From 3c81e309950023a2281bb92f8bc3db5666cc17d3 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 16 Nov 2011 10:58:53 -0500 Subject: [PATCH] Merge --- execmem.patch | 2728 ++++++++++++++++++++++++++++++++++++++----- selinux-policy.spec | 2 + 2 files changed, 2452 insertions(+), 278 deletions(-) diff --git a/execmem.patch b/execmem.patch index 72d33f4e..d51b616e 100644 --- a/execmem.patch +++ b/execmem.patch 
@@ -1,203 +1,1373 @@ -diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.execmem serefpolicy-3.10.0/policy/modules/admin/rpm.te ---- serefpolicy-3.10.0/policy/modules/admin/rpm.te.execmem 2011-11-04 16:05:06.562601281 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-04 16:05:07.166602835 -0400 -@@ -419,14 +419,6 @@ optional_policy(` +diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te +index 17b5426..a485d76 100644 +--- a/policy/modules/admin/rpm.te ++++ b/policy/modules/admin/rpm.te +@@ -419,7 +419,6 @@ optional_policy(` + optional_policy(` unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) - unconfined_execmem_domtrans(rpm_script_t) +- unconfined_execmem_domtrans(rpm_script_t) + + optional_policy(` + java_domtrans_unconfined(rpm_script_t) +diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if +index 634c47a..748db5b 100644 +--- a/policy/modules/admin/sudo.if ++++ b/policy/modules/admin/sudo.if +@@ -47,6 +47,7 @@ template(`sudo_role_template',` + domain_role_change_exemption($1_sudo_t) + ubac_constrained($1_sudo_t) + role $2 types $1_sudo_t; ++ userdom_home_manager($1_sudo_t) + + type $1_sudo_tmp_t; + files_tmp_file($1_sudo_tmp_t) +diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te +index 71bf5e8..9ce39dd 100644 +--- a/policy/modules/admin/sudo.te ++++ b/policy/modules/admin/sudo.te +@@ -101,14 +101,6 @@ userdom_search_user_home_content(sudodomain) + userdom_search_admin_dir(sudodomain) + userdom_manage_all_users_keys(sudodomain) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files(sudodomain) +-') - -- optional_policy(` -- java_domtrans_unconfined(rpm_script_t) -- ') +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(sudodomain) +-') - -- optional_policy(` -- mono_domtrans(rpm_script_t) -- ') + optional_policy(` + dbus_system_bus_client(sudodomain) ') +diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te 
+index f7183ef..49ce279 100644 +--- a/policy/modules/apps/cdrecord.te ++++ b/policy/modules/apps/cdrecord.te +@@ -109,11 +109,7 @@ tunable_policy(`cdrecord_read_content',` + userdom_dontaudit_read_user_home_content_files(cdrecord_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- files_search_mnt(cdrecord_t) +- fs_read_nfs_files(cdrecord_t) +- fs_read_nfs_symlinks(cdrecord_t) +-') ++userdom_home_manager(cdrecord_t) optional_policy(` -diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.fc.execmem serefpolicy-3.10.0/policy/modules/apps/execmem.fc ---- serefpolicy-3.10.0/policy/modules/apps/execmem.fc.execmem 2011-11-04 16:05:06.586601343 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/execmem.fc 2011-11-04 16:05:07.167602836 -0400 -@@ -47,3 +47,56 @@ ifdef(`distro_gentoo',` - /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) - /usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+# -+# /opt -+# -+/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/ibm/java.*/(bin|javaws)(/.*)? 
-- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+# -+# /usr -+# -+/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/fastjar -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/frysk -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/gappletviewer -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/gij -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/gjarsigner -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/gkeytool -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/grmic -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/grmiregistry -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/jv-convert -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/jvm/java(.*/)bin(/.*)? 
-- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+ifdef(`distro_redhat',` -+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0) -+') -+/usr/bin/mono.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+# -+# Conflicts with ada domain -+# -+/usr/bin/gnatbind -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/gnatls -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/gnatmake -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.execmem serefpolicy-3.10.0/policy/modules/apps/execmem.if ---- serefpolicy-3.10.0/policy/modules/apps/execmem.if.execmem 2011-11-04 16:05:06.587601346 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-11-04 16:05:24.164646504 -0400 -@@ -57,6 +57,7 @@ template(`execmem_role_template',` - role $2 types $1_execmem_t; + resmgr_stream_connect(cdrecord_t) +diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te +index 6c642a2..acb325c 100644 +--- a/policy/modules/apps/chrome.te ++++ b/policy/modules/apps/chrome.te +@@ -92,11 +92,6 @@ miscfiles_read_fonts(chrome_sandbox_t) + sysnet_dns_name_resolve(chrome_sandbox_t) - userdom_unpriv_usertype($1, $1_execmem_t) -+ userdom_common_user($1_execmem_t) - userdom_manage_tmp_role($2, $1_execmem_t) - userdom_manage_tmpfs_role($2, 
$1_execmem_t) - -@@ -129,4 +130,3 @@ interface(`execmem_execmod',` - - allow $1 execmem_exec_t:file execmod; - ') + optional_policy(` +- execmem_exec(chrome_sandbox_t) +- execmem_execmod(chrome_sandbox_t) +-') +- +-optional_policy(` + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) + ') +diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc +deleted file mode 100644 +index 5e09952..0000000 +--- a/policy/modules/apps/execmem.fc ++++ /dev/null +@@ -1,49 +0,0 @@ +- +-/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-ifdef(`distro_gentoo',` +-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +-') +-/usr/lib/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/libexec/ghc-[^/]+/ghc.* -- 
gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/lib/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) +- +-/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) +-/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) +diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if +deleted file mode 100644 +index e23f640..0000000 +--- a/policy/modules/apps/execmem.if ++++ /dev/null +@@ -1,132 +0,0 @@ +-## execmem domain +- +-######################################## +-## +-## 
Execute the execmem program +-## in the caller domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`execmem_exec',` +- gen_require(` +- type execmem_exec_t; +- ') +- +- can_exec($1, execmem_exec_t) +-') +- +-####################################### +-## +-## The role template for the execmem module. +-## +-## +-##

+-## This template creates a derived domains which are used +-## for execmem applications. +-##

+-##
+-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## +-## +-## +-## The role associated with the user domain. +-## +-## +-## +-## +-## The type of the user domain. +-## +-## +-# +-template(`execmem_role_template',` +- gen_require(` +- type execmem_exec_t; +- ') +- +- type $1_execmem_t; +- domain_type($1_execmem_t) +- domain_entry_file($1_execmem_t, execmem_exec_t) +- role $2 types $1_execmem_t; +- +- userdom_unpriv_usertype($1, $1_execmem_t) +- userdom_manage_tmp_role($2, $1_execmem_t) +- userdom_manage_tmpfs_role($2, $1_execmem_t) +- +- allow $1_execmem_t self:process { execmem execstack }; +- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; +- domtrans_pattern($3, execmem_exec_t, $1_execmem_t) +- +- files_execmod_tmp($1_execmem_t) +- +- allow $3 execmem_exec_t:file execmod; +- allow $1_execmem_t execmem_exec_t:file execmod; +- +- # needed by plasma-desktop +- optional_policy(` +- gnome_read_usr_config($1_execmem_t) +- ') +- +- optional_policy(` +- mozilla_execmod_user_home_files($1_execmem_t) +- ') +- +- optional_policy(` +- nsplugin_rw_shm($1_execmem_t) +- nsplugin_rw_semaphores($1_execmem_t) +- ') +- +- optional_policy(` +- xserver_role($2, $1_execmem_t) +- ') +-') +- +-######################################## +-## +-## Execute a execmem_exec file +-## in the specified domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the new process. +-## +-## +-# +-interface(`execmem_domtrans',` +- gen_require(` +- type execmem_exec_t; +- ') +- +- domtrans_pattern($1, execmem_exec_t, $2) +-') +- +-######################################## +-## +-## Execmod the execmem_exec applications +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`execmem_execmod',` +- gen_require(` +- type execmem_exec_t; +- ') +- +- allow $1 execmem_exec_t:file execmod; +-') +- +diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te +deleted file mode 100644 +index a7d37e2..0000000 +--- a/policy/modules/apps/execmem.te ++++ /dev/null +@@ -1,10 +0,0 @@ +-policy_module(execmem, 1.0.0) +- +-######################################## +-# +-# Declarations +-# - -diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.te.execmem serefpolicy-3.10.0/policy/modules/apps/execmem.te ---- serefpolicy-3.10.0/policy/modules/apps/execmem.te.execmem 2011-11-04 16:05:06.587601346 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/execmem.te 2011-11-04 16:05:07.169602840 -0400 -@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0) - # - # Declarations - # -+attribute execmem_type; - -type execmem_exec_t alias unconfined_execmem_exec_t; -+type execmem_exec_t; -+typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t }; - application_executable_file(execmem_exec_t) +-application_executable_file(execmem_exec_t) +- +diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te +index 10a2ce4..5c81832 100644 +--- a/policy/modules/apps/gift.te ++++ b/policy/modules/apps/gift.te +@@ -70,17 +70,7 @@ sysnet_read_config(gift_t) + # giftui looks in .icons, .themes. 
+ userdom_dontaudit_read_user_home_content_files(gift_t) -+allow execmem_type self:process { execmem execstack }; -+files_execmod_tmp(execmem_type) -+execmem_execmod(execmem_type) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gift_t) +- fs_manage_nfs_files(gift_t) +- fs_manage_nfs_symlinks(gift_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gift_t) +- fs_manage_cifs_files(gift_t) +- fs_manage_cifs_symlinks(gift_t) +-') ++userdom_home_manager(gift_t) + + optional_policy(` + nscd_socket_use(gift_t) +@@ -133,15 +123,4 @@ miscfiles_read_localization(giftd_t) + sysnet_read_config(giftd_t) + + userdom_use_inherited_user_terminals(giftd_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(giftd_t) +- fs_manage_nfs_files(giftd_t) +- fs_manage_nfs_symlinks(giftd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(giftd_t) +- fs_manage_cifs_files(giftd_t) +- fs_manage_cifs_symlinks(giftd_t) +-') ++userdom_home_manager(gitd_t) +diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if +index deab06c..00762c5 100644 +--- a/policy/modules/apps/gnome.if ++++ b/policy/modules/apps/gnome.if +@@ -70,6 +70,8 @@ interface(`gnome_role_gkeyringd',` + ubac_constrained($1_gkeyringd_t) + domain_user_exemption_target($1_gkeyringd_t) + ++ userdom_home_manager($1_gkeyringd_t) + -+optional_policy(` -+ gnome_read_usr_config(execmem_type) -+') -+ -+optional_policy(` -+ mozilla_execmod_user_home_files(execmem_type) + role $2 types $1_gkeyringd_t; + + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) +diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te +index 45b4ca9..14d7e30 100644 +--- a/policy/modules/apps/gnome.te ++++ b/policy/modules/apps/gnome.te +@@ -153,15 +153,7 @@ optional_policy(` + policykit_read_reload(gconfdefaultsm_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gconfdefaultsm_t) +- fs_manage_nfs_files(gconfdefaultsm_t) +-') +- 
+-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gconfdefaultsm_t) +- fs_manage_cifs_files(gconfdefaultsm_t) +-') ++userdom_home_manager(gconfdefaultsm_t) + + ####################################### + # +@@ -233,6 +225,7 @@ corecmd_search_bin(gkeyringd_domain) + + dev_read_rand(gkeyringd_domain) + dev_read_urand(gkeyringd_domain) ++dev_read_sysfs(gkeyringd_domain) + + files_read_etc_files(gkeyringd_domain) + files_read_usr_files(gkeyringd_domain) +@@ -268,13 +261,3 @@ domain_use_interactive_fds(gnome_domain) + + userdom_use_inherited_user_terminals(gnome_domain) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_getattr_nfs(gkeyringd_domain) +- fs_manage_nfs_dirs(gkeyringd_domain) +- fs_manage_nfs_files(gkeyringd_domain) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gkeyringd_domain) +- fs_manage_cifs_files(gkeyringd_domain) +-') +diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te +index 401a4ec..80f8c31 100644 +--- a/policy/modules/apps/gpg.te ++++ b/policy/modules/apps/gpg.te +@@ -150,15 +150,7 @@ userdom_stream_connect(gpg_t) + + mta_write_config(gpg_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gpg_t) +- fs_manage_nfs_files(gpg_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gpg_t) +- fs_manage_cifs_files(gpg_t) +-') ++userdom_home_manager(gpg_t) + + optional_policy(` + gnome_read_config(gpg_t) +@@ -290,17 +282,7 @@ tunable_policy(`gpg_agent_env_file',` + userdom_manage_user_home_content_files(gpg_agent_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gpg_agent_t) +- fs_manage_nfs_files(gpg_agent_t) +- fs_manage_nfs_symlinks(gpg_agent_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gpg_agent_t) +- fs_manage_cifs_files(gpg_agent_t) +- fs_manage_cifs_symlinks(gpg_agent_t) +-') ++userdom_home_manager(gpg_agent_t) + + optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) +@@ -371,13 +353,7 @@ allow 
gpg_pinentry_t user_tmpfs_t:file unlink; + userdom_signull_unpriv_users(gpg_pinentry_t) + userdom_use_user_terminals(gpg_pinentry_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(gpg_pinentry_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(gpg_pinentry_t) +-') ++userdom_home_reader(gpg_pinentry_t) + + optional_policy(` + gnome_read_home_config(gpg_pinentry_t) +diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te +index b69a628..4bc18b6 100644 +--- a/policy/modules/apps/irc.te ++++ b/policy/modules/apps/irc.te +@@ -110,17 +110,7 @@ sysnet_read_config(irc_t) + # Write to the user domain tty. + userdom_use_inherited_user_terminals(irc_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(irc_t) +- fs_manage_nfs_files(irc_t) +- fs_manage_nfs_symlinks(irc_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(irc_t) +- fs_manage_cifs_files(irc_t) +- fs_manage_cifs_symlinks(irc_t) +-') ++userdom_home_manager(irc_t) + + optional_policy(` + nis_use_ypbind(irc_t) +@@ -185,17 +175,7 @@ tunable_policy(`irssi_use_full_network', ` + corenet_sendrecv_all_client_packets(irssi_t) + ') + +-tunable_policy(`use_nfs_home_dirs', ` +- fs_manage_nfs_dirs(irssi_t) +- fs_manage_nfs_files(irssi_t) +- fs_manage_nfs_symlinks(irssi_t) +-') +- +-tunable_policy(`use_samba_home_dirs', ` +- fs_manage_cifs_dirs(irssi_t) +- fs_manage_cifs_files(irssi_t) +- fs_manage_cifs_symlinks(irssi_t) +-') ++userdom_home_manager(irssi_t) + + optional_policy(` + automount_dontaudit_getattr_tmp_dirs(irssi_t) +diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc +index 5d2130c..86c1768 100644 +--- a/policy/modules/apps/java.fc ++++ b/policy/modules/apps/java.fc +@@ -5,13 +5,10 @@ + /opt/ibm/java.*/(bin|javaws)(/.*)? 
-- gen_context(system_u:object_r:java_exec_t,s0) + /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + /opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +-/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +-/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + + # + # /usr + # +-/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) +@@ -30,14 +27,12 @@ + /usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + + /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + + /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +-/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +-/opt/ibm(/.*)?/eclipse/plugins(/.*)? 
-- gen_context(system_u:object_r:java_exec_t,s0) +- + ifdef(`distro_redhat',` + /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) + ') +diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if +index 7c398c0..e6d84e8 100644 +--- a/policy/modules/apps/java.if ++++ b/policy/modules/apps/java.if +@@ -72,8 +72,7 @@ template(`java_role_template',` + + domain_interactive_fd($1_java_t) + +- userdom_unpriv_usertype($1, $1_java_t) +- userdom_manage_tmpfs_role($2, $1_java_t) ++ userdom_manage_user_tmpfs_files($1_java_t) + + allow $1_java_t self:process { ptrace signal getsched execmem execstack }; + +@@ -83,7 +82,7 @@ template(`java_role_template',` + + domtrans_pattern($3, java_exec_t, $1_java_t) + +- corecmd_bin_domtrans($1_java_t, $1_t) ++ corecmd_bin_domtrans($1_java_t, $3) + + dev_dontaudit_append_rand($1_java_t) + +@@ -106,7 +105,7 @@ template(`java_role_template',` + ## + ## + # +-interface(`java_domtrans',` ++template(`java_domtrans',` + gen_require(` + type java_t, java_exec_t; + ') +@@ -180,10 +179,6 @@ interface(`java_run_unconfined',` + + java_domtrans_unconfined($1) + role $2 types unconfined_java_t; +- +- optional_policy(` +- nsplugin_role_notrans($2, unconfined_java_t) +- ') + ') + + ######################################## +diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te +index 27d37b0..167950d 100644 +--- a/policy/modules/apps/java.te ++++ b/policy/modules/apps/java.te +@@ -82,20 +82,18 @@ dev_read_urand(java_t) + dev_read_rand(java_t) + dev_dontaudit_append_rand(java_t) + +-files_read_etc_files(java_t) + files_read_usr_files(java_t) + files_search_home(java_t) + files_search_var_lib(java_t) + files_read_etc_runtime_files(java_t) + # Read global fonts and font config ++files_read_etc_files(java_t) + + fs_getattr_xattr_fs(java_t) + fs_dontaudit_rw_tmpfs_files(java_t) + + logging_send_syslog_msg(java_t) + +-auth_use_nsswitch(java_t) +- + miscfiles_read_localization(java_t) + # Read global fonts 
and font config + miscfiles_read_fonts(java_t) +@@ -125,6 +123,14 @@ tunable_policy(`allow_java_execstack',` + ') + + optional_policy(` ++ nis_use_ypbind(java_t) +') + +optional_policy(` -+ nsplugin_rw_shm(execmem_type) -+ nsplugin_rw_semaphores(execmem_type) ++ nscd_socket_use(java_t) +') -diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.execmem serefpolicy-3.10.0/policy/modules/apps/mozilla.te ---- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.execmem 2011-11-04 16:05:06.609601400 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-04 16:05:07.170602843 -0400 -@@ -273,10 +273,6 @@ optional_policy(` ++ ++optional_policy(` + xserver_user_x_domain_template(java, java_t, java_tmpfs_t) + ') + +@@ -137,21 +143,14 @@ optional_policy(` + # execheap is needed for itanium/BEA jrocket + allow unconfined_java_t self:process { execstack execmem execheap }; + +- init_dbus_chat_script(unconfined_java_t) +- + files_execmod_all_files(unconfined_java_t) + + init_dbus_chat_script(unconfined_java_t) + + unconfined_domain_noaudit(unconfined_java_t) + unconfined_dbus_chat(unconfined_java_t) +- userdom_unpriv_usertype(unconfined, unconfined_java_t) + + optional_policy(` + rpm_domtrans(unconfined_java_t) + ') +- +- optional_policy(` +- wine_domtrans(unconfined_java_t) +- ') + ') +diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if +index b2b83ad..7b08e13 100644 +--- a/policy/modules/apps/mono.if ++++ b/policy/modules/apps/mono.if +@@ -40,16 +40,16 @@ template(`mono_role_template',` + domain_interactive_fd($1_mono_t) + application_type($1_mono_t) + +- allow $1_mono_t self:process { signal getsched execheap execmem execstack }; +- allow $3 $1_mono_t:process { getattr noatsecure signal_perms }; ++ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; ++ ++ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($3, mono_exec_t, $1_mono_t) + + 
fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) + +- userdom_unpriv_usertype($1, $1_mono_t) +- userdom_manage_tmpfs_role($2, $1_mono_t) ++ userdom_manage_user_tmpfs_files($1_mono_t) + + optional_policy(` + xserver_role($1_r, $1_mono_t) +diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te +index ecab36d..dff0f12 100644 +--- a/policy/modules/apps/mono.te ++++ b/policy/modules/apps/mono.te +@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) + # Local policy + # + +-allow mono_t self:process { signal getsched execheap execmem execstack }; ++allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; + + init_dbus_chat_script(mono_t) + +diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te +index 69e2534..3654ad3 100644 +--- a/policy/modules/apps/mozilla.te ++++ b/policy/modules/apps/mozilla.te +@@ -186,17 +186,7 @@ tunable_policy(`deny_execmem',`',` + allow mozilla_t self:process execmem; + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_t) +- fs_manage_nfs_files(mozilla_t) +- fs_manage_nfs_symlinks(mozilla_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_t) +- fs_manage_cifs_files(mozilla_t) +- fs_manage_cifs_symlinks(mozilla_t) +-') ++userdom_home_manager(mozilla_t) + + # Uploads, local html + tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` +@@ -426,17 +416,7 @@ tunable_policy(`allow_execstack',` + allow mozilla_plugin_t self:process execstack; + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_t) +- fs_manage_nfs_files(mozilla_plugin_t) +- fs_manage_nfs_symlinks(mozilla_plugin_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_t) +- fs_manage_cifs_files(mozilla_plugin_t) +- fs_manage_cifs_symlinks(mozilla_plugin_t) +-') ++userdom_home_manager(mozilla_plugin_t) + + optional_policy(` + alsa_read_rw_config(mozilla_plugin_t) 
+diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te +index 8b1fa1b..320963b 100644 +--- a/policy/modules/apps/mplayer.te ++++ b/policy/modules/apps/mplayer.te +@@ -84,6 +84,7 @@ userdom_read_user_tmp_files(mencoder_t) + userdom_read_user_tmp_symlinks(mencoder_t) + userdom_read_user_home_content_files(mencoder_t) + userdom_read_user_home_content_symlinks(mencoder_t) ++userdom_home_manager(mencoder_t) + + # Read content to encode + ifndef(`enable_mls',` +@@ -104,46 +105,6 @@ tunable_policy(`allow_mplayer_execstack',` + allow mencoder_t self:process { execmem execstack }; + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mencoder_t) +- fs_manage_nfs_files(mencoder_t) +- fs_manage_nfs_symlinks(mencoder_t) +- +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mencoder_t) +- fs_manage_cifs_files(mencoder_t) +- fs_manage_cifs_symlinks(mencoder_t) +- +-') +- +-# Read content to encode +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_auto_mountpoints(mencoder_t) +- files_list_home(mencoder_t) +- fs_read_nfs_files(mencoder_t) +- fs_read_nfs_symlinks(mencoder_t) +- +-',` +- files_dontaudit_list_home(mencoder_t) +- fs_dontaudit_list_auto_mountpoints(mencoder_t) +- fs_dontaudit_read_nfs_files(mencoder_t) +- fs_dontaudit_list_nfs(mencoder_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_auto_mountpoints(mencoder_t) +- files_list_home(mencoder_t) +- fs_read_cifs_files(mencoder_t) +- fs_read_cifs_symlinks(mencoder_t) +-',` +- files_dontaudit_list_home(mencoder_t) +- fs_dontaudit_list_auto_mountpoints(mencoder_t) +- fs_dontaudit_read_cifs_files(mencoder_t) +- fs_dontaudit_list_cifs(mencoder_t) +-') +- + ######################################## + # + # mplayer local policy +@@ -242,6 +203,7 @@ userdom_read_user_tmp_symlinks(mplayer_t) + userdom_read_user_home_content_files(mplayer_t) + userdom_read_user_home_content_symlinks(mplayer_t) + userdom_write_user_tmp_sockets(mplayer_t) 
++userdom_home_manager(mplayer_t) + + xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) + +@@ -264,47 +226,12 @@ tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t self:process { execmem execstack }; + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mplayer_t) +- fs_manage_nfs_files(mplayer_t) +- fs_manage_nfs_symlinks(mplayer_t) +-') +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mplayer_t) +- fs_manage_cifs_files(mplayer_t) +- fs_manage_cifs_symlinks(mplayer_t) +-') +- + # Legacy domain issues + tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t mplayer_tmpfs_t:file execute; + ') + +-# Read songs +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_auto_mountpoints(mplayer_t) +- files_list_home(mplayer_t) +- fs_read_nfs_files(mplayer_t) +- fs_read_nfs_symlinks(mplayer_t) +- +-',` +- files_dontaudit_list_home(mplayer_t) +- fs_dontaudit_list_auto_mountpoints(mplayer_t) +- fs_dontaudit_read_nfs_files(mplayer_t) +- fs_dontaudit_list_nfs(mplayer_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_auto_mountpoints(mplayer_t) +- files_list_home(mplayer_t) +- fs_read_cifs_files(mplayer_t) +- fs_read_cifs_symlinks(mplayer_t) +-',` +- files_dontaudit_list_home(mplayer_t) +- fs_dontaudit_list_auto_mountpoints(mplayer_t) +- fs_dontaudit_read_cifs_files(mplayer_t) +- fs_dontaudit_list_cifs(mplayer_t) +-') ++userdom_home_manager(mplayer_t) + + optional_policy(` + alsa_read_rw_config(mplayer_t) +diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te +index 3b6b4cb..cc6b555 100644 +--- a/policy/modules/apps/nsplugin.te ++++ b/policy/modules/apps/nsplugin.te +@@ -208,10 +208,6 @@ optional_policy(` ') optional_policy(` -- java_domtrans(mozilla_t) +- unconfined_execmem_signull(nsplugin_t) -') - -optional_policy(` - lpd_domtrans_lpr(mozilla_t) + sandbox_read_tmpfs_files(nsplugin_t) ') -@@ -456,7 +452,7 @@ optional_policy(` +@@ -329,7 +325,3 @@ optional_policy(` + 
pulseaudio_manage_home_files(nsplugin_t) + pulseaudio_setattr_home_dir(nsplugin_t) ') - - optional_policy(` -- java_exec(mozilla_plugin_t) -+ execmem_exec(mozilla_plugin_t) - ') - - optional_policy(` -diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.execmem serefpolicy-3.10.0/policy/modules/apps/podsleuth.te ---- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.execmem 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-11-04 16:05:07.171602846 -0400 -@@ -85,5 +85,5 @@ optional_policy(` - ') - - optional_policy(` -- mono_exec(podsleuth_t) -+ execmem_exec(podsleuth_t) - ') -diff -up serefpolicy-3.10.0/policy/modules/roles/staff.te.execmem serefpolicy-3.10.0/policy/modules/roles/staff.te ---- serefpolicy-3.10.0/policy/modules/roles/staff.te.execmem 2011-11-04 16:05:06.684601595 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/staff.te 2011-11-04 16:05:07.172602849 -0400 -@@ -266,10 +266,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- java_role(staff_r, staff_t) -- ') -- -- optional_policy(` - lockdev_role(staff_r, staff_t) - ') - -diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.execmem serefpolicy-3.10.0/policy/modules/roles/sysadm.te ---- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.execmem 2011-11-04 16:05:06.685601597 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-04 16:05:07.173602852 -0400 -@@ -530,10 +530,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- java_role(sysadm_r, sysadm_t) -- ') -- -- optional_policy(` - lockdev_role(sysadm_r, sysadm_t) - ') - -diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.execmem serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te ---- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.execmem 2011-11-04 16:05:07.157602811 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-04 16:05:07.173602852 -0400 -@@ -302,10 +302,6 @@ optional_policy(` - ') - - 
optional_policy(` -- java_run_unconfined(unconfined_t, unconfined_r) --') - -optional_policy(` - livecd_run(unconfined_t, unconfined_r) +- unconfined_execmem_exec(nsplugin_t) +-') +diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc +deleted file mode 100644 +index 4428be4..0000000 +--- a/policy/modules/apps/openoffice.fc ++++ /dev/null +@@ -1,3 +0,0 @@ +-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +-/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +- +diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if +deleted file mode 100644 +index 792bf9c..0000000 +--- a/policy/modules/apps/openoffice.if ++++ /dev/null +@@ -1,124 +0,0 @@ +-## Openoffice +- +-####################################### +-## +-## The per role template for the openoffice module. +-## +-## +-## +-## The type of the user domain. +-## +-## +-# +-interface(`openoffice_plugin_role',` +- gen_require(` +- type openoffice_exec_t; +- type openoffice_t; +- ') +- +- ######################################## +- # +- # Local policy +- # +- +- domtrans_pattern($1, openoffice_exec_t, openoffice_t) +- allow $1 openoffice_t:process { signal sigkill }; +-') +- +-####################################### +-## +-## role for openoffice +-## +-## +-##

+-## This template creates a derived domains which are used +-## for java applications. +-##

+-##
+-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## +-## +-## +-## The role associated with the user domain. +-## +-## +-## +-## +-## The type of the user domain. +-## +-## +-# +-interface(`openoffice_role_template',` +- gen_require(` +- type openoffice_exec_t; +- ') +- +- role $2 types $1_openoffice_t; +- +- type $1_openoffice_t; +- domain_type($1_openoffice_t) +- domain_entry_file($1_openoffice_t, openoffice_exec_t) +- domain_interactive_fd($1_openoffice_t) +- +- userdom_unpriv_usertype($1, $1_openoffice_t) +- userdom_exec_user_home_content_files($1_openoffice_t) +- +- allow $1_openoffice_t self:process { getsched sigkill execmem execstack }; +- +- allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh }; +- allow $1_openoffice_t $3:tcp_socket { read write }; +- +- domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) +- +- dev_read_urand($1_openoffice_t) +- dev_read_rand($1_openoffice_t) +- +- fs_dontaudit_rw_tmpfs_files($1_openoffice_t) +- +- allow $3 $1_openoffice_t:process { signal sigkill }; +- allow $1_openoffice_t $3:unix_stream_socket connectto; +- +- optional_policy(` +- xserver_role($2, $1_openoffice_t) +- ') +-') +- +-######################################## +-## +-## Execute openoffice_exec_t +-## in the specified domain. +-## +-## +-##

+-## Execute a openoffice_exec_t +-## in the specified domain. +-##

+-##

+-## No interprocess communication (signals, pipes, +-## etc.) is provided by this interface since +-## the domains are not owned by this module. +-##

+-##
+-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the new process. +-## +-## +-# +-interface(`openoffice_exec_domtrans',` +- gen_require(` +- type openoffice_exec_t; +- ') +- +- allow $2 openoffice_exec_t:file entrypoint; +- domtrans_pattern($1, openoffice_exec_t, $2) +-') +diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te +deleted file mode 100644 +index a842371..0000000 +--- a/policy/modules/apps/openoffice.te ++++ /dev/null +@@ -1,16 +0,0 @@ +-policy_module(openoffice, 1.0.0) +- +-######################################## +-# +-# Declarations +-# +- +-type openoffice_t; +-type openoffice_exec_t; +-application_domain(openoffice_t, openoffice_exec_t) +- +-######################################## +-# +-# Unconfined java local policy +-# +- +diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te +index 5314e57..a4f8158 100644 +--- a/policy/modules/apps/pulseaudio.te ++++ b/policy/modules/apps/pulseaudio.te +@@ -43,6 +43,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) + manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) + userdom_search_user_home_dirs(pulseaudio_t) + userdom_search_admin_dir(pulseaudio_t) + +diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if +index f9fbc60..b0b3ce6 100644 +--- a/policy/modules/apps/screen.if ++++ b/policy/modules/apps/screen.if +@@ -39,6 +39,8 @@ template(`screen_role_template',` + ubac_constrained($1_screen_t) + role $2 types $1_screen_t; + ++ userdom_home_reader($1_screen_t) ++ + domtrans_pattern($3, screen_exec_t, $1_screen_t) + allow $3 $1_screen_t:process { signal sigchld }; + dontaudit $3 $1_screen_t:unix_stream_socket { read write }; +diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te +index 
b3b144c..0bd13e3 100644 +--- a/policy/modules/apps/screen.te ++++ b/policy/modules/apps/screen.te +@@ -115,12 +115,3 @@ userdom_create_user_pty(screen_domain) + userdom_setattr_user_ptys(screen_domain) + userdom_setattr_user_ttys(screen_domain) + +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_symlinks(screen_domain) +- fs_list_cifs(screen_domain) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs(screen_domain) +- fs_read_nfs_symlinks(screen_domain) +-') +diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te +index 546f5a5..7942965 100644 +--- a/policy/modules/apps/telepathy.te ++++ b/policy/modules/apps/telepathy.te +@@ -116,15 +116,7 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` + corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') -@@ -322,13 +318,6 @@ optional_policy(` +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_gabble_t) +- fs_manage_nfs_files(telepathy_gabble_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_gabble_t) +- fs_manage_cifs_files(telepathy_gabble_t) +-') ++userdom_home_manager(telepathy_gabble_t) + + optional_policy(` + dbus_system_bus_client(telepathy_gabble_t) +@@ -183,15 +175,7 @@ files_search_pids(telepathy_logger_t) + + fs_getattr_all_fs(telepathy_logger_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_logger_t) +- fs_manage_nfs_files(telepathy_logger_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_logger_t) +- fs_manage_cifs_files(telepathy_logger_t) +-') ++userdom_home_manager(telepathy_logger_t) + + optional_policy(` + # ~/.config/dconf/user +@@ -220,15 +204,7 @@ fs_getattr_all_fs(telepathy_mission_control_t) + files_read_etc_files(telepathy_mission_control_t) + files_read_usr_files(telepathy_mission_control_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_mission_control_t) +- 
fs_manage_nfs_files(telepathy_mission_control_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_mission_control_t) +- fs_manage_cifs_files(telepathy_mission_control_t) +-') ++userdom_home_manager(telepathy_mission_control_t) + + optional_policy(` + dbus_system_bus_client(telepathy_mission_control_t) +diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te +index f50789e..9ba6da8 100644 +--- a/policy/modules/apps/thunderbird.te ++++ b/policy/modules/apps/thunderbird.te +@@ -114,17 +114,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) + xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) + + # Access ~/.thunderbird +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(thunderbird_t) +- fs_manage_nfs_files(thunderbird_t) +- fs_manage_nfs_symlinks(thunderbird_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(thunderbird_t) +- fs_manage_cifs_files(thunderbird_t) +- fs_manage_cifs_symlinks(thunderbird_t) +-') ++userdom_home_manager(thunderbird_t) + + tunable_policy(`mail_read_content && use_nfs_home_dirs',` + files_list_home(thunderbird_t) +diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te +index 98bfbf3..38318b9 100644 +--- a/policy/modules/apps/tvtime.te ++++ b/policy/modules/apps/tvtime.te +@@ -77,16 +77,7 @@ userdom_use_inherited_user_terminals(tvtime_t) + userdom_read_user_home_content_files(tvtime_t) + + # X access, Home files +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(tvtime_t) +- fs_manage_nfs_files(tvtime_t) +- fs_manage_nfs_symlinks(tvtime_t) +-') +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(tvtime_t) +- fs_manage_cifs_files(tvtime_t) +- fs_manage_cifs_symlinks(tvtime_t) +-') ++userdom_home_manager(tvtime_t) + + optional_policy(` + xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) +diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te +index 95a3d06..356e2a1 
100644 +--- a/policy/modules/apps/wireshark.te ++++ b/policy/modules/apps/wireshark.te +@@ -97,17 +97,7 @@ sysnet_read_config(wireshark_t) + + userdom_manage_user_home_content_files(wireshark_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(wireshark_t) +- fs_manage_nfs_files(wireshark_t) +- fs_manage_nfs_symlinks(wireshark_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(wireshark_t) +- fs_manage_cifs_files(wireshark_t) +- fs_manage_cifs_symlinks(wireshark_t) +-') ++userdom_home_manager(wireshark_t) + + # Manual transition from userhelper + optional_policy(` +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index 7bcafea..0b0896b 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -302,6 +302,7 @@ ifdef(`distro_gentoo',` + /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) + /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) + /usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) +diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te +index 9527971..23a1c3c 100644 +--- a/policy/modules/kernel/corecommands.te ++++ b/policy/modules/kernel/corecommands.te +@@ -13,7 +13,7 @@ attribute exec_type; + # + # bin_t is the type of files in the system bin/sbin directories. 
+ # +-type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t }; ++type bin_t alias { ls_exec_t sbin_t }; + corecmd_executable_file(bin_t) + dev_associate(bin_t) #For /dev/MAKEDEV + +diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc +index 12bd6fc..b48524e 100644 +--- a/policy/modules/kernel/devices.fc ++++ b/policy/modules/kernel/devices.fc +@@ -137,6 +137,7 @@ ifdef(`distro_suse', ` + + /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + ++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + +diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if +index e5652a1..6342520 100644 +--- a/policy/modules/kernel/filesystem.if ++++ b/policy/modules/kernel/filesystem.if +@@ -2167,6 +2167,24 @@ interface(`fs_read_fusefs_symlinks',` + + ######################################## + ## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## + ## Get the attributes of an hugetlbfs + ## filesystem. 
+ ## +diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te +index cfea862..de3c13e 100644 +--- a/policy/modules/roles/staff.te ++++ b/policy/modules/roles/staff.te +@@ -66,6 +66,10 @@ optional_policy(` + ') + + optional_policy(` ++ blueman_dbus_chat(staff_t) ++') ++ ++optional_policy(` + dbadm_role_change(staff_r) + ') + +@@ -234,10 +238,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- blueman_dbus_chat(staff_t) +- ') +- +- optional_policy(` + bluetooth_role(staff_r, staff_t) + ') + +diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if +index 8b2cdf3..bac0dc0 100644 +--- a/policy/modules/roles/unconfineduser.if ++++ b/policy/modules/roles/unconfineduser.if +@@ -220,42 +220,6 @@ interface(`unconfined_signull',` + + ######################################## + ## +-## Send a SIGNULL signal to the unconfined execmem domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_execmem_signull',` +- gen_require(` +- type unconfined_execmem_t; +- ') +- +- allow $1 unconfined_execmem_t:process signull; +-') +- +-######################################## +-## +-## Send a signal to the unconfined execmem domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_execmem_signal',` +- gen_require(` +- type unconfined_execmem_t; +- ') +- +- allow $1 unconfined_execmem_t:process signal; +-') +- +-######################################## +-## + ## Send generic signals to the unconfined domain. + ## + ## +@@ -557,62 +521,6 @@ interface(`unconfined_rw_shm',` + + ######################################## + ## +-## Read and write to unconfined execmem shared memory. +-## +-## +-## +-## The type of the process performing this action. 
+-## +-## +-# +-interface(`unconfined_execmem_rw_shm',` +- gen_require(` +- type unconfined_execmem_t; +- ') +- +- allow $1 unconfined_execmem_t:shm rw_shm_perms; +-') +- +-######################################## +-## +-## Transition to the unconfined_execmem domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_execmem_domtrans',` +- +- gen_require(` +- type unconfined_execmem_t; +- ') +- +- execmem_domtrans($1, unconfined_execmem_t) +-') +- +-######################################## +-## +-## execute the execmem applications +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_execmem_exec',` +- +- gen_require(` +- type execmem_exec_t; +- ') +- +- can_exec($1, execmem_exec_t) +-') +- +-######################################## +-## + ## Allow apps to set rlimits on userdomain + ## + ## +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +index 4ce2685..11ad8fb 100644 +--- a/policy/modules/roles/unconfineduser.te ++++ b/policy/modules/roles/unconfineduser.te +@@ -320,13 +320,6 @@ optional_policy(` ') optional_policy(` 
@@ -211,31 +1381,54 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.execmem seref mozilla_role_plugin(unconfined_r) tunable_policy(`unconfined_mozilla_plugin_transition', ` -diff -up serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.execmem serefpolicy-3.10.0/policy/modules/roles/unprivuser.te ---- serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.execmem 2011-11-04 16:05:06.688601603 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te 2011-11-04 16:05:07.174602855 -0400 -@@ -152,10 +152,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- java_role(user_r, user_t) -- ') -- -- optional_policy(` - lockdev_role(user_r, user_t) - ') - -diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te.execmem serefpolicy-3.10.0/policy/modules/roles/xguest.te ---- serefpolicy-3.10.0/policy/modules/roles/xguest.te.execmem 2011-11-04 16:05:06.690601610 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/xguest.te 2011-11-04 16:05:07.175602857 -0400 -@@ -107,14 +107,6 @@ optional_policy(` +diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te +index 9db5ebd..454e627 100644 +--- a/policy/modules/roles/unprivuser.te ++++ b/policy/modules/roles/unprivuser.te +@@ -31,6 +31,10 @@ optional_policy(` ') optional_policy(` -- java_role_template(xguest, xguest_r, xguest_t) --') ++ blueman_dbus_chat(user_t) ++') ++ ++optional_policy(` + colord_dbus_chat(user_t) + ') + +@@ -116,10 +120,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- blueman_dbus_chat(staff_t) +- ') - --optional_policy(` +- optional_policy(` + bluetooth_role(user_r, user_t) + ') + +diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te +index b1ea76e..6f176f9 100644 +--- a/policy/modules/roles/xguest.te ++++ b/policy/modules/roles/xguest.te +@@ -86,6 +86,13 @@ optional_policy(` + ') + + optional_policy(` ++ tunable_policy(`xguest_use_bluetooth',` ++ blueman_dbus_chat(xguest_t) ++ ') ++') ++ ++ ++optional_policy(` + 
chrome_role(xguest_r, xguest_usertype) + ') + +@@ -106,10 +113,6 @@ optional_policy(` + ') + + optional_policy(` - mono_role_template(xguest, xguest_r, xguest_t) -') - 
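Review bot: The new `tunable_policy(`xguest_use_bluetooth',` block added to xguest.te in this hunk depends on a boolean whose `gen_tunable(xguest_use_bluetooth, false)` declaration is not visible here; if the rest of the patch does not declare it (with the usual `## <desc>` comment), the module will not build. The same addition leaves two consecutive blank lines (`++`, `++`) ahead of the next `optional_policy(`, where the refpolicy convention is one. In unprivuser.te, `blueman_dbus_chat(user_t)` is added unconditionally near the top while the old `blueman_dbus_chat(staff_t)` line it replaces lived inside `ifndef(`distro_redhat',`, so the dbus grant now also applies on distro_redhat builds; if that is the intent (the staff.te move in the preceding hunk has the same effect), a short note in the commit description would make the policy change explicit.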
@@ -243,20 +1436,91 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te.execmem serefpolicy-3 mozilla_run_plugin(xguest_usertype, xguest_r) ') -diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.execmem serefpolicy-3.10.0/policy/modules/services/boinc.te ---- serefpolicy-3.10.0/policy/modules/services/boinc.te.execmem 2011-11-04 16:05:06.724601698 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-11-04 16:05:07.176602859 -0400 -@@ -170,5 +170,5 @@ miscfiles_read_fonts(boinc_project_t) - miscfiles_read_localization(boinc_project_t) +diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te +index 7cb2fe5..2ef8fef 100644 +--- a/policy/modules/services/apache.te ++++ b/policy/modules/services/apache.te +@@ -1401,5 +1401,3 @@ tunable_policy(`httpd_builtin_scripting',` + read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + ') +- +- +diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te +index fde1531..12ef44c 100644 +--- a/policy/modules/services/blueman.te ++++ b/policy/modules/services/blueman.te +@@ -26,6 +26,7 @@ domain_use_interactive_fds(blueman_t) + files_read_etc_files(blueman_t) + files_read_usr_files(blueman_t) + ++auth_use_nsswitch(blueman_t) + auth_read_passwd(blueman_t) + + logging_send_syslog_msg(blueman_t) +diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te +index 5c0c84f..83fc37d 100644 +--- a/policy/modules/services/cloudform.te ++++ b/policy/modules/services/cloudform.te +@@ -137,12 +137,7 @@ corenet_tcp_connect_all_ports(iwhd_t) + dev_read_rand(iwhd_t) + dev_read_urand(iwhd_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_auto_mountpoints(iwhd_t) +- fs_manage_nfs_dirs(iwhd_t) +- fs_manage_nfs_files(iwhd_t) +- fs_manage_nfs_symlinks(iwhd_t) +-') ++userdom_home_manager(iwhd_t) + + ######################################## + # 
+diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te +index 6ff206b..74f1baa 100644 +--- a/policy/modules/services/colord.te ++++ b/policy/modules/services/colord.te +@@ -91,15 +91,7 @@ sysnet_dns_name_resolve(colord_t) + + userdom_rw_user_tmpfs_files(colord_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_getattr_nfs(colord_t) +- fs_read_nfs_files(colord_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_getattr_cifs(colord_t) +- fs_read_cifs_files(colord_t) +-') ++userdom_home_reader(colord_t) optional_policy(` -- java_exec(boinc_project_t) -+ execmem_exec(boinc_project_t) - ') -diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.execmem serefpolicy-3.10.0/policy/modules/services/cron.te ---- serefpolicy-3.10.0/policy/modules/services/cron.te.execmem 2011-11-04 16:05:06.764601800 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-11-04 16:05:07.177602861 -0400 -@@ -299,10 +299,6 @@ optional_policy(` + cups_read_config(colord_t) +diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te +index 5b322ca..d45381d 100644 +--- a/policy/modules/services/consolekit.te ++++ b/policy/modules/services/consolekit.te +@@ -82,13 +82,7 @@ userdom_dontaudit_read_user_home_content_files(consolekit_t) + userdom_dontaudit_getattr_admin_home_files(consolekit_t) + userdom_read_user_tmp_files(consolekit_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(consolekit_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(consolekit_t) +-') ++userdom_home_reader(consolekit_t) + + optional_policy(` + cron_read_system_job_lib_files(consolekit_t) +diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te +index 258a3d7..a2e960c 100644 +--- a/policy/modules/services/cron.te ++++ b/policy/modules/services/cron.te +@@ -300,10 +300,6 @@ optional_policy(` ') optional_policy(` 
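Review bot: In cloudform.te this hunk replaces a block that was gated only on `use_nfs_home_dirs` (NFS manage plus `fs_list_auto_mountpoints`) with `userdom_home_manager(iwhd_t)`; the definition of that interface is not in this hunk, and if it mirrors the other substitutions in this patch, which fold both the NFS and CIFS branches into one call, the daemon `iwhd_t` gains CIFS home-directory manage permissions it did not have before, and loses `fs_list_auto_mountpoints` unless the interface supplies it. The colord.te and consolekit.te replacements with `userdom_home_reader` have the same dependency: whether it stays conditional on `use_nfs_home_dirs`/`use_samba_home_dirs` and whether it adds directory listing or symlink reads beyond the old `fs_read_*_files` calls cannot be confirmed from here. Worth checking the userdom.if definitions before merging, and adding `# covers both use_nfs_home_dirs and use_samba_home_dirs` above the cloudform line if the broadening is intended. The cron.te hunk at the end of this section continues past it.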
@@ -278,96 +1542,951 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.execmem serefpolicy- mrtg_append_create_logs(system_cronjob_t) ') -@@ -710,11 +702,6 @@ tunable_policy(`fcron_crond',` - allow crond_t user_cron_spool_t:file manage_file_perms; +diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te +index 825cafb..3bc4cfd 100644 +--- a/policy/modules/services/cups.te ++++ b/policy/modules/services/cups.te +@@ -625,16 +625,7 @@ optional_policy(` + lpd_manage_spool(cups_pdf_t) ') --# need a per-role version of this: --#optional_policy(` --# mono_domtrans(cronjob_t) --#') +-tunable_policy(`use_nfs_home_dirs',` +- fs_search_auto_mountpoints(cups_pdf_t) +- fs_manage_nfs_dirs(cups_pdf_t) +- fs_manage_nfs_files(cups_pdf_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(cups_pdf_t) +- fs_manage_cifs_files(cups_pdf_t) +-') ++userdom_home_manager(cups_pdf_t) + + optional_policy(` + gnome_read_config(cups_pdf_t) +diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if +index 3558f18..115133d 100644 +--- a/policy/modules/services/dbus.if ++++ b/policy/modules/services/dbus.if +@@ -56,6 +56,8 @@ template(`dbus_role_template',` + ubac_constrained($1_dbusd_t) + role $2 types $1_dbusd_t; + ++ userdom_home_manager($1_dbusd_t) ++ + ############################## + # + # Local policy +diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te +index f0266a9..c9396db 100644 +--- a/policy/modules/services/dbus.te ++++ b/policy/modules/services/dbus.te +@@ -143,13 +143,7 @@ seutil_sigchld_newrole(system_dbusd_t) + userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) + userdom_dontaudit_search_user_home_dirs(system_dbusd_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(system_dbusd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(system_dbusd_t) +-') ++userdom_home_reader(system_dbusd_t) + + optional_policy(` + 
bind_domtrans(system_dbusd_t) +@@ -309,16 +303,6 @@ userdom_manage_user_home_content_dirs(session_bus_type) + userdom_manage_user_home_content_files(session_bus_type) + userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(session_bus_type) +- fs_manage_nfs_files(session_bus_type) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(session_bus_type) +- fs_manage_cifs_files(session_bus_type) +-') - optional_policy(` - nis_use_ypbind(cronjob_t) + gnome_read_gconf_home_files(session_bus_type) ') -diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.execmem serefpolicy-3.10.0/policy/modules/services/hadoop.if ---- serefpolicy-3.10.0/policy/modules/services/hadoop.if.execmem 2011-11-04 16:05:06.825601957 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-11-04 16:05:07.178602863 -0400 -@@ -127,7 +127,7 @@ template(`hadoop_domain_template',` +diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te +index 2fbb869..194f170 100644 +--- a/policy/modules/services/dovecot.te ++++ b/policy/modules/services/dovecot.te +@@ -142,6 +142,7 @@ files_dontaudit_list_default(dovecot_t) + # Dovecot now has quota support and it uses getmntent() to find the mountpoints. 
+ files_read_etc_runtime_files(dovecot_t) + files_search_all_mountpoints(dovecot_t) ++files_read_var_lib_files(dovecot_t) - hadoop_exec_config(hadoop_$1_t) + init_getattr_utmp(dovecot_t) -- java_exec(hadoop_$1_t) -+ execmem_exec(hadoop_$1_t) +@@ -152,6 +153,7 @@ logging_send_syslog_msg(dovecot_t) + miscfiles_read_generic_certs(dovecot_t) + miscfiles_read_localization(dovecot_t) - kerberos_use(hadoop_$1_t) ++userdom_home_manager(dovecot_t) + userdom_dontaudit_use_unpriv_user_fds(dovecot_t) + userdom_manage_user_home_content_dirs(dovecot_t) + userdom_manage_user_home_content_files(dovecot_t) +@@ -238,7 +240,6 @@ files_read_usr_files(dovecot_auth_t) + files_read_usr_symlinks(dovecot_auth_t) + files_read_var_lib_files(dovecot_auth_t) + files_search_tmp(dovecot_auth_t) +-files_read_var_lib_files(dovecot_t) -diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.te.execmem serefpolicy-3.10.0/policy/modules/services/hadoop.te ---- serefpolicy-3.10.0/policy/modules/services/hadoop.te.execmem 2011-11-04 16:05:06.826601961 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hadoop.te 2011-11-04 16:05:07.179602865 -0400 -@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t) + fs_getattr_xattr_fs(dovecot_auth_t) - userdom_use_inherited_user_terminals(hadoop_t) +@@ -330,23 +331,7 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) + userdom_manage_user_home_content_sockets(dovecot_deliver_t) + userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) --java_exec(hadoop_t) -+execmem_exec(hadoop_t) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(dovecot_deliver_t) +- fs_manage_nfs_files(dovecot_deliver_t) +- fs_manage_nfs_symlinks(dovecot_deliver_t) +- fs_manage_nfs_dirs(dovecot_t) +- fs_manage_nfs_files(dovecot_t) +- fs_manage_nfs_symlinks(dovecot_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(dovecot_deliver_t) +- fs_manage_cifs_files(dovecot_deliver_t) +- 
fs_manage_cifs_symlinks(dovecot_deliver_t) +- fs_manage_cifs_dirs(dovecot_t) +- fs_manage_cifs_files(dovecot_t) +- fs_manage_cifs_symlinks(dovecot_t) +-') ++userdom_home_manager(dovecot_deliver_t) - kerberos_use(hadoop_t) + optional_policy(` + gnome_manage_data(dovecot_deliver_t) +diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te +index 2599f96..c7a0911 100644 +--- a/policy/modules/services/fail2ban.te ++++ b/policy/modules/services/fail2ban.te +@@ -98,6 +98,9 @@ miscfiles_read_localization(fail2ban_t) -@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t) - userdom_use_inherited_user_terminals(zookeeper_t) - userdom_dontaudit_search_user_home_dirs(zookeeper_t) + mta_send_mail(fail2ban_t) --java_exec(zookeeper_t) -+execmem_exec(zookeeper_t) ++sysnet_manage_config(fail2ban_t) ++sysnet_filetrans_named_content(fail2ban_t) ++ + optional_policy(` + apache_read_log(fail2ban_t) + ') +diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te +index 3bc14c3..6c4a30d 100644 +--- a/policy/modules/services/ftp.te ++++ b/policy/modules/services/ftp.te +@@ -458,16 +458,4 @@ tunable_policy(`sftpd_full_access',` + files_manage_non_security_files(sftpd_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- # allow read access to /home by default +- fs_list_cifs(sftpd_t) +- fs_read_cifs_files(sftpd_t) +- fs_read_cifs_symlinks(sftpd_t) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- # allow read access to /home by default +- fs_list_nfs(sftpd_t) +- fs_read_nfs_files(sftpd_t) +- fs_read_nfs_symlinks(ftpd_t) +-') ++userdom_home_reader(sftpd_t) +diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if +index 27945d1..9077b2d 100644 +--- a/policy/modules/services/git.if ++++ b/policy/modules/services/git.if +@@ -209,17 +209,7 @@ interface(`git_rwx_all_content',` + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) +- 
fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- ') ++ userdom_home_manager($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) +@@ -323,15 +313,7 @@ interface(`git_read_all_content_files',` + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + +- tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs($1) +- fs_read_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs($1) +- fs_read_cifs_files($1) +- ') ++ userdom_home_reader($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) +@@ -363,16 +345,7 @@ interface(`git_read_session_content_files',` + list_dirs_pattern($1, git_session_content_t, git_session_content_t) + read_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs($1) +- fs_read_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs($1) +- fs_read_cifs_files($1) +- ') ++ userdom_home_reader($1) + ') + + ####################################### +diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te +index 2ef543c..fa32fcf 100644 +--- a/policy/modules/services/git.te ++++ b/policy/modules/services/git.te +@@ -166,15 +166,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` + corenet_sendrecv_generic_server_packets(git_session_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs(git_session_t) +- fs_read_nfs_files(git_session_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs(git_session_t) +- fs_read_cifs_files(git_session_t) +-') ++userdom_home_reader(git_session_t) ######################################## # -@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_se +diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te +index 
5fc89c4..738c3e2 100644 +--- a/policy/modules/services/i18n_input.te ++++ b/policy/modules/services/i18n_input.te +@@ -74,16 +74,7 @@ sysnet_read_config(i18n_input_t) - sysnet_read_config(zookeeper_server_t) - --java_exec(zookeeper_server_t) -+execmem_exec(zookeeper_server_t) -diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.execmem serefpolicy-3.10.0/policy/modules/services/xserver.te ---- serefpolicy-3.10.0/policy/modules/services/xserver.te.execmem 2011-11-04 16:05:07.050602537 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-04 16:05:07.181602872 -0400 -@@ -1250,10 +1250,6 @@ optional_policy(` - ') - - optional_policy(` -- mono_rw_shm(xserver_t) + userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) + userdom_read_user_home_content_files(i18n_input_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(i18n_input_t) +- fs_read_nfs_symlinks(i18n_input_t) -') - --optional_policy(` - rhgb_rw_shm(xserver_t) - rhgb_rw_tmpfs_files(xserver_t) +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(i18n_input_t) +- fs_read_cifs_symlinks(i18n_input_t) +-') ++userdom_home_reader(i18n_input_t) + + optional_policy(` + canna_stream_connect(i18n_input_t) +diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te +index f28acd2..27d96e1 100644 +--- a/policy/modules/services/lpd.te ++++ b/policy/modules/services/lpd.te +@@ -308,19 +308,7 @@ tunable_policy(`use_lpd_server',` + read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') -diff -up serefpolicy-3.10.0/policy/modules/system/init.te.execmem serefpolicy-3.10.0/policy/modules/system/init.te ---- serefpolicy-3.10.0/policy/modules/system/init.te.execmem 2011-11-04 16:05:07.073602594 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-11-04 16:05:07.182602876 -0400 -@@ -1196,10 +1196,6 @@ optional_policy(` - unconfined_dontaudit_rw_pipes(daemon) + +-tunable_policy(`use_nfs_home_dirs',` +- files_list_home(lpr_t) +- 
fs_list_auto_mountpoints(lpr_t) +- fs_read_nfs_files(lpr_t) +- fs_read_nfs_symlinks(lpr_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- files_list_home(lpr_t) +- fs_list_auto_mountpoints(lpr_t) +- fs_read_cifs_files(lpr_t) +- fs_read_cifs_symlinks(lpr_t) +-') ++userdom_home_reader(lpr_t) + + optional_policy(` + cups_read_config(lpr_t) +diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te +index b1107b5..4389219 100644 +--- a/policy/modules/services/mock.te ++++ b/policy/modules/services/mock.te +@@ -127,6 +127,7 @@ userdom_use_user_ptys(mock_t) + files_search_home(mock_t) + + tunable_policy(`mock_enable_homedirs',` ++ userdom_manage_user_home_content_dirs(mock_t) + userdom_manage_user_home_content_files(mock_t) + ') + +diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te +index e4ac35e..36ff69d 100644 +--- a/policy/modules/services/mpd.te ++++ b/policy/modules/services/mpd.te +@@ -108,16 +108,7 @@ miscfiles_read_localization(mpd_t) + + userdom_read_home_audio_files(mpd_t) + userdom_read_user_tmpfs_files(mpd_t) +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(mpd_t) +- fs_read_cifs_symlinks(mpd_t) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(mpd_t) +- fs_read_nfs_symlinks(mpd_t) +-') ++userdom_home_reader(mpd_t) + + optional_policy(` + alsa_read_rw_config(mpd_t) +diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if +index e5519fd..867dfac 100644 +--- a/policy/modules/services/mta.if ++++ b/policy/modules/services/mta.if +@@ -340,6 +340,8 @@ interface(`mta_mailserver_delivery',` ') -- optional_policy(` -- mono_domtrans(initrc_t) + typeattribute $1 mailserver_delivery; ++ ++ userdom_home_manager($1) + ') + + ####################################### +diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te +index 65fd01f..7f55b85 100644 +--- a/policy/modules/services/mta.te ++++ b/policy/modules/services/mta.te +@@ -233,18 +233,6 
@@ read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) + + read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mailserver_delivery) +- fs_manage_cifs_files(mailserver_delivery) +- fs_manage_cifs_symlinks(mailserver_delivery) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mailserver_delivery) +- fs_manage_nfs_files(mailserver_delivery) +- fs_manage_nfs_symlinks(mailserver_delivery) +-') +- + optional_policy(` + dovecot_manage_spool(mailserver_delivery) + dovecot_domtrans_deliver(mailserver_delivery) +diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te +index 98f541f..58148ed 100644 +--- a/policy/modules/services/oident.te ++++ b/policy/modules/services/oident.te +@@ -59,17 +59,8 @@ miscfiles_read_localization(oidentd_t) + sysnet_read_config(oidentd_t) + + oident_read_user_content(oidentd_t) ++userdom_home_reader(oidentd_t) + + optional_policy(` + nis_use_ypbind(oidentd_t) + ') +- +-tunable_policy(`use_samba_home_dirs', ` +- fs_list_cifs(oidentd_t) +- fs_read_cifs_files(oidentd_t) +-') +- +-tunable_policy(`use_nfs_home_dirs', ` +- fs_list_nfs(oidentd_t) +- fs_read_nfs_files(oidentd_t) +-') +diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te +index 89ab1b6..d958b53 100644 +--- a/policy/modules/services/polipo.te ++++ b/policy/modules/services/polipo.te +@@ -146,14 +146,4 @@ tunable_policy(`polipo_session_send_syslog_msg',` + logging_send_syslog_msg(polipo_session_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files(polipo_session_t) +-',` +- fs_dontaudit_manage_nfs_files(polipo_session_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(polipo_session_t) +-',` +- fs_dontaudit_manage_cifs_files(polipo_session_t) +-') ++userdom_home_manager(polipo_session_t) +diff --git a/policy/modules/services/procmail.te 
b/policy/modules/services/procmail.te +index 6451f82..4c188f9 100644 +--- a/policy/modules/services/procmail.te ++++ b/policy/modules/services/procmail.te +@@ -110,17 +110,7 @@ ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(procmail_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(procmail_t) +- fs_manage_nfs_files(procmail_t) +- fs_manage_nfs_symlinks(procmail_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(procmail_t) +- fs_manage_cifs_files(procmail_t) +- fs_manage_cifs_symlinks(procmail_t) +-') ++userdom_home_manager(procmail_t) + + optional_policy(` + clamav_domtrans_clamscan(procmail_t) +diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te +index cc1775e..9405f78 100644 +--- a/policy/modules/services/razor.te ++++ b/policy/modules/services/razor.te +@@ -121,17 +121,7 @@ ifdef(`distro_redhat',` + userdom_search_user_home_dirs(razor_t) + userdom_use_inherited_user_terminals(razor_t) + +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(razor_t) +- fs_manage_nfs_files(razor_t) +- fs_manage_nfs_symlinks(razor_t) - ') - - # Allow SELinux aware applications to request rpm_script_t execution +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(razor_t) +- fs_manage_cifs_files(razor_t) +- fs_manage_cifs_symlinks(razor_t) +- ') ++ userdom_home_manager(razor_t) + + optional_policy(` + milter_manage_spamass_state(razor_t) +diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te +index adc198d..a475797 100644 +--- a/policy/modules/services/remotelogin.te ++++ b/policy/modules/services/remotelogin.te +@@ -88,15 +88,7 @@ userdom_manage_user_tmp_dirs(remote_login_t) + userdom_manage_user_tmp_files(remote_login_t) + userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir }) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(remote_login_t) +- fs_read_nfs_symlinks(remote_login_t) +-') +- 
+-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(remote_login_t) +- fs_read_cifs_symlinks(remote_login_t) +-') ++userdom_home_reader(remote_login_t) + + optional_policy(` + alsa_domtrans(remote_login_t) +diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te +index 4bcaacc..91c8ee8 100644 +--- a/policy/modules/services/rlogin.te ++++ b/policy/modules/services/rlogin.te +@@ -92,21 +92,10 @@ userdom_search_admin_dir(rlogind_t) + userdom_manage_user_tmp_files(rlogind_t) + userdom_tmp_filetrans_user_tmp(rlogind_t, file) + userdom_use_user_terminals(rlogind_t) ++userdom_home_reader(rlogind_t) + + rlogin_read_home_content(rlogind_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs(rlogind_t) +- fs_read_nfs_files(rlogind_t) +- fs_read_nfs_symlinks(rlogind_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs(rlogind_t) +- fs_read_cifs_files(rlogind_t) +- fs_read_cifs_symlinks(rlogind_t) +-') +- + optional_policy(` + kerberos_keytab_template(rlogind, rlogind_t) + kerberos_manage_host_rcache(rlogind_t) +diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te +index 49a4283..cdf9184 100644 +--- a/policy/modules/services/rshd.te ++++ b/policy/modules/services/rshd.te +@@ -68,15 +68,7 @@ seutil_read_default_contexts(rshd_t) + userdom_search_user_home_content(rshd_t) + userdom_manage_tmp_role(system_r, rshd_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(rshd_t) +- fs_read_nfs_symlinks(rshd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(rshd_t) +- fs_read_cifs_symlinks(rshd_t) +-') ++userdom_home_reader(rshd_t) + + optional_policy(` + kerberos_keytab_template(rshd, rshd_t) +diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te +index a370364..32019d8 100644 +--- a/policy/modules/services/spamassassin.te ++++ b/policy/modules/services/spamassassin.te +@@ -147,6 +147,7 @@ manage_lnk_files_pattern(spamd_t, 
spamassassin_home_t, spamassassin_home_t) + manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) + manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) + userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) ++userdom_home_manager(spamassassin_t) + + kernel_read_kernel_sysctls(spamassassin_t) + +@@ -207,18 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',` + userdom_manage_user_home_content_symlinks(spamd_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamassassin_t) +- fs_manage_nfs_files(spamassassin_t) +- fs_manage_nfs_symlinks(spamassassin_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamassassin_t) +- fs_manage_cifs_files(spamassassin_t) +- fs_manage_cifs_symlinks(spamassassin_t) +-') +- + optional_policy(` + # Write pid file and socket in ~/.evolution/cache/tmp + evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) +@@ -328,18 +317,7 @@ seutil_read_config(spamc_t) + + sysnet_read_config(spamc_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamc_t) +- fs_manage_nfs_files(spamc_t) +- fs_manage_nfs_symlinks(spamc_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamc_t) +- fs_manage_cifs_files(spamc_t) +- fs_manage_cifs_symlinks(spamc_t) +-') +- ++userdom_home_manager(spamc_t) + + optional_policy(` + abrt_stream_connect(spamc_t) +@@ -479,22 +457,13 @@ miscfiles_read_localization(spamd_t) + + userdom_use_unpriv_users_fds(spamd_t) + userdom_search_user_home_dirs(spamd_t) ++userdom_home_manager(spamd_t) + + optional_policy(` + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamd_t) +- fs_manage_nfs_files(spamd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamd_t) +- fs_manage_cifs_files(spamd_t) +-') +- + optional_policy(` + 
amavis_manage_lib_files(spamd_t) + ') +diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if +index 5439f7e..126255f 100644 +--- a/policy/modules/services/ssh.if ++++ b/policy/modules/services/ssh.if +@@ -277,19 +277,7 @@ template(`ssh_server_template',` + # Allow checking users mail at login + mta_getattr_spool($1_t) + +- tunable_policy(`use_fusefs_home_dirs',` +- fs_manage_fusefs_dirs($1_t) +- fs_manage_fusefs_files($1_t) +- ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files($1_t) +- fs_read_nfs_symlinks($1_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files($1_t) +- ') ++ userdom_home_manager($1_t) + + optional_policy(` + kerberos_use($1_t) +@@ -443,19 +431,7 @@ template(`ssh_role_template',` + + ssh_exec_keygen($3) + +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files($1_ssh_agent_t) +- +- # transition back to normal privs upon exec +- fs_nfs_domtrans($1_ssh_agent_t, $3) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files($1_ssh_agent_t) +- +- # transition back to normal privs upon exec +- fs_cifs_domtrans($1_ssh_agent_t, $3) +- ') ++ userdom_home_manager($1_ssh_agent_t) + + optional_policy(` + nis_use_ypbind($1_ssh_agent_t) +diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te +index 02e70c9..e93db05 100644 +--- a/policy/modules/services/ssh.te ++++ b/policy/modules/services/ssh.te +@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t) + userdom_write_user_tmp_files(ssh_t) + userdom_read_user_home_content_symlinks(ssh_t) + userdom_read_home_certs(ssh_t) ++userdom_home_manager(ssh_t) + + tunable_policy(`allow_ssh_keysign',` + domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) +@@ -210,16 +211,6 @@ tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_files(ssh_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(ssh_t) +- fs_manage_nfs_files(ssh_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- 
fs_manage_cifs_dirs(ssh_t) +- fs_manage_cifs_files(ssh_t) +-') +- + # for port forwarding + tunable_policy(`user_tcp_server',` + corenet_tcp_bind_ssh_port(ssh_t) +@@ -498,14 +489,7 @@ tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_symlinks(chroot_user_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(chroot_user_t) +- fs_read_nfs_symlinks(chroot_user_t) +-') +- +-tunable_policy(`use_fusefs_home_dirs',` +- fs_read_fusefs_files(chroot_user_t) +-') ++userdom_home_manager(chroot_user_t) + + optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) +diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te +index 5c32a99..eb8979d 100644 +--- a/policy/modules/services/sssd.te ++++ b/policy/modules/services/sssd.te +@@ -117,17 +117,7 @@ optional_policy(` + ldap_stream_connect(sssd_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(sssd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(sssd_t) +-') +- +-tunable_policy(`use_fusefs_home_dirs',` +- fs_read_fusefs_files(sssd_t) +-') ++userdom_home_reader(sssd_t) + + + +diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te +index 3619ec3..629863f 100644 +--- a/policy/modules/services/virt.te ++++ b/policy/modules/services/virt.te +@@ -842,10 +842,6 @@ miscfiles_read_localization(virtd_lxc_t) + + sysnet_domtrans_ifconfig(virtd_lxc_t) + +-optional_policy(` +- execmem_exec(virtd_lxc_t) +-') +- + #optional_policy(` + # unconfined_shell_domtrans(virtd_lxc_t) + # unconfined_signal(virtd_t) +diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te +index 743ea2b..ab908aa 100644 +--- a/policy/modules/services/xserver.te ++++ b/policy/modules/services/xserver.te +@@ -286,18 +286,7 @@ fs_search_auto_mountpoints(iceauth_t) + userdom_use_inherited_user_terminals(iceauth_t) + userdom_read_user_tmp_files(iceauth_t) + userdom_read_all_users_state(iceauth_t) +- +-tunable_policy(`use_fusefs_home_dirs',` 
+- fs_manage_fusefs_files(iceauth_t) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files(iceauth_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(iceauth_t) +-') ++userdom_home_manager(iceauth_t) + + ifdef(`hide_broken_symptoms',` + dev_dontaudit_read_urand(iceauth_t) +@@ -388,14 +377,7 @@ tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_files(xauth_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files(xauth_t) +- fs_read_nfs_symlinks(xauth_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(xauth_t) +-') ++userdom_home_manager(xauth_t) + + ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) +@@ -614,6 +596,7 @@ files_dontaudit_access_check_etc(xdm_t) + files_dontaudit_getattr_all_dirs(xdm_t) + files_dontaudit_getattr_all_symlinks(xdm_t) + files_dontaudit_getattr_all_tmp_sockets(xdm_t) ++files_dontaudit_all_access_check(xdm_t) + + fs_getattr_all_fs(xdm_t) + fs_search_auto_mountpoints(xdm_t) +@@ -678,6 +661,7 @@ userdom_manage_user_tmp_dirs(xdm_t) + userdom_manage_user_tmp_files(xdm_t) + userdom_manage_user_tmp_sockets(xdm_t) + userdom_manage_tmpfs_role(system_r, xdm_t) ++userdom_home_manager(xdm_t) + + application_signal(xdm_t) + +@@ -699,16 +683,10 @@ tunable_policy(`use_fusefs_home_dirs',` + ') + + tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(xdm_t) +- fs_manage_nfs_files(xdm_t) +- fs_manage_nfs_symlinks(xdm_t) + fs_exec_nfs_files(xdm_t) + ') + + tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(xdm_t) +- fs_manage_cifs_files(xdm_t) +- fs_manage_cifs_symlinks(xdm_t) + fs_exec_cifs_files(xdm_t) + ') + +@@ -1227,26 +1205,10 @@ init_use_fds(xserver_t) + # (xauth?) 
+ userdom_read_user_home_content_files(xserver_t) + userdom_read_all_users_state(xserver_t) ++userdom_home_manager(xserver_t) + + xserver_use_user_fonts(xserver_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(xserver_t) +- fs_manage_nfs_files(xserver_t) +- fs_manage_nfs_symlinks(xserver_t) +-') +- +-tunable_policy(`use_fusefs_home_dirs',` +- fs_manage_fusefs_dirs(xserver_t) +- fs_manage_fusefs_files(xserver_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(xserver_t) +- fs_manage_cifs_files(xserver_t) +- fs_manage_cifs_symlinks(xserver_t) +-') +- + optional_policy(` + dbus_system_bus_client(xserver_t) + +@@ -1434,7 +1396,6 @@ tunable_policy(`use_nfs_home_dirs',` + + optional_policy(` + unconfined_rw_shm(xserver_t) +- unconfined_execmem_rw_shm(xserver_t) + + # xserver signals unconfined user on startx + unconfined_signal(xserver_t) +diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if +index 5a963ef..2409206 100644 +--- a/policy/modules/system/init.if ++++ b/policy/modules/system/init.if +@@ -650,7 +650,7 @@ interface(`init_dontaudit_rw_stream_socket',` + type init_t; + ') + +- dontaudit $1 init_t:unix_stream_socket { read write }; ++ dontaudit $1 init_t:unix_stream_socket { getattr read write }; + ') + + ######################################## +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 75f6d6b..f44bdae 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1206,13 +1206,6 @@ optional_policy(` rpm_transition_script(initrc_t) -diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem serefpolicy-3.10.0/policy/modules/system/userdomain.if ---- serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem 2011-11-04 16:05:07.118602710 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-04 16:05:07.187602887 -0400 -@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', + optional_policy(` 
+- gen_require(` +- type unconfined_execmem_t, execmem_exec_t; +- ') +- init_system_domain(unconfined_execmem_t, execmem_exec_t) +- ') +- +- optional_policy(` + rtkit_scheduled(initrc_t) + ') + ') +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 37a5bb4..2291a13 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -154,15 +154,7 @@ tunable_policy(`console_login',` + term_relabel_console(local_login_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(local_login_t) +- fs_read_nfs_symlinks(local_login_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(local_login_t) +- fs_read_cifs_symlinks(local_login_t) +-') ++userdom_home_reader(local_login_t) + + tunable_policy(`allow_console_login',` + term_use_console(local_login_t) +diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te +index 2273e1a..6b39756 100644 +--- a/policy/modules/system/modutils.te ++++ b/policy/modules/system/modutils.te +@@ -78,6 +78,7 @@ userdom_use_inherited_user_terminals(depmod_t) + files_list_home(depmod_t) + userdom_read_user_home_content_files(depmod_t) + userdom_manage_user_tmp_files(depmod_t) ++userdom_home_reader(depmod_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -85,14 +86,6 @@ ifdef(`distro_ubuntu',` + ') + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(depmod_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(depmod_t) +-') +- + optional_policy(` + bootloader_rw_tmp_files(insmod_t) + ') +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 3ee9ea8..ac8b214 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -492,14 +492,7 @@ seutil_manage_default_contexts(semanage_t) + # Handle pp files created in homedir and /tmp + userdom_read_user_home_content_files(semanage_t) + 
userdom_read_user_tmp_files(semanage_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(semanage_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(semanage_t) +-') ++userdom_home_reader(semanage_t) + + ifdef(`distro_debian',` + files_read_var_lib_files(semanage_t) +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 31047e8..0bb4d1e 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1144,10 +1144,6 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` -- java_role_template($1, $1_r, $1_t) +- openoffice_role_template($1, $1_r, $1_usertype) - ') - - optional_policy(` + policykit_role($1_r, $1_usertype) + ') + +@@ -1282,10 +1278,6 @@ template(`userdom_unpriv_user_template', ` + ') + + optional_policy(` - mono_role_template($1, $1_r, $1_t) - ') - 
@@ -375,43 +2494,96 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem serefpol mount_run_fusermount($1_t, $1_r) mount_read_pid_files($1_t) ') -@@ -5013,3 +5005,39 @@ interface(`userdom_rw_unpriv_user_semaph - - allow $1 unpriv_userdomain:sem rw_sem_perms; +@@ -5065,3 +5057,41 @@ interface(`userdom_filetrans_home_content',` + # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin") + #') ') + -+####################################### ++######################################## +## -+## The Interface gives a domain the privs of a unpriv_userdomain ++## Make the specified type able to read content in user home dirs +## -+## ++## +## -+## The user domain ++## Domain allowed access. +## +## +# -+template(`userdom_unpriv_user',` ++interface(`userdom_home_reader',` + gen_require(` -+ attribute unpriv_userdomain; ++ attribute userdom_home_reader_type; + ') + -+ typeattribute $1 unpriv_userdomain; ++ typeattribute $1 userdom_home_reader_type; +') + -+####################################### ++ ++######################################## +## -+## The Interface gives a domain the privs of a common_userdomain ++## Make the specified type able to manage content in user home dirs +## -+## ++## +## -+## The user domain ++## Domain allowed access. 
+## +## +# -+template(`userdom_common_user',` ++interface(`userdom_home_manager',` + gen_require(` -+ attribute common_userdomain; ++ attribute userdom_home_manager_type; + ') + -+ typeattribute $1 common_userdomain; ++ typeattribute $1 userdom_home_manager_type; +') ++ +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index d6c3860..ced52ff 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -73,6 +73,9 @@ attribute unpriv_userdomain; + attribute untrusted_content_type; + attribute untrusted_content_tmp_type; + ++attribute userdom_home_reader_type; ++attribute userdom_home_manager_type; ++ + # unprivileged user domains + attribute user_home_type; + attribute user_tmp_type; +@@ -172,3 +175,36 @@ optional_policy(` + optional_policy(` + xserver_filetrans_home_content(userdomain) + ') ++ ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_read_fusefs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(userdom_home_manager_type) ++ fs_manage_nfs_dirs(userdom_home_manager_type) ++ fs_manage_nfs_files(userdom_home_manager_type) ++ fs_manage_nfs_symlinks(userdom_home_manager_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(userdom_home_manager_type) ++ fs_manage_cifs_files(userdom_home_manager_type) ++ fs_manage_cifs_symlinks(userdom_home_manager_type) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_manage_fusefs_dirs(userdom_home_manager_type) ++ fs_manage_fusefs_files(userdom_home_manager_type) ++ fs_manage_fusefs_symlinks(userdom_home_manager_type) ++') ++ diff --git a/selinux-policy.spec b/selinux-policy.spec index 9b66cd09..87aba5a3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
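Review bot: The new `userdom_home_reader_type` tunable blocks grant only `fs_read_nfs_files`, `fs_read_cifs_files` and `fs_read_fusefs_files`, so every domain switched to `userdom_home_reader()` earlier in this patch silently loses the `fs_read_*_symlinks`, `fs_list_nfs`/`fs_list_cifs` and `fs_list_auto_mountpoints` rules its old per-domain blocks carried (the removed lpr_t, rlogind_t and oidentd_t rules are visible above), which will surface as fresh AVC denials on symlinked or automounted home content rather than as a tightening anyone chose. I would add `fs_read_nfs_symlinks(userdom_home_reader_type)`, `fs_read_cifs_symlinks(userdom_home_reader_type)` and `fs_list_auto_mountpoints(userdom_home_reader_type)` to the matching blocks (plus the fusefs symlink interface if one exists, which I cannot confirm from here), and note that the manager attribute gets `fs_list_auto_mountpoints` only in its nfs block, not cifs or fusefs. The two interface summaries also promise more than the attributes deliver: nothing here touches local `user_home_t`; the rules only open `nfs_t`/`cifs_t`/`fusefs_t`, which label every mount of those filesystem types rather than just home directories, and only while the corresponding `use_*_home_dirs` boolean is on. I would reword both summaries along the lines of `Allow the domain to read (or manage) user home content on NFS, CIFS and FUSE filesystems when the matching use_*_home_dirs boolean is enabled; this covers every nfs_t/cifs_t/fusefs_t mount, not only home directories.` It is also worth a comment that `userdom_home_manager` is strictly wider than the read-only remote-home rules several callers in this patch had before (the ssh server `$1_t` and `chroot_user_t` conversions), so each of those is a deliberate privilege increase rather than a refactor.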
@@ -24,6 +24,7 @@ Source: serefpolicy-%{version}.tgz patch: policy-F16.patch patch1: unconfined_permissive.patch patch2: thumb.patch +patch3: execmem.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -239,6 +240,7 @@ Based off of reference policy: Checked out revision 2.20091117 %patch -p1 %patch1 -p1 -b .unconfined %patch2 -p1 -b .thumb +%patch3 -p1 -b .execmem %install mkdir selinux_config