Remove allow_ptrace and replace it with deny_ptrace, which will remove all

ptrace from the system Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00 · 2011-10-11 16:46:26 -04:00 · 6554bb3cca
commit 6554bb3cca
parent 2a89dffbb5
7 changed files with 1724 additions and 1373 deletions
--- a/apache.patch
+++ b/apache.patch
@ -1,81 +1,8 @@
-diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index cf3d50b..3ded83e 100644
--- a/policy/modules/kernel/domain.if
-+++ b/policy/modules/kernel/domain.if
-@@ -75,34 +75,6 @@ interface(`domain_base_type',`
- interface(`domain_type',`
- 	# start with basic domain
- 	domain_base_type($1)
-
-	ifdef(`distro_redhat',`
-		optional_policy(`
-			unconfined_use_fds($1)
-		')
-	')
-
-	# send init a sigchld and signull
-	optional_policy(`
-		init_sigchld($1)
-		init_signull($1)
-	')
-
-	# these seem questionable:
-
-	optional_policy(`
-		rpm_use_fds($1)
-		rpm_read_pipes($1)
-	')
-
-	optional_policy(`
-		selinux_dontaudit_getattr_fs($1)
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`
-		seutil_dontaudit_read_config($1)
-	')
- ')
- 
- ########################################
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 00e20f7..db2a183 100644
--- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -285,3 +285,30 @@ optional_policy(`
- # broken kernel
- dontaudit can_change_object_identity can_change_object_identity:key link;
- 
-+ifdef(`distro_redhat',`
-+	optional_policy(`
-+		unconfined_use_fds(domain)
-+	')
-+')
-+
-+# send init a sigchld and signull
-+optional_policy(`
-+	init_sigchld(domain)
-+	init_signull(domain)
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+	rpm_use_fds(domain)
-+	rpm_read_pipes(domain)
-+')
-+
-+optional_policy(`
-+	selinux_dontaudit_getattr_fs(domain)
-+	selinux_dontaudit_read_fs(domain)
-+')
-+
-+optional_policy(`
-+	seutil_dontaudit_read_config(domain)
-+')
-diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index e12bbc0..606323d 100644
--- a/policy/modules/services/apache.if
-+++ b/policy/modules/services/apache.if
+diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.if.apache serefpolicy-3.10.0/policy/modules/kernel/domain.if
+diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.apache serefpolicy-3.10.0/policy/modules/kernel/domain.te
+diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.apache serefpolicy-3.10.0/policy/modules/services/apache.if
+--- serefpolicy-3.10.0/policy/modules/services/apache.if.apache	2011-10-11 10:17:05.262944711 -0400
+++ serefpolicy-3.10.0/policy/modules/services/apache.if	2011-10-11 10:17:13.416929487 -0400
@@ -16,55 +16,43 @@ template(`apache_content_template',`
 		attribute httpd_exec_scripts, httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
@ -240,11 +167,10 @@ index e12bbc0..606323d 100644
 	')
 ')
 
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index f165efd..adf2423 100644
--- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false)
+diff -up serefpolicy-3.10.0/policy/modules/services/apache.te.apache serefpolicy-3.10.0/policy/modules/services/apache.te
+--- serefpolicy-3.10.0/policy/modules/services/apache.te.apache	2011-10-11 10:17:05.263944709 -0400
+++ serefpolicy-3.10.0/policy/modules/services/apache.te	2011-10-11 10:17:13.418929446 -0400
+@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_
 
 attribute httpdcontent;
 attribute httpd_user_content_type;
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@ -1,4 +1,4 @@
-d# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false

@ -38,9 +38,9 @@ allow_saslauthd_read_shadow = false
 # 
 allow_smbd_anon_write = false

-# Allow sysadm to ptrace all processes
+# Deny all processes the ability to ptrace other processes
 # 
-allow_ptrace = false
+deny_ptrace = false

 # Allow system to run with NIS
 # 
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -210,9 +210,9 @@ allow_daemons_use_tty = false
 # 
 allow_polyinstantiation = false

-# Allow confined domains to ptrace them selves
+# Deny all processes the ability to ptrace other processes
 # 
-allow_ptrace = true
+deny_ptrace = false

