_t;
 	')
 
-	allow $2 $1_evolution_home_t:dir rw_dir_perms;
-	type_transition $2 $1_evolution_home_t:$4 $3;
+	allow $1 evolution_home_t:dir rw_dir_perms;
+	type_transition $1 evolution_home_t:$3 $2;
 ')
 
 ########################################
 ## <summary>
-##	Connect to user evolution unix stream socket.
+##	Connect to evolution unix stream socket.
 ## </summary>
-## <desc>
-##	<p>
-##	Connect to user evolution unix stream socket.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`evolution_stream_connect',`
+interface(`evolution_stream_connect',`
 	gen_require(`
-		type $1_evolution_t, $1_evolution_home_t;
+		type evolution_t, evolution_home_t;
 	')
 
-	allow $2 $1_evolution_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_home_t:dir search;
+	allow $1 evolution_t:unix_stream_socket connectto;
+	allow $1 evolution_home_t:dir search;
 ')
 
 ########################################
@@ -855,12 +115,6 @@ template(`evolution_stream_connect',`
 ##	Send and receive messages from
 ##	evolution over dbus.
 ## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -869,12 +123,12 @@ template(`evolution_stream_connect',`
 #
 interface(`evolution_dbus_chat',`
 	gen_require(`
-		type $1_evolution_t;
+		type evolution_t;
 		class dbus send_msg;
 	')
 
-	allow $2 $1_evolution_t:dbus send_msg;
-	allow $1_evolution_t $2:dbus send_msg;
+	allow $1 evolution_t:dbus send_msg;
+	allow evolution_t $1:dbus send_msg;
 ')
 
 ########################################
@@ -882,12 +136,6 @@ interface(`evolution_dbus_chat',`
 ##	Send and receive messages from
 ##	evolution_alarm over dbus.
 ## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -896,10 +144,10 @@ interface(`evolution_dbus_chat',`
 #
 interface(`evolution_alarm_dbus_chat',`
 	gen_require(`
-		type $1_evolution_alarm_t;
+		type evolution_alarm_t;
 		class dbus send_msg;
 	')
 
-	allow $2 $1_evolution_alarm_t:dbus send_msg;
-	allow $1_evolution_alarm_t $2:dbus send_msg;
+	allow $1 evolution_alarm_t:dbus send_msg;
+	allow evolution_alarm_t $1:dbus send_msg;
 ')

policy/modules/apps/evolution.te

@@ -1,22 +1,629 @@
 
-policy_module(evolution, 1.6.0)
+policy_module(evolution, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type evolution_t;
 type evolution_exec_t;
-application_executable_file(evolution_exec_t)
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+application_domain(evolution_t, evolution_exec_t)
+ubac_constrained(evolution_t)
 
+type evolution_alarm_t;
 type evolution_alarm_exec_t;
-application_executable_file(evolution_alarm_exec_t)
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+ubac_constrained(evolution_alarm_t)
 
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+files_tmpfs_file(evolution_alarm_tmpfs_t)
+ubac_constrained(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+files_tmp_file(evolution_alarm_orbit_tmp_t)
+ubac_constrained(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
 type evolution_exchange_exec_t;
-application_executable_file(evolution_exchange_exec_t)
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+ubac_constrained(evolution_exchange_t)
 
+type evolution_exchange_tmpfs_t;
+typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+files_tmpfs_file(evolution_exchange_tmpfs_t)
+ubac_constrained(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+files_tmp_file(evolution_exchange_tmp_t)
+ubac_constrained(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+files_tmp_file(evolution_exchange_orbit_tmp_t)
+ubac_constrained(evolution_exchange_orbit_tmp_t)
+
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+files_poly_member(evolution_home_t)
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+files_tmp_file(evolution_orbit_tmp_t)
+ubac_constrained(evolution_orbit_tmp_t)
+
+type evolution_server_t;
 type evolution_server_exec_t;
-application_executable_file(evolution_server_exec_t)
+typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
+application_domain(evolution_server_t, evolution_server_exec_t)
+ubac_constrained(evolution_server_t)
 
