diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 0b1ca38a..5c3200a6 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -297,14 +297,17 @@ optional_policy(`
# mozilla_plugin local policy
#
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
can_exec(mozilla_plugin_t, mozilla_home_t)
+read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
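Review bot: The three added `self:` socket rules (netlink_route_socket, tcp_socket, udp_socket) are unconditional and carry no comment saying which plugin needs them, on a domain that the first rule of this block already allows `execmem` and that can execute mozilla_home_t content. Socket creation alone does not decide what the plugin can reach; the corenet port and node rules for mozilla_plugin_t are outside the hunk and should be checked to be no broader than required. I would add a comment above the new lines such as `# plugins that open their own connections; record the denial or plugin here`. Consider putting the tcp/udp rules under a tunable so sites without networked plugins can leave them off.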
@@ -330,6 +333,7 @@ dev_read_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
dev_read_sound(mozilla_plugin_t)
dev_write_sound(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
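Review bot: `dev_dontaudit_rw_dri(mozilla_plugin_t)` silences the denial rather than granting or fixing the access, so later attempts by the plugin to open the DRI device will no longer appear in the audit log. That is a reasonable choice for a noisy probe, but it should be recorded next to the rule, for example `# plugins probe the DRI device; access is not needed, suppress the AVC noise`. Anyone investigating plugin behaviour from audit logs needs to know this class of event is hidden by policy.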
@@ -349,13 +353,20 @@ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_stream_connect(mozilla_plugin_t)
userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+
+userdom_list_user_tmp(mozilla_plugin_t)
+userdom_read_user_tmp_files(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
')
optional_policy(`
+ dbus_session_bus_client(mozilla_plugin_t)
dbus_read_lib_files(mozilla_plugin_t)
')
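Review bot: The added `userdom_read_user_home_content_files(mozilla_plugin_t)` repeats the identical call on the line directly above it, so it has no effect and should be dropped; only `userdom_read_user_home_content_symlinks(mozilla_plugin_t)` is new in that pair. Separately, the three user-tmp interfaces (list, read files, read symlinks) appear by their names to open all user tmp content to the plugin, and `dbus_session_bus_client` gives it a session-bus connection. A one-line comment per group naming the denial it answers would make it possible to narrow these later.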
@@ -369,6 +380,7 @@ optional_policy(`
nsplugin_rw_exec(mozilla_plugin_t)
nsplugin_manage_home_dirs(mozilla_plugin_t)
nsplugin_manage_home_files(mozilla_plugin_t)
+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t)
nsplugin_signal(mozilla_plugin_t)
')
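Review bot: `nsplugin_user_home_dir_filetrans(mozilla_plugin_t)` is called with one argument, but the interface this commit adds in nsplugin.if forwards `$2` as the object class in `userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)`. With `$2` empty the expanded transition has no class, which will most likely fail to build or produce no usable rule. Pass the class explicitly, e.g. `nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)` if directories are what the plugin creates there; the intended class cannot be determined from the hunk. The enclosing optional_policy block starts outside the hunk.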
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
index 94397463..4dbb1616 100644
--- a/policy/modules/apps/nsplugin.if
+++ b/policy/modules/apps/nsplugin.if
@@ -409,3 +409,28 @@ interface(`nsplugin_signal',`
allow $1 nsplugin_t:process signal;
')
+
+########################################
+##
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`nsplugin_user_home_dir_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+')
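Review bot: The interface is named and summarised as a transition in the user home directory, yet its body calls `userdom_user_home_content_filetrans`, which by its name applies inside home content directories rather than in the home directory itself. If the goal is for objects created directly in the home directory to be labelled nsplugin_home_t, the body probably wants `userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)`; otherwise the interface should be renamed to match what it does. A mismatch here means files land with the generic home label, and the `nsplugin_manage_home_*` rules would then not cover them. The header comment should also say that the second parameter is required, since an empty class is not caught by the interface.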
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index ef2a773d..f9636424 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -114,6 +114,7 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
ifdef(`hide_broken_symptoms',`
dontaudit iceauth_t $2:socket_class_set { read write };
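Review bot: The new `xserver_read_xdm_etc_files($2)` sits directly under the comment `# Needed for escd, remove if we get escd policy`, so it reads as part of that temporary workaround even though nothing in the hunk ties it to escd. Since xserver_restricted_role applies to every role that uses it, the line deserves its own comment, e.g. `# user sessions read xdm configuration files`. That way it is not removed, or kept, by mistake when the escd rule is revisited. The interface body starts and ends outside the hunk.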
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c80794bc..6c6f684f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -650,6 +650,7 @@ application_signal(xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
+xserver_domtrans_xauth(xdm_t)
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };