- Add devicekit policy

2009-01-19 22:10:11 +00:00 · 2009-01-19 22:10:11 +00:00 · 70d5ccf098
commit 70d5ccf098
parent 4e42f3a511
1 changed files with 290 additions and 71 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -11412,6 +11412,216 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_generic_node(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.3/policy/modules/services/devicekit.fc
+--- nsaserefpolicy/policy/modules/services/devicekit.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.fc	2009-01-19 17:04:16.000000000 -0500
+@@ -0,0 +1,4 @@
+
+/usr/libexec/devkit-daemon	--	gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
+--- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if	2009-01-19 17:09:09.000000000 -0500
+@@ -0,0 +1,139 @@
+
+## <summary>policy for devicekit</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run devicekit.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`devicekit_domtrans',`
+	gen_require(`
+		type devicekit_t;
+                type devicekit_exec_t;
+	')
+
+	domtrans_pattern($1,devicekit_exec_t,devicekit_t)
+')
+
+
+########################################
+## <summary>
+##	Read devicekit PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_read_pid_files',`
+	gen_require(`
+		type devicekit_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 devicekit_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage devicekit var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_manage_var_run',`
+	gen_require(`
+		type devicekit_var_run_t;
+	')
+
+         manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+         manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+         manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	devicekit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_dbus_chat',`
+	gen_require(`
+		type devicekit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 devicekit_t:dbus send_msg;
+	allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	devicekit power over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_power_dbus_chat',`
+	gen_require(`
+		type devicekit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 devicekit_power_t:dbus send_msg;
+	allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an devicekit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the devicekit domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`devicekit_admin',`
+	gen_require(`
+		type devicekit_t;
+	')
+
+	allow $1 devicekit_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, devicekit_t, devicekit_t)
+	        
+
+	devicekit_manage_var_run($1)
+
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te
+--- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te	2009-01-19 17:06:44.000000000 -0500
+@@ -0,0 +1,55 @@
+policy_module(devicekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+permissive devicekit_t;
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+permissive devicekit_power_t;
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+#
+# DeviceKit local policy
+#
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t,  devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t,  devicekit_var_run_t)
+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
+
+fs_list_inotifyfs(devicekit_t)
+
+optional_policy(`
+	dbus_system_bus_client(devicekit_t)
+')
+
+#
+# DeviceKit-Power local policy
+#
+
+dev_rw_netcontrol(devicekit_power_t)
+files_read_etc_files(devicekit_power_t)
+fs_list_inotifyfs(devicekit_power_t)
+
+optional_policy(`
+	polkit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(devicekit_power_t)
+	allow devicekit_power_t devicekit_t:dbus send_msg;
+	allow devicekit_t devicekit_power_t:dbus send_msg;
+')
+
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
 --- nsaserefpolicy/policy/modules/services/dhcp.if	2008-11-18 18:57:20.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/dhcp.if	2009-01-19 13:10:02.000000000 -0500
@ -21508,7 +21718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	display.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-19 14:47:14.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-19 17:08:51.000000000 -0500
@@ -34,6 +34,13 @@
 
 ## <desc>
@ -21838,7 +22048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -515,12 +572,35 @@
+@@ -515,12 +572,41 @@
 ')
 
 optional_policy(`
@ -21852,14 +22062,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dbus_system_bus_client(xdm_t)
 +
 +	optional_policy(`
+		devicekit_power_dbus_chat(xdm_t)
+	')
+
+	optional_policy(`
 +		hal_dbus_chat(xdm_t)
 +	')
 +
 +	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
 +	')
+
 +')
 +
+
 +optional_policy(`
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
@ -21874,7 +22090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	hostname_exec(xdm_t)
 ')
 
-@@ -542,6 +622,19 @@
+@@ -542,6 +628,19 @@
 ')
 
 optional_policy(`
@ -21894,7 +22110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
 
-@@ -550,8 +643,8 @@
+@@ -550,8 +649,8 @@
 ')
 
 optional_policy(`
@ -21904,7 +22120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -571,6 +664,10 @@
+@@ -571,6 +670,10 @@
 ')
 
 optional_policy(`
@ -21915,7 +22131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -635,6 +732,15 @@
+@@ -635,6 +738,15 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -21931,7 +22147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Create files in /var/log with the xserver_log_t type.
 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -682,6 +788,7 @@
+@@ -682,6 +794,7 @@
 dev_rw_input_dev(xserver_t)
 dev_rwx_zero(xserver_t)
 