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+files_tmp_file(evolution_server_orbit_tmp_t)
+ubac_constrained(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+files_tmpfs_file(evolution_tmpfs_t)
+ubac_constrained(evolution_tmpfs_t)
+
+type evolution_webcal_t;
 type evolution_webcal_exec_t;
-application_executable_file(evolution_webcal_exec_t)
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+ubac_constrained(evolution_webcal_t)
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+files_tmpfs_file(evolution_webcal_tmpfs_t)
+ubac_constrained(evolution_webcal_tmpfs_t)
+
+########################################
+#
+# Evolution local policy
+#
+
+allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:process { signal getsched setsched };
+allow evolution_t self:fifo_file rw_file_perms;
+allow evolution_t self:tcp_socket create_socket_perms;
+allow evolution_t self:udp_socket create_socket_perms;
+
+allow evolution_t evolution_alarm_t:dir search_dir_perms;
+allow evolution_t evolution_alarm_t:file read;
+
+allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_alarm_exec_t)
+
+allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_search_user_home_dirs(evolution_t)
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_server_t:dir search_dir_perms;
+allow evolution_t evolution_server_t:file read;
+
+allow evolution_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_server_exec_t)
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+#FIXME check to see if really needed
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+# Allow netstat
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_shell(evolution_t)
+# Run various programs
+corecmd_exec_bin(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_all_nodes(evolution_t)
+corenet_udp_sendrecv_all_nodes(evolution_t)
+corenet_tcp_sendrecv_pop_port(evolution_t)
+corenet_udp_sendrecv_pop_port(evolution_t)
+corenet_tcp_sendrecv_smtp_port(evolution_t)
+corenet_udp_sendrecv_smtp_port(evolution_t)
+corenet_tcp_sendrecv_innd_port(evolution_t)
+corenet_udp_sendrecv_innd_port(evolution_t)
+corenet_tcp_sendrecv_ldap_port(evolution_t)
+corenet_udp_sendrecv_ldap_port(evolution_t)
+corenet_tcp_sendrecv_ipp_port(evolution_t)
+corenet_udp_sendrecv_ipp_port(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_sendrecv_ipp_client_packets(evolution_t)
+# not sure about this bind
+corenet_udp_bind_all_nodes(evolution_t)
+corenet_udp_bind_generic_port(evolution_t)
+
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_read_etc_files(evolution_t)
+files_read_usr_files(evolution_t)
+files_read_usr_symlinks(evolution_t)
+files_read_var_files(evolution_t)
+
+fs_search_auto_mountpoints(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_localization(evolution_t)
+
+sysnet_read_config(evolution_t)
+sysnet_dns_name_resolve(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_rw_user_tmp_files(evolution_t)
+userdom_manage_user_tmp_dirs(evolution_t)
+userdom_manage_user_tmp_sockets(evolution_t)
+userdom_manage_user_tmp_files(evolution_t)
+userdom_use_user_terminals(evolution_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_t)
+
+mta_read_config(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(evolution_t)
+	fs_manage_nfs_files(evolution_t)
+	fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(evolution_t)
+	fs_manage_cifs_files(evolution_t)
+	fs_manage_cifs_symlinks(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(evolution_t)
+	files_list_home(evolution_t)
+	fs_read_nfs_files(evolution_t)
+	fs_read_nfs_symlinks(evolution_t)
+
+',`
+	files_dontaudit_list_home(evolution_t)
+	fs_dontaudit_list_auto_mountpoints(evolution_t)
+	fs_dontaudit_read_nfs_files(evolution_t)
+	fs_dontaudit_list_nfs(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+	fs_list_auto_mountpoints(evolution_t)
+	files_list_home(evolution_t)
+	fs_read_cifs_files(evolution_t)
+	fs_read_cifs_symlinks(evolution_t)
+',`
+	files_dontaudit_list_home(evolution_t)
+	fs_dontaudit_list_auto_mountpoints(evolution_t)
+	fs_dontaudit_read_cifs_files(evolution_t)
+	fs_dontaudit_list_cifs(evolution_t)
+')
+
+tunable_policy(`mail_read_content',`
+	userdom_list_user_tmp(evolution_t)
+	userdom_read_user_tmp_files(evolution_t)
+	userdom_read_user_tmp_symlinks(evolution_t)
+	userdom_read_user_home_content_files(evolution_t)
+	userdom_read_user_home_content_symlinks(evolution_t)
+
+	ifndef(`enable_mls',`
+		fs_search_removable(evolution_t)
+		fs_read_removable_files(evolution_t)
+		fs_read_removable_symlinks(evolution_t)
+	')
+',`
+	files_dontaudit_list_tmp(evolution_t)
+	files_dontaudit_list_home(evolution_t)
+	fs_dontaudit_list_removable(evolution_t)
+	fs_dontaudit_read_removable_files(evolution_t)