 # Allow all domains to dump core
 # 
@ -267,6 +267,10 @@ unconfined_mozilla_plugin_transition=true
 # 
 unconfined_telepathy_transition=true

+# Allow unconfined domain to transition to chrome_sandbox confined domain
+# 
+unconfined_chrome_sandbox_transition=true
+
 # Allow telepathy domains to connect to all network ports
 # 
 telepathy_tcp_connect_generic_network_ports=true
--- a/policy-F16.patch
+++ b/policy-F16.patch
--- a/ptrace.patch
+++ b/ptrace.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 38.1%{?dist}
+Release: 39.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -29,6 +29,7 @@ patch4: execmem.patch
 patch5: userdomain.patch
 patch6: apache.patch
 patch7: ptrace.patch
+patch8: dontaudit.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@ -218,7 +219,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
   rm /etc/selinux/%2/.rebuild; \
   if [ %1 -ne 1 ]; then \
-	/usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+	/usr/sbin/semodule -n -s %2 -r hotplug howl java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
   fi \
   /usr/sbin/semodule -B -s %2; \
 else \
@ -248,7 +249,8 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch4 -p1 -b .execmem
 %patch5 -p1 -b .userdomain
 %patch6 -p1 -b .apache
-#%patch7 -p1 -b .ptrace
+%patch7 -p1 -b .ptrace
+%patch8 -p1 -b .dontaudit

 %install
 mkdir selinux_config
@ -480,6 +482,31 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Tue Oct 11 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-39.1
+- Remove allow_ptrace and replace it with deny_ptrace, which will remove all 
+ptrace from the system
+- Remove 2000 dontaudit rules between confined domains on transition
+and replace with single
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+
+* Mon Oct 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-39
+- Fixes for bootloader policy
+- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore
+- Allow nsplugin to read /usr/share/config
+- Allow sa-update to update rules
+- Add use_fusefs_home_dirs for chroot ssh option
+- Fixes for grub2
+- Update systemd_exec_systemctl() interface
+- Allow gpg to read the mail spool
+- More fixes for sa-update running out of cron job
+- Allow ipsec_mgmt_t to read hardware state information
+- Allow pptp_t to connect to unreserved_port_t
+- Dontaudit getattr on initctl in /dev from chfn
+- Dontaudit getattr on kernel_core from chfn
+- Add systemd_list_unit_dirs to systemd_exec_systemctl call
+- Fixes for collectd policy
+- CHange sysadm_t to create content as user_tmp_t under /tmp
+
 * Thu Oct 6 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-38.1
 - Shrink size of policy through use of attributes for userdomain and apache

@ -496,9 +523,6 @@ SELinux Reference policy mls base module.
 - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
 - Allow systemd_logind_t to manage /run/USER/dconf/user

-* Tue Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.2
- Make allow_ptrace remove all ptrace
-
 * Tue Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.1
 - Fix missing patch from F16

--- a/userdomain.patch
+++ b/userdomain.patch
@ -1,7 +1,6 @@
-diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 66cf96c..a6d907b 100644
--- a/policy/modules/admin/usermanage.if
-+++ b/policy/modules/admin/usermanage.if
+diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if
+--- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain	2011-10-11 10:15:28.062129903 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if	2011-10-11 10:15:28.489129089 -0400
@@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',`
 	role $2 types useradd_t;
 
@ -11,11 +10,10 @@ index 66cf96c..a6d907b 100644
 
 	seutil_run_semanage(useradd_t, $2)
 
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 4779a8d..7d7efd7 100644
--- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -509,7 +509,7 @@ seutil_domtrans_setfiles(useradd_t)
+diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te
+--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain	2011-10-11 10:15:28.447129169 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-11 10:15:28.490129087 -0400
+@@ -512,7 +512,7 @@ seutil_domtrans_setfiles(useradd_t)
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
 userdom_home_filetrans_user_home_dir(useradd_t)
@ -24,10 +22,9 @@ index 4779a8d..7d7efd7 100644
 
 mta_manage_spool(useradd_t)
 
-diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
-index e23f640..182d6d1 100644
--- a/policy/modules/apps/execmem.if
-+++ b/policy/modules/apps/execmem.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if
+--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain	2011-10-11 10:15:28.472129121 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if	2011-10-11 10:15:28.491129085 -0400
@@ -57,8 +57,6 @@ template(`execmem_role_template',`
 	role $2 types $1_execmem_t;
 
@ -37,10 +34,9 @@ index e23f640..182d6d1 100644
 
 	allow $1_execmem_t self:process { execmem execstack };
 	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
-diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
-index 7c398c0..c64cced 100644
--- a/policy/modules/apps/java.if
-+++ b/policy/modules/apps/java.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if
+--- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain	2011-10-11 10:15:28.077129873 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/java.if	2011-10-11 10:15:28.492129083 -0400
@@ -73,7 +73,8 @@ template(`java_role_template',`
 	domain_interactive_fd($1_java_t)
 
@ -51,10 +47,9 @@ index 7c398c0..c64cced 100644
 
 	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
 
-diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
-index 1fa8573..8179185 100644
--- a/policy/modules/apps/mono.if
-+++ b/policy/modules/apps/mono.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if
+--- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain	2011-10-11 10:15:28.082129864 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if	2011-10-11 10:15:28.493129081 -0400
@@ -49,7 +49,8 @@ template(`mono_role_template',`
 	corecmd_bin_domtrans($1_mono_t, $1_t)
 
@ -65,10 +60,9 @@ index 1fa8573..8179185 100644
 
 	optional_policy(`
 		xserver_role($1_r, $1_mono_t)
-diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 83fc139..596232f 100644
--- a/policy/modules/apps/mozilla.if
-+++ b/policy/modules/apps/mozilla.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain	2011-10-11 10:15:28.083129862 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if	2011-10-11 10:15:28.494129079 -0400
@@ -51,7 +51,7 @@ interface(`mozilla_role',`
 	mozilla_run_plugin(mozilla_t, $1)
 	mozilla_dbus_chat($2)
@ -78,10 +72,9 @@ index 83fc139..596232f 100644
 
 	optional_policy(`
 		nsplugin_role($1, mozilla_t)
-diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
-index 1925bd9..0a794bc 100644
--- a/policy/modules/apps/nsplugin.if
-+++ b/policy/modules/apps/nsplugin.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain	2011-10-11 10:15:28.087129854 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if	2011-10-11 10:15:28.495129077 -0400
@@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', `
 	userdom_use_inherited_user_terminals(nsplugin_t)
 	userdom_use_inherited_user_terminals(nsplugin_config_t)
@ -91,11 +84,10 @@ index 1925bd9..0a794bc 100644
 
 	optional_policy(`
 		pulseaudio_role($1, nsplugin_t)
-diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
-index 9bf1dd8..564d1ea 100644
--- a/policy/modules/apps/nsplugin.te
-+++ b/policy/modules/apps/nsplugin.te
-@@ -284,6 +284,7 @@ userdom_search_user_home_content(nsplugin_config_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain	2011-10-11 10:15:28.088129853 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te	2011-10-11 10:15:28.496129075 -0400
+@@ -286,6 +286,7 @@ userdom_search_user_home_content(nsplugi
 userdom_read_user_home_content_symlinks(nsplugin_config_t)
 userdom_read_user_home_content_files(nsplugin_config_t)
 userdom_dontaudit_search_admin_dir(nsplugin_config_t)
@ -103,10 +95,9 @@ index 9bf1dd8..564d1ea 100644
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_getattr_nfs(nsplugin_t)
-diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index 9a5e99c..1e6cf7d 100644
--- a/policy/modules/apps/pulseaudio.if
-+++ b/policy/modules/apps/pulseaudio.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if
+--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain	2011-10-11 10:15:28.089129851 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if	2011-10-11 10:15:28.497129073 -0400
@@ -35,9 +35,9 @@ interface(`pulseaudio_role',`
 	allow pulseaudio_t $2:unix_stream_socket connectto;
 	allow $2 pulseaudio_t:unix_stream_socket connectto;
@ -120,10 +111,9 @@ index 9a5e99c..1e6cf7d 100644
 