@ -21939,7 +22155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_mmap_low(xserver_t)
 
 files_read_etc_files(xserver_t)
-@@ -697,6 +804,7 @@
+@@ -697,6 +810,7 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -21947,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 mls_xwin_read_to_clearance(xserver_t)
 
-@@ -806,7 +914,7 @@
+@@ -806,7 +920,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
@ -21956,7 +22172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +938,10 @@
+@@ -830,6 +944,10 @@
 
 xserver_use_user_fonts(xserver_t)
 
@ -21967,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +956,14 @@
+@@ -844,11 +962,14 @@
 
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -21983,7 +22199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -856,6 +971,11 @@
+@@ -856,6 +977,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
@ -21995,7 +22211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -972,6 +1092,37 @@
+@@ -972,6 +1098,37 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 
@ -22033,7 +22249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`TODO',`
 tunable_policy(`allow_polyinstantiation',`
 # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1137,13 @@
+@@ -986,3 +1143,13 @@
 #
 allow xdm_t user_home_type:file unlink;
 ') dnl end TODO
@ -26194,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-19 17:08:20.000000000 -0500
@@ -30,8 +30,9 @@
 	')
 
@ -26594,7 +26810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	##############################
 	#
-@@ -512,189 +525,194 @@
+@@ -512,189 +525,198 @@
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
@ -26763,54 +26979,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			evolution_dbus_chat($1_usertype)
-+			evolution_alarm_dbus_chat($1_usertype)
+			devkit_power_dbus_chat($1_usertype)
 		')
 
 		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
 -		')
-+			hal_dbus_chat($1_usertype)
+			evolution_dbus_chat($1_usertype)
+			evolution_alarm_dbus_chat($1_usertype)
 	')
 
 	optional_policy(`
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
-+			networkmanager_dbus_chat($1_usertype)
+			hal_dbus_chat($1_usertype)
 	')
 
 	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+			vpnc_dbus_chat($1_usertype)
-+		')
+			networkmanager_dbus_chat($1_usertype)
 	')
 
 	optional_policy(`
 -		locate_read_lib_files($1_t)
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
+			vpnc_dbus_chat($1_usertype)
+		')
 	')
 
 -	# for running depmod as part of the kernel packaging process
 	optional_policy(`
 -		modutils_read_module_config($1_t)
+		inetd_use_fds($1_usertype)
+		inetd_rw_tcp_sockets($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		mta_rw_spool($1_t)
 +		inn_read_config($1_usertype)
 +		inn_read_news_lib($1_usertype)
 +		inn_read_news_spool($1_usertype)
 	')
 
- 	optional_policy(`
-		mta_rw_spool($1_t)
-+		locate_read_lib_files($1_usertype)
- 	')
- 
-+	# for running depmod as part of the kernel packaging process
 	optional_policy(`
 -		tunable_policy(`allow_user_mysql_connect',`
 -			mysql_stream_connect($1_t)
-		')
+		locate_read_lib_files($1_usertype)
+ 		')
+
+	# for running depmod as part of the kernel packaging process
+	optional_policy(`
 +		modutils_read_module_config($1_usertype)
 	')
 
@ -26832,16 +27051,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
 +			postgresql_stream_connect($1_usertype)
+		')
 		')
+
+	optional_policy(`
+		# to allow monitoring of pcmcia status
+		pcmcia_read_pid($1_usertype)
 	')
 
 	optional_policy(`
 -		resmgr_stream_connect($1_t)
-+		# to allow monitoring of pcmcia status
-+		pcmcia_read_pid($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		pcscd_read_pub_files($1_usertype)
 +		pcscd_stream_connect($1_usertype)
 	')
@ -26871,7 +27090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 #######################################
-@@ -722,15 +740,29 @@
+@@ -722,15 +744,29 @@
 
 	userdom_base_user_template($1)
 
@ -26907,7 +27126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	##############################
 	#
-@@ -746,70 +778,72 @@
+@@ -746,70 +782,72 @@
 
 	allow $1_t self:context contains;
 
@ -27013,7 +27232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -846,6 +880,28 @@
+@@ -846,6 +884,28 @@
 	# Local policy
 	#
 
@ -27042,7 +27261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		loadkeys_run($1_t,$1_r)
 	')
-@@ -876,7 +932,7 @@
+@@ -876,7 +936,7 @@
 
 	userdom_restricted_user_template($1)
 
