From 2d4a79a0611f2446eb1e27a4afbad7d0258267ba Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 30 Aug 2010 08:57:06 -0400
Subject: [PATCH] Policy fixes

---
 policy/modules/apps/gnome.if           | 20 +++++++++++++++++++-
 policy/modules/roles/unconfineduser.te |  6 +++++-
 policy/modules/services/icecast.te     |  1 +
 policy/modules/system/udev.te          |  4 ++++
 4 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 852f36f0..92ab0c30 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -471,7 +471,7 @@ interface(`gnome_stream_connect',`
 
 ########################################
 ## <summary>
-##	read gnome homedir content (.config)
+##	list gnome homedir content (.config)
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
@@ -487,6 +487,24 @@ template(`gnome_list_home_config',`
 	allow $1 config_home_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_read_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	read_files_pattern($1, config_home_t, config_home_t)
+')
+
 ########################################
 ## <summary>
 ##	Read/Write all inherited gnome home config 
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index faef4684..821d0dd4 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -186,7 +186,11 @@ optional_policy(`
 	')
 
 	optional_policy(`
-		xserver_rw_shm(unconfined_usertype)
+		gen_require(`
+			type user_tmpfs_t;
+		')
+	
+		xserver_rw_session(unconfined_usertype, user_tmpfs_t)
 		xserver_run_xauth(unconfined_usertype, unconfined_r)
 		xserver_dbus_chat_xdm(unconfined_usertype)
 	')
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index fbcdd741..f441c9ac 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -40,6 +40,7 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
 kernel_read_system_state(icecast_t)
 
 corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
 
 # Init script handling
 domain_use_interactive_fds(icecast_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a5d4a431..6581e4bb 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -244,6 +244,10 @@ optional_policy(`
 	devicekit_dgram_send(udev_t)
 ')
 
+optional_policy(`
+	gnome_read_home_config(udev_t)
+')
+
 optional_policy(`
 	lvm_domtrans(udev_t)
 ')