 	allow $2 pulseaudio_t:dbus send_msg;
 	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
-diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index 8522ab4..6941c29 100644
--- a/policy/modules/apps/pulseaudio.te
-+++ b/policy/modules/apps/pulseaudio.te
+diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te
+--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain	2011-10-11 10:15:28.091129847 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te	2011-10-11 10:15:28.498129071 -0400
@@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
 
 miscfiles_read_localization(pulseaudio_t)
@ -135,11 +125,10 @@ index 8522ab4..6941c29 100644
 optional_policy(`
 	alsa_read_rw_config(pulseaudio_t)
 ')
-diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index 8895098..19438a5 100644
--- a/policy/modules/apps/userhelper.if
-+++ b/policy/modules/apps/userhelper.if
-@@ -294,7 +294,7 @@ template(`userhelper_console_role_template',`
+diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if
+--- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain	2011-10-11 10:15:28.102129826 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if	2011-10-11 10:15:28.498129071 -0400
+@@ -294,7 +294,7 @@ template(`userhelper_console_role_templa
 
 	auth_use_pam($1_consolehelper_t)
 
@ -148,10 +137,9 @@ index 8895098..19438a5 100644
 
 	optional_policy(`
 		dbus_connect_session_bus($1_consolehelper_t)
-diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
-index 8ce8577..f967898 100644
--- a/policy/modules/apps/userhelper.te
-+++ b/policy/modules/apps/userhelper.te
+diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te
+--- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain	2011-10-11 10:15:28.102129826 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te	2011-10-11 10:15:28.499129069 -0400
@@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain)
 userdom_use_user_ptys(consolehelper_domain)
 userdom_use_user_ttys(consolehelper_domain)
@ -160,10 +148,9 @@ index 8ce8577..f967898 100644
 
 optional_policy(`
 	gnome_read_gconf_home_files(consolehelper_domain)
-diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index e10101a..cf453e6 100644
--- a/policy/modules/apps/wine.if
-+++ b/policy/modules/apps/wine.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if
+--- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain	2011-10-11 10:15:28.105129820 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if	2011-10-11 10:15:28.499129069 -0400
@@ -105,7 +105,8 @@ template(`wine_role_template',`
 	corecmd_bin_domtrans($1_wine_t, $1_t)
 
@ -174,10 +161,9 @@ index e10101a..cf453e6 100644
 
 	domain_mmap_low($1_wine_t)
 
-diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
-index 50c1a74..d618395 100644
--- a/policy/modules/apps/wm.if
-+++ b/policy/modules/apps/wm.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if
+--- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain	2011-10-11 10:15:28.107129816 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wm.if	2011-10-11 10:15:28.500129068 -0400
@@ -77,9 +77,13 @@ template(`wm_role_template',`
 	miscfiles_read_fonts($1_wm_t)
 	miscfiles_read_localization($1_wm_t)
@ -195,10 +181,22 @@ index 50c1a74..d618395 100644
 	userdom_exec_user_tmp_files($1_wm_t)
 
 	optional_policy(`
-diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
-index e1113e0..5bcd298 100644
--- a/policy/modules/roles/unconfineduser.te
-+++ b/policy/modules/roles/unconfineduser.te
+diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te
+--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain	2011-10-11 10:15:28.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te	2011-10-11 10:16:15.471039586 -0400
+@@ -60,7 +60,8 @@ sysnet_filetrans_named_content(sysadm_t)
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
+-userdom_manage_tmp_role(sysadm_r, sysadm_t)
+userdom_manage_tmp_role(sysadm_r)
+userdom_manage_tmp(sysadm_t)
+ 
+ optional_policy(`
+ 	ssh_filetrans_admin_home_content(sysadm_t)
+diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
+--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain	2011-10-11 10:15:28.476129113 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te	2011-10-11 10:15:28.501129066 -0400
@@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true)
 # calls is not correct, however we dont currently
 # have another method to add access to these types
@ -215,10 +213,9 @@ index e1113e0..5bcd298 100644
 userdom_unpriv_usertype(unconfined, unconfined_t)
 
 type unconfined_exec_t;
-diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 49a4283..7a3ea96 100644
--- a/policy/modules/services/rshd.te
-+++ b/policy/modules/services/rshd.te
+diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te
+--- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain	2011-10-11 10:15:28.333129386 -0400
+++ serefpolicy-3.10.0/policy/modules/services/rshd.te	2011-10-11 10:15:28.502129064 -0400
@@ -66,7 +66,7 @@ seutil_read_config(rshd_t)
 seutil_read_default_contexts(rshd_t)
 