+	userdom_dontaudit_list_user_tmp(evolution_t)
+	userdom_dontaudit_read_user_tmp_files(evolution_t)
+	userdom_dontaudit_list_user_home_dirs(evolution_t)
+	userdom_dontaudit_read_user_home_content_files(evolution_t)
+')
+
+tunable_policy(`mail_read_content && read_default_t',`
+	files_list_default(evolution_t)
+	files_read_default_files(evolution_t)
+	files_read_default_symlinks(evolution_t)
+',`
+	files_dontaudit_read_default_files(evolution_t)
+	files_dontaudit_list_default(evolution_t)
+')
+
+optional_policy(`
+	automount_read_state(evolution_t)
+')
+
+# Allow printing the mail
+optional_policy(`
+	cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(evolution_t)
+	dbus_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_t)
+')
+
+# Encrypt mail
+optional_policy(`
+	gpg_domtrans(evolution_t)
+	gpg_signal(evolution_t)
+')
+
+optional_policy(`
+	lpd_domtrans_lpr(evolution_t)
+')
+
+optional_policy(`
+	mozilla_read_user_home_files(evolution_t)
+	mozilla_domtrans(evolution_t)
+')
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+optional_policy(`
+	nis_use_ypbind(evolution_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_t)
+')
+
+### Junk mail filtering (start spamd)
+optional_policy(`
+	spamassassin_exec_spamd(evolution_t)
+	spamassassin_domtrans_client(evolution_t)
+	spamassassin_domtrans_local_client(evolution_t)
+	# Allow evolution to signal the daemon
+	# FIXME: Now evolution can read spamd temp files
+	spamassassin_read_spamd_tmp_files(evolution_t)
+	spamassassin_signal_spamd(evolution_t)
+	spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Evolution alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_etc_files(evolution_alarm_t)
+files_read_usr_files(evolution_alarm_t)
+
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_alarm_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(evolution_alarm_t)
+')
+
+optional_policy(`
+	dbus_session_bus_client(evolution_alarm_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_alarm_t)
+')
+
+########################################
+#
+# Evolution exchange connector local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t self:tcp_socket create_socket_perms;
+allow evolution_exchange_t self:udp_socket create_socket_perms;
+
+allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
+
+# /tmp/.exchange-$USER
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+# Allow netstat
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_etc_files(evolution_exchange_t)
+files_read_usr_files(evolution_exchange_t)
+
+# Access evolution home
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+# Access evolution home
+userdom_search_user_home_dirs(evolution_exchange_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(evolution_exchange_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_exchange_t)
+')
+
+########################################
+#
+# Evolution data server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t self:unix_stream_socket { accept connectto };
+# Talk to ldap (address book),
+# Obtain weather data via http (read server name from xml file in /usr)
+allow evolution_server_t self:tcp_socket create_socket_perms;
+
+allow evolution_server_t evolution_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_all_nodes(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_etc_files(evolution_server_t)
+# Obtain weather data via http (read server name from xml file in /usr)
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+# Look in /etc/pki
+miscfiles_read_certs(evolution_server_t)
+
+# Talk to ldap (address book)
+sysnet_read_config(evolution_server_t)
+sysnet_dns_name_resolve(evolution_server_t)
+sysnet_use_ldap(evolution_server_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_server_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(evolution_server_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_server_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_server_t)
+')
+
+########################################
+#
+# Evolution webcal local policy
+#
+
+allow evolution_webcal_t self:tcp_socket create_socket_perms;
+
+# X/evolution common stuff
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_raw_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_all_nodes(evolution_webcal_t)
+corenet_raw_sendrecv_all_nodes(evolution_webcal_t)
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+# Networking capability - connect to website and handle ics link
+sysnet_read_config(evolution_webcal_t)
+sysnet_dns_name_resolve(evolution_webcal_t)
+
+# Search home directory (?)
+userdom_search_user_home_dirs(evolution_webcal_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+
+optional_policy(`
+	nscd_socket_use(evolution_webcal_t)
+')

policy/modules/apps/games.if

@@ -1,164 +1,32 @@
 ## <summary>Games</summary>
 
-#######################################
+############################################################
 ## <summary>
-##	The per role template for the games module.
+##	Role access for games
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for games.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`games_per_role_template',`
-
+interface(`games_role',`
 	gen_require(`
-		type games_exec_t, games_data_t;
+		type games_t, games_exec_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
+	role $1 types games_t;
 
-	type $1_games_t;
-	application_domain($1_games_t, games_exec_t)
-	role $3 types $1_games_t;
+	domtrans_pattern($2, games_exec_t, games_t)
+	allow $2 games_t:unix_stream_socket connectto;
+	allow games_t $2:unix_stream_socket connectto;
 
-	type $1_games_devpts_t;
-	term_pty($1_games_devpts_t)
-
-	type $1_games_tmpfs_t;
-	files_tmpfs_file($1_games_tmpfs_t)
-
-	type $1_games_tmp_t;
-	files_tmp_file($1_games_tmp_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_games_t self:sem create_sem_perms;
-	allow $1_games_t self:tcp_socket create_stream_socket_perms;
-	allow $1_games_t self:udp_socket create_socket_perms;
-
-	manage_files_pattern($1_games_t, games_data_t, games_data_t)
-	manage_lnk_files_pattern($1_games_t, games_data_t, games_data_t)
-
-	allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
-	term_create_pty($1_games_t,$1_games_devpts_t)
-
-	manage_dirs_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
-	manage_files_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
-	files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
-
-	manage_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	manage_lnk_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	manage_fifo_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	manage_sock_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	fs_tmpfs_filetrans($1_games_t, $1_games_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-	can_exec($1_games_t, games_exec_t)
-
-	domain_auto_trans($2, games_exec_t, $1_games_t)
-	allow $2 $1_games_t:unix_stream_socket connectto;
-	allow $1_games_t $2:unix_stream_socket connectto;
-
-	kernel_read_system_state($1_games_t)
-
-	corecmd_exec_bin($1_games_t)
-
-	corenet_all_recvfrom_unlabeled($1_games_t)
-	corenet_all_recvfrom_netlabel($1_games_t)
-	corenet_tcp_sendrecv_generic_if($1_games_t)
-	corenet_udp_sendrecv_generic_if($1_games_t)
-	corenet_tcp_sendrecv_all_nodes($1_games_t)
-	corenet_udp_sendrecv_all_nodes($1_games_t)
-	corenet_tcp_sendrecv_all_ports($1_games_t)
-	corenet_udp_sendrecv_all_ports($1_games_t)
-	corenet_tcp_bind_all_nodes($1_games_t)
-	corenet_tcp_bind_generic_port($1_games_t)
-	corenet_tcp_connect_generic_port($1_games_t)
-	corenet_sendrecv_generic_client_packets($1_games_t)
-	corenet_sendrecv_generic_server_packets($1_games_t)
-
-	dev_read_sound($1_games_t)
-	dev_write_sound($1_games_t)
-	dev_read_input($1_games_t)
-	dev_read_mouse($1_games_t)
-	dev_read_urand($1_games_t)
-
-	files_list_var($1_games_t)
-	files_search_var_lib($1_games_t)
-	files_dontaudit_search_var($1_games_t)
-	files_read_etc_files($1_games_t)
-	files_read_usr_files($1_games_t)
-	files_read_var_files($1_games_t)
-
-	init_dontaudit_rw_utmp($1_games_t)
-
-	logging_dontaudit_search_logs($1_games_t)
-
-	miscfiles_read_man_pages($1_games_t)
-	miscfiles_read_localization($1_games_t)
-
-	sysnet_read_config($1_games_t)
-
-	userdom_manage_user_tmp_dirs($1,$1_games_t)
-	userdom_manage_user_tmp_files($1,$1_games_t)
-	userdom_manage_user_tmp_symlinks($1,$1_games_t)
-	userdom_manage_user_tmp_sockets($1,$1_games_t)
-	# Suppress .icons denial until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
-
-	tunable_policy(`allow_execmem',`
-		allow $1_games_t self:process execmem;
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_games_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_games, $1_games_t, $1_games_tmpfs_t)
-		xserver_create_xdm_tmp_sockets($1_games_t)
-		xserver_read_xdm_lib_files($1_games_t)
-	')
-
-	ifdef(`TODO',`
-		gnome_application($1_games, $1)
-		gnome_file_dialog($1_games, $1)
-		# Access /home/user/.gnome2
-		# FIXME: Change to use per app types
-		allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
-		allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
-		allow $1_games_t $1_gnome_settings_t:lnk_file manage_lnk_file_perms;
-		#missing policy
-		optional_policy(`
-			dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-		')
-	')
+	# Allow the user domain to signal/ps.
+	ps_process_pattern($2, games_t)
+	allow $2 games_t:process signal_perms;
 ')

policy/modules/apps/games.te

@@ -1,67 +1,182 @@
 
-policy_module(games, 1.7.0)
+policy_module(games, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-type games_data_t;
-files_type(games_data_t)
-
-# games_t is for system operation of games, generic games daemons and
-# games recovery scripts
 type games_t;
 type games_exec_t;
-init_system_domain(games_t, games_exec_t)
+typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
+typealias games_t alias { auditadm_games_t secadm_games_t };
+application_domain(games_t, games_exec_t)
+ubac_constrained(games_t)
 
-type games_var_run_t;
-files_pid_file(games_var_run_t)
+type games_data_t;
+typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
+typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
+files_type(games_data_t)
+ubac_constrained(games_data_t)
+
+type games_devpts_t;
+typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
+typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
+term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
+
+# games_srv_t is for system operation of games, generic games daemons and
+# games recovery scripts
+type games_srv_t;
+init_system_domain(games_srv_t, games_exec_t)
+
+type games_srv_var_run_t;
+files_pid_file(games_srv_var_run_t)
+
+type games_tmp_t;
+typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
+typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
+files_tmp_file(games_tmp_t)
+ubac_constrained(games_tmp_t)
+
+type games_tmpfs_t;
+typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
+typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
+files_tmpfs_file(games_tmpfs_t)
+ubac_constrained(games_tmpfs_t)
+
+########################################
+#
+# Server local policy
+#
+
+dontaudit games_srv_t self:capability sys_tty_config;
+allow games_srv_t self:process signal_perms;
+
+manage_files_pattern(games_srv_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
+
+manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
+
+can_exec(games_srv_t, games_exec_t)
+
+kernel_read_kernel_sysctls(games_srv_t)
+kernel_list_proc(games_srv_t)
+kernel_read_proc_symlinks(games_srv_t)
+
+dev_read_sysfs(games_srv_t)
+
+fs_getattr_all_fs(games_srv_t)
+fs_search_auto_mountpoints(games_srv_t)
+
+term_dontaudit_use_console(games_srv_t)
+
+domain_use_interactive_fds(games_srv_t)
+
+init_use_fds(games_srv_t)
+init_use_script_ptys(games_srv_t)
+
+logging_send_syslog_msg(games_srv_t)
+
+miscfiles_read_localization(games_srv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+userdom_dontaudit_search_user_home_dirs(games_srv_t)
+
+optional_policy(`
+	seutil_sigchld_newrole(games_srv_t)
+')
+
+optional_policy(`
+	udev_read_db(games_srv_t)
+')
 
 ########################################
 #
 # Local policy
 #
 
-dontaudit games_t self:capability sys_tty_config;
-allow games_t self:process signal_perms;
+allow games_t self:sem create_sem_perms;
+allow games_t self:tcp_socket create_stream_socket_perms;
+allow games_t self:udp_socket create_socket_perms;
 
 manage_files_pattern(games_t, games_data_t, games_data_t)
 manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
 
-manage_files_pattern(games_t, games_var_run_t, games_var_run_t)
-files_pid_filetrans(games_t, games_var_run_t, file)
+allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(games_t, games_devpts_t)
 
-can_exec(games_t,games_exec_t)
+manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
+manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+files_tmp_filetrans(games_t, games_tmp_t, { file dir })
 
-kernel_read_kernel_sysctls(games_t)
-kernel_list_proc(games_t)
-kernel_read_proc_symlinks(games_t)
+manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
 
-dev_read_sysfs(games_t)
+can_exec(games_t, games_exec_t)
 
-fs_getattr_all_fs(games_t)
-fs_search_auto_mountpoints(games_t)
+kernel_read_system_state(games_t)
 
-term_dontaudit_use_console(games_t)
+corecmd_exec_bin(games_t)
 