@ -27051,17 +27270,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	##############################
 	#
-@@ -884,14 +940,18 @@
+@@ -884,14 +944,18 @@
 	#
 
 	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
 +	auth_search_pam_console_data($1_usertype)
-+
-+	xserver_role($1_r, $1_t)
 
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
+	xserver_role($1_r, $1_t)
+
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
 	# gnome keyring wants to read this.
@ -27075,7 +27294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	logging_dontaudit_send_audit_msgs($1_t)
 
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +959,24 @@
+@@ -899,28 +963,24 @@
 	selinux_get_enforce_mode($1_t)
 
 	optional_policy(`
@ -27110,7 +27329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -931,8 +987,7 @@
+@@ -931,8 +991,7 @@
 ## </summary>
 ## <desc>
 ##	<p>
@ -27120,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	</p>
 ##	<p>
 ##	This template creates a user domain, types, and
-@@ -954,8 +1009,8 @@
+@@ -954,8 +1013,8 @@
 	# Declarations
 	#
 
@ -27130,7 +27349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_common_user_template($1)
 
 	##############################
-@@ -964,11 +1019,10 @@
+@@ -964,11 +1023,10 @@
 	#
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -27143,7 +27362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
-@@ -986,37 +1040,47 @@
+@@ -986,37 +1044,47 @@
 		')
 	')
 
@ -27194,17 +27413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	optional_policy(`
 +		mount_run($1_t, $1_r)
-+	')
+ 	')
 +
 +	# Run pppd in pppd_t by default for user
 +	optional_policy(`
 +		ppp_run_cond($1_t, $1_r)
- 	')
+	')
 +
 ')
 
 #######################################
-@@ -1050,7 +1114,7 @@
+@@ -1050,7 +1118,7 @@
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
@ -27213,7 +27432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	##############################
-@@ -1059,8 +1123,7 @@
+@@ -1059,8 +1127,7 @@
 	#
 
 	# Inherit rules for ordinary users.
@ -27223,7 +27442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
-@@ -1083,7 +1146,8 @@
+@@ -1083,7 +1150,8 @@
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
@ -27233,7 +27452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1106,8 +1170,6 @@
+@@ -1106,8 +1174,6 @@
 
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
@ -27242,7 +27461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1224,6 @@
+@@ -1162,20 +1228,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -27263,7 +27482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1221,6 +1269,7 @@
+@@ -1221,6 +1273,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -27271,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1286,11 +1335,15 @@
+@@ -1286,11 +1339,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -27287,7 +27506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1387,7 +1440,7 @@
+@@ -1387,7 +1444,7 @@
 
 ########################################
 ## <summary>
@ -27296,7 +27515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1420,6 +1473,14 @@
+@@ -1420,6 +1477,14 @@
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -27311,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1435,9 +1496,11 @@
+@@ -1435,9 +1500,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -27323,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1494,6 +1557,25 @@
+@@ -1494,6 +1561,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -27349,7 +27568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1547,9 +1629,9 @@
+@@ -1547,9 +1633,9 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -27361,7 +27580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1568,6 +1650,8 @@
+@@ -1568,6 +1654,8 @@
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -27370,7 +27589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1643,6 +1727,7 @@
+@@ -1643,6 +1731,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -27378,7 +27597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1741,6 +1826,62 @@
+@@ -1741,6 +1830,62 @@
 
 ########################################
 ## <summary>
@ -27441,7 +27660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1757,14 +1898,6 @@
+@@ -1757,14 +1902,6 @@
 
 	files_search_home($1)
 	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@ -27456,7 +27675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1787,6 +1920,46 @@
+@@ -1787,6 +1924,46 @@
 
 ########################################
 ## <summary>
@ -27503,7 +27722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create, read, write, and delete files
 ##	in a user home subdirectory.
 ## </summary>
-@@ -2819,6 +2992,24 @@
+@@ -2819,6 +2996,24 @@
 
 ########################################
 ## <summary>
@ -27528,7 +27747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
-@@ -2851,6 +3042,7 @@
+@@ -2851,6 +3046,7 @@
 	')
 
 	read_files_pattern($1,userdomain,userdomain)
@ -27536,7 +27755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
 
-@@ -2965,6 +3157,24 @@
+@@ -2965,6 +3161,24 @@
 
 ########################################
 ## <summary>
@ -27561,7 +27780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -2981,3 +3191,264 @@
+@@ -2981,3 +3195,264 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')