@ -228,10 +225,9 @@ index 49a4283..7a3ea96 100644
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(rshd_t)
-diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 8e3e9de..862e108 100644
--- a/policy/modules/services/ssh.if
-+++ b/policy/modules/services/ssh.if
+diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if
+--- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain	2011-10-11 10:15:28.354129346 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ssh.if	2011-10-11 10:15:28.503129062 -0400
@@ -380,7 +380,7 @@ template(`ssh_role_template',`
 	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
 	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
@ -241,10 +237,9 @@ index 8e3e9de..862e108 100644
 
 	##############################
 	#
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index d81a09f..3fdc1df 100644
--- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
+diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te
+--- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain	2011-10-11 10:15:28.355129344 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ssh.te	2011-10-11 10:15:28.503129062 -0400
@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t)
 userdom_write_user_tmp_files(ssh_t)
 userdom_read_user_home_content_symlinks(ssh_t)
@ -253,7 +248,7 @@ index d81a09f..3fdc1df 100644
 
 tunable_policy(`allow_ssh_keysign',`
 	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
+@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(
 
 userdom_read_user_home_content_files(sshd_t)
 userdom_read_user_home_content_symlinks(sshd_t)
@ -262,10 +257,9 @@ index d81a09f..3fdc1df 100644
 userdom_spec_domtrans_unpriv_users(sshd_t)
 userdom_signal_unpriv_users(sshd_t)
 userdom_dyntransition_unpriv_users(sshd_t)
-diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 7d5a298..36b8a4c 100644
--- a/policy/modules/services/sssd.te
-+++ b/policy/modules/services/sssd.te
+diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te
+--- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain	2011-10-11 10:15:28.356129342 -0400
+++ serefpolicy-3.10.0/policy/modules/services/sssd.te	2011-10-11 10:15:28.504129060 -0400
@@ -92,7 +92,7 @@ miscfiles_read_generic_certs(sssd_t)
 sysnet_dns_name_resolve(sssd_t)
 sysnet_use_ldap(sssd_t)
@ -275,10 +269,9 @@ index 7d5a298..36b8a4c 100644
 
 optional_policy(`
 	dbus_system_bus_client(sssd_t)
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 60e0e2d..fcf2f38 100644
--- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
+diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te
+--- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain	2011-10-11 10:15:28.480129106 -0400
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-10-11 10:15:28.505129058 -0400
@@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t)
 userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_files(xdm_t)
@ -288,10 +281,9 @@ index 60e0e2d..fcf2f38 100644
 
 application_signal(xdm_t)
 
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e7a65ae..6974244 100644
--- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
+diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain	2011-10-11 10:15:28.482129102 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-10-11 10:15:28.506129056 -0400
@@ -35,21 +35,14 @@ template(`userdom_base_user_template',`
 	type $1_t, userdomain, $1_usertype;
 	domain_type($1_t)
@ -611,7 +603,7 @@ index e7a65ae..6974244 100644
 ')
 
 #######################################
-@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',
 ##	Role allowed access.
 ##	</summary>
 ## </param>
@ -633,7 +625,7 @@ index e7a65ae..6974244 100644
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
-@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',
 ## </param>
 ## <rolecap/>
 #
@ -671,7 +663,7 @@ index e7a65ae..6974244 100644
 ')
 