-domain_use_interactive_fds(games_t)
+corenet_all_recvfrom_unlabeled(games_t)
+corenet_all_recvfrom_netlabel(games_t)
+corenet_tcp_sendrecv_generic_if(games_t)
+corenet_udp_sendrecv_generic_if(games_t)
+corenet_tcp_sendrecv_all_nodes(games_t)
+corenet_udp_sendrecv_all_nodes(games_t)
+corenet_tcp_sendrecv_all_ports(games_t)
+corenet_udp_sendrecv_all_ports(games_t)
+corenet_tcp_bind_all_nodes(games_t)
+corenet_tcp_bind_generic_port(games_t)
+corenet_tcp_connect_generic_port(games_t)
+corenet_sendrecv_generic_client_packets(games_t)
+corenet_sendrecv_generic_server_packets(games_t)
 
-init_use_fds(games_t)
-init_use_script_ptys(games_t)
+dev_read_sound(games_t)
+dev_write_sound(games_t)
+dev_read_input(games_t)
+dev_read_mouse(games_t)
+dev_read_urand(games_t)
 
-logging_send_syslog_msg(games_t)
+files_list_var(games_t)
+files_search_var_lib(games_t)
+files_dontaudit_search_var(games_t)
+files_read_etc_files(games_t)
+files_read_usr_files(games_t)
+files_read_var_files(games_t)
 
+init_dontaudit_rw_utmp(games_t)
+
+logging_dontaudit_search_logs(games_t)
+
+miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
-userdom_dontaudit_use_unpriv_user_fds(games_t)
+sysnet_read_config(games_t)
 
-sysadm_dontaudit_search_home_dirs(games_t)
+userdom_manage_user_tmp_dirs(games_t)
+userdom_manage_user_tmp_files(games_t)
+userdom_manage_user_tmp_symlinks(games_t)
+userdom_manage_user_tmp_sockets(games_t)
+# Suppress .icons denial until properly implemented
+userdom_dontaudit_read_user_home_content_files(games_t)
 
-optional_policy(`
-	seutil_sigchld_newrole(games_t)
+tunable_policy(`allow_execmem',`
+	allow games_t self:process execmem;
 ')
 
 optional_policy(`
-	udev_read_db(games_t)
+	nscd_socket_use(games_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
+	xserver_create_xdm_tmp_sockets(games_t)
+	xserver_read_xdm_lib_files(games_t)
 ')

policy/modules/apps/gift.fc

@@ -1,4 +1,4 @@
-HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:gift_home_t,s0)
 
 /usr/(local/)?bin/apollon	-- 	gen_context(system_u:object_r:gift_exec_t,s0)
 /usr/(local/)?bin/giftd		--	gen_context(system_u:object_r:giftd_exec_t,s0)

policy/modules/apps/gift.if

@@ -1,193 +1,42 @@
 ## <summary>giFT peer to peer file sharing tool</summary>
 
-#######################################
+############################################################
 ## <summary>
-##	The per role template for the gift module.
+##	Role access for gift
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for gift client sessions and gift daemons.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`gift_per_role_template',`
+interface(`gift_role',`
+	gen_require(`
+		type gift_t, gift_exec_t;
+		type giftd_t, giftd_exec_t;
+		type gift_home_t;
+	')
 
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_gift_t;
-	application_domain($1_gift_t, gift_exec_t)
-	role $3 types $1_gift_t;
-
-	type $1_gift_home_t alias $1_gift_rw_t;
-	files_poly_member($1_gift_home_t)
-	userdom_user_home_content($1, $1_gift_home_t)
-
-	type $1_gift_tmpfs_t;
-	files_tmpfs_file($1_gift_tmpfs_t)
-
-	type $1_giftd_t;
-	application_domain($1_giftd_t, giftd_exec_t)
-	role $3 types $1_giftd_t;
-
-	##############################
-	#
-	# giFT user interface local policy
-	#
-
-	allow $1_gift_t self:tcp_socket create_socket_perms;
-
-	manage_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	manage_lnk_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	manage_fifo_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	manage_sock_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	manage_dirs_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
-	manage_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
-	manage_lnk_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
-	userdom_user_home_dir_filetrans($1, $1_gift_t, $1_gift_home_t,dir)
-
-	# Launch gift daemon
-	domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
+	role $1 types { gift_t giftd_t };
 