 #######################################
-@@ -578,260 +503,31 @@ template(`userdom_change_password_template',`
+@@ -578,260 +503,31 @@ template(`userdom_change_password_templa
 template(`userdom_common_user_template',`
 	gen_require(`
 		attribute unpriv_userdomain;
@ -690,11 +682,9 @@ index e7a65ae..6974244 100644
 -	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 -	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
 -	allow $1_t self:socket create_socket_perms;
-+	typeattribute $1_t common_userdomain;
- 
+-
 -	allow $1_usertype unpriv_userdomain:fd use;
-+	userdom_basic_networking(common_userdomain)
- 
+-
 -	kernel_read_system_state($1_usertype)
 -	kernel_read_network_state($1_usertype)
 -	kernel_read_software_raid_state($1_usertype)
@ -746,11 +736,13 @@ index e7a65ae..6974244 100644
 -
 -	# for eject
 -	storage_getattr_fixed_disk_dev($1_usertype)
-
+	typeattribute $1_t common_userdomain;
+ 
 -	auth_read_login_records($1_usertype)
 -	auth_run_pam($1_t,$1_r)
 -	auth_run_utempter($1_t,$1_r)
-
+	userdom_basic_networking(common_userdomain)
+ 
 -	init_read_utmp($1_usertype)
 -
 -	seutil_read_file_contexts($1_usertype)
@ -775,21 +767,16 @@ index e7a65ae..6974244 100644
 -		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_usertype)
 -	')
-+	auth_run_pam(common_userdomain,$1_r)
-+	auth_run_utempter(common_userdomain,$1_r)
-+	seutil_run_newrole(common_userdomain,$1_r)
- 
- 	optional_policy(`
+-
+-	optional_policy(`
 -		canna_stream_connect($1_usertype)
-+		chrome_role($1_r, common_userdomain)
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		chrome_role($1_r, $1_usertype)
-+		git_session_role($1_r, common_userdomain)
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		colord_read_lib_files($1_usertype)
 -	')
 -
@ -850,10 +837,9 @@ index e7a65ae..6974244 100644
 -		optional_policy(`
 -			vpn_dbus_chat($1_usertype)
 -		')
-+		nsplugin_role($1_r, common_userdomain)
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		git_session_role($1_r, $1_usertype)
 -	')
 -
@ -922,27 +908,33 @@ index e7a65ae..6974244 100644
 -	optional_policy(`
 -		resmgr_stream_connect($1_usertype)
 -	')
-
-	optional_policy(`
+	auth_run_pam(common_userdomain,$1_r)
+	auth_run_utempter(common_userdomain,$1_r)
+	seutil_run_newrole(common_userdomain,$1_r)
+ 
+ 	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_usertype)
 -		rpc_manage_nfs_rw_content($1_usertype)
-	')
-
-	optional_policy(`
+		chrome_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
 -		rpcbind_stream_connect($1_usertype)
-	')
-
-	optional_policy(`
+		git_session_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
 -		samba_stream_connect_winbind($1_usertype)
-	')
-
-	optional_policy(`
+		nsplugin_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
 -		sandbox_transition($1_usertype, $1_r)
 +		sandbox_transition(common_userdomain, $1_r)
 	')
 
 	optional_policy(`
-@@ -839,11 +535,7 @@ template(`userdom_common_user_template',`
+@@ -839,11 +535,7 @@ template(`userdom_common_user_template',
 	')
 
 	optional_policy(`
@ -955,7 +947,7 @@ index e7a65ae..6974244 100644
 	')
 ')
 
-@@ -872,10 +564,9 @@ template(`userdom_login_user_template', `
+@@ -872,10 +564,9 @@ template(`userdom_login_user_template',
 
 	userdom_base_user_template($1)
 
@ -969,7 +961,7 @@ index e7a65ae..6974244 100644
 
 	ifelse(`$1',`unconfined',`',`
 		gen_tunable(allow_$1_exec_content, true)
-@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_template',`
+@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_templa
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
 
@ -979,7 +971,7 @@ index e7a65ae..6974244 100644
 	##############################
 	#
 	# Local policy
-@@ -3918,6 +3606,10 @@ template(`userdom_unpriv_usertype',`
+@@ -3929,6 +3617,10 @@ template(`userdom_unpriv_usertype',`
 	
 	auth_use_nsswitch($2)
 	ubac_constrained($2)
@ -990,10 +982,9 @@ index e7a65ae..6974244 100644
 ')
 
 ########################################
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 04d748b..c636356 100644
--- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
+diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain	2011-10-11 10:15:28.427129208 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.te	2011-10-11 10:15:28.507129054 -0400
@@ -69,6 +69,8 @@ attribute userdomain;
 
 # unprivileged user domains