 	# transition from user domain
-	domtrans_pattern($2, gift_exec_t, $1_gift_t)
+	domtrans_pattern($2, gift_exec_t, gift_t)
+	domtrans_pattern($2, giftd_exec_t, giftd_t)
 
 	# user managed content
-	manage_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	manage_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	manage_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	relabel_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	relabel_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	relabel_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
+	manage_dirs_pattern($2, gift_home_t, gift_home_t)
+	manage_files_pattern($2, gift_home_t, gift_home_t)
+	manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
+	relabel_dirs_pattern($2, gift_home_t, gift_home_t)
+	relabel_files_pattern($2, gift_home_t, gift_home_t)
+	relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
 
 	# Allow the user domain to signal/ps.
-	ps_process_pattern($2, $1_gift_t)
-	allow $2 $1_gift_t:process signal_perms;
-
-	# Read /proc/meminfo
-	kernel_read_system_state($1_giftd_t)
-
-	# Connect to gift daemon
-	corenet_all_recvfrom_unlabeled($1_gift_t)
-	corenet_all_recvfrom_netlabel($1_gift_t)
-	corenet_tcp_sendrecv_generic_if($1_gift_t)
-	corenet_tcp_sendrecv_all_nodes($1_gift_t)
-	corenet_tcp_sendrecv_giftd_port($1_gift_t)
-	corenet_tcp_connect_giftd_port($1_gift_t)
-	corenet_sendrecv_giftd_client_packets($1_gift_t)
-
-	fs_search_auto_mountpoints($1_gift_t)
-
-	sysnet_read_config($1_gift_t)
-
-	# giftui looks in .icons, .themes.
-	userdom_dontaudit_read_user_home_content_files($1, $1_gift_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gift_t)
-		fs_manage_nfs_files($1_gift_t)
-		fs_manage_nfs_symlinks($1_gift_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gift_t)
-		fs_manage_cifs_files($1_gift_t)
-		fs_manage_cifs_symlinks($1_gift_t)
-	')
-
-#	optional_policy(`
-#		gnome_user_application($1,$1_gift,$1_gift_t)
-#	')
-
-	optional_policy(`
-		nscd_socket_use($1_gift_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_gift, $1_gift_t, $1_gift_tmpfs_t)
-	')
-
-	##############################
-	#
-	# giFT server local policy
-	#
-
-	allow $1_giftd_t self:process { signal setsched };
-	allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-	allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
-	allow $1_giftd_t self:udp_socket create_socket_perms;
-
-	manage_dirs_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
-	manage_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
-	manage_lnk_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
-	userdom_user_home_dir_filetrans($1, $1_giftd_t, $1_gift_home_t, dir)
-
-	domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
-
-	kernel_read_system_state($1_giftd_t)
-	kernel_read_kernel_sysctls($1_giftd_t)
-
-	# Serve content on various p2p networks. Ports can be random.
-	corenet_all_recvfrom_unlabeled($1_giftd_t)
-	corenet_all_recvfrom_netlabel($1_giftd_t)
-	corenet_tcp_sendrecv_generic_if($1_giftd_t)
-	corenet_udp_sendrecv_generic_if($1_giftd_t)
-	corenet_tcp_sendrecv_all_nodes($1_giftd_t)
-	corenet_udp_sendrecv_all_nodes($1_giftd_t)
-	corenet_tcp_sendrecv_all_ports($1_giftd_t)
-	corenet_udp_sendrecv_all_ports($1_giftd_t)
-	corenet_tcp_bind_all_nodes($1_giftd_t)
-	corenet_udp_bind_all_nodes($1_giftd_t)
-	corenet_tcp_bind_all_ports($1_giftd_t)
-	corenet_udp_bind_all_ports($1_giftd_t)
-	corenet_tcp_connect_all_ports($1_giftd_t)
-	corenet_sendrecv_all_client_packets($1_giftd_t)
-
-	files_read_usr_files($1_giftd_t)
-	# Read /etc/mtab
-	files_read_etc_runtime_files($1_giftd_t)
-
-	miscfiles_read_localization($1_giftd_t)
-
-	sysnet_read_config($1_giftd_t)
-
-	userdom_use_user_terminals($1,$1_giftd_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_giftd_t)
-		fs_manage_nfs_files($1_giftd_t)
-		fs_manage_nfs_symlinks($1_giftd_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_giftd_t)
-		fs_manage_cifs_files($1_giftd_t)
-		fs_manage_cifs_symlinks($1_giftd_t)
-	')
+	ps_process_pattern($2, { gift_t giftd_t })
+	allow $2 { gift_t giftd_t }:process signal_perms;
 ')

policy/modules/apps/gift.te

@@ -1,13 +1,149 @@
 
-policy_module(gift, 1.4.0)
+policy_module(gift, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type gift_t;
 type gift_exec_t;
-application_executable_file(gift_exec_t)
+typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
+typealias gift_t alias { auditadm_gift_t secadm_gift_t };
+application_domain(gift_t, gift_exec_t)
+ubac_constrained(gift_t)
 
+type gift_home_t;
+typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
+typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
+files_poly_member(gift_home_t)
+userdom_user_home_content(gift_home_t)
+
+type gift_tmpfs_t;
+typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
+typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
+files_tmpfs_file(gift_tmpfs_t)
+ubac_constrained(gift_tmpfs_t)
+
+type giftd_t;
 type giftd_exec_t;
-application_executable_file(giftd_exec_t)
+typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
+typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
+application_domain(giftd_t, giftd_exec_t)
+ubac_constrained(giftd_t)
+
+##############################
+#
+# giFT user interface local policy
+#
+
+allow gift_t self:tcp_socket create_socket_perms;
+
+manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
+manage_files_pattern(gift_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
+
+# Launch gift daemon
+domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+
+# Read /proc/meminfo
+kernel_read_system_state(giftd_t)
+
+# Connect to gift daemon
+corenet_all_recvfrom_unlabeled(gift_t)
+corenet_all_recvfrom_netlabel(gift_t)
+corenet_tcp_sendrecv_generic_if(gift_t)
+corenet_tcp_sendrecv_all_nodes(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_sendrecv_giftd_client_packets(gift_t)
+
+fs_search_auto_mountpoints(gift_t)
+
+sysnet_read_config(gift_t)
+
+# giftui looks in .icons, .themes.
+userdom_dontaudit_read_user_home_content_files(gift_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gift_t)
+	fs_manage_nfs_files(gift_t)
+	fs_manage_nfs_symlinks(gift_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gift_t)
+	fs_manage_cifs_files(gift_t)
+	fs_manage_cifs_symlinks(gift_t)
+')
+
+optional_policy(`
+	nscd_socket_use(gift_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+')
+
+##############################
+#
+# giFT server local policy
+#
+
+allow giftd_t self:process { signal setsched };
+allow giftd_t self:unix_stream_socket create_socket_perms;
+allow giftd_t self:tcp_socket create_stream_socket_perms;
+allow giftd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
+
+kernel_read_system_state(giftd_t)
+kernel_read_kernel_sysctls(giftd_t)
+
+# Serve content on various p2p networks. Ports can be random.
+corenet_all_recvfrom_unlabeled(giftd_t)
+corenet_all_recvfrom_netlabel(giftd_t)
+corenet_tcp_sendrecv_generic_if(giftd_t)
+corenet_udp_sendrecv_generic_if(giftd_t)
+corenet_tcp_sendrecv_all_nodes(giftd_t)
+corenet_udp_sendrecv_all_nodes(giftd_t)
+corenet_tcp_sendrecv_all_ports(giftd_t)
+corenet_udp_sendrecv_all_ports(giftd_t)
+corenet_tcp_bind_all_nodes(giftd_t)
+corenet_udp_bind_all_nodes(giftd_t)
+corenet_tcp_bind_all_ports(giftd_t)
+corenet_udp_bind_all_ports(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
+corenet_sendrecv_all_client_packets(giftd_t)
+
+files_read_usr_files(giftd_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(giftd_t)
+
+miscfiles_read_localization(giftd_t)
+
+sysnet_read_config(giftd_t)
+
+userdom_use_user_terminals(giftd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(giftd_t)
+	fs_manage_nfs_files(giftd_t)
+	fs_manage_nfs_symlinks(giftd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(giftd_t)
+	fs_manage_cifs_files(giftd_t)
+	fs_manage_cifs_symlinks(giftd_t)
+')

policy/modules/apps/gnome.fc

@@ -1,8 +1,8 @@
-HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
+HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 
 /etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
 
-/tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
+/tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:gconf_tmp_t,s0)
 
 /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)