Allow sudo to send signals to any domains the user could have transitioned to.

Passwd in single user mode needs to talk to console_device_t
Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
locate tried to read a symbolic link, will dontaudit
New labels for telepathy-sunshine content in homedir
Google is storing other binaries under /opt/google/talkplugin
bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
modemmanger and bluetooth send dbus messages to devicekit_power
Samba needs to getquota on filesystems labeld samba_share_t

policy/modules/admin/sudo.if

@@ -124,6 +124,8 @@ template(`sudo_role_template',`
 	auth_manage_pam_pid($1_sudo_t)
 	auth_use_nsswitch($1_sudo_t)
 
+	application_signal($1_sudo_t)
+
 	init_rw_utmp($1_sudo_t)
 
 	logging_send_audit_msgs($1_sudo_t)

policy/modules/admin/usermanage.te

@@ -291,9 +291,7 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
-term_use_all_ttys(passwd_t)
+term_use_all_terms(passwd_t)
-term_use_all_ptys(passwd_t)
-term_use_generic_ptys(passwd_t)
 
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)

policy/modules/apps/mozilla.te

@@ -328,8 +328,18 @@ kernel_request_load_module(mozilla_plugin_t)
 corecmd_exec_bin(mozilla_plugin_t)
 corecmd_exec_shell(mozilla_plugin_t)
 
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+
 dev_read_urand(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
 dev_read_sound(mozilla_plugin_t)
 dev_write_sound(mozilla_plugin_t)
@@ -365,6 +375,7 @@ userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 
 optional_policy(`
 	alsa_read_rw_config(mozilla_plugin_t)
+	alsa_read_home_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
@@ -387,8 +398,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	pulseaudio_exec(mozilla_plugin_t)
+	pulseaudio_stream_connect(mozilla_plugin_t)
 	pulseaudio_setattr_home_dir(mozilla_plugin_t)
-	pulseaudio_rw_home_files(mozilla_plugin_t)
+	pulseaudio_manage_home_files(mozilla_plugin_t)
 ')
 
 optional_policy(`

policy/modules/apps/slocate.te

@@ -38,6 +38,7 @@ dev_getattr_all_blk_files(locate_t)
 dev_getattr_all_chr_files(locate_t)
 
 files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
 files_getattr_all_files(locate_t)
 files_getattr_all_pipes(locate_t)
 files_getattr_all_sockets(locate_t)

policy/modules/apps/telepathy.fc

@@ -1,6 +1,7 @@
 HOME_DIR/\.mission-control(/.*)?				gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
 HOME_DIR/\.cache/\.mc_connections		--		gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)?			gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)?				gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/.telepathy-sunshine(/.*)?			gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
 
 /usr/libexec/mission-control-5			--		gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
 

policy/modules/apps/telepathy.te

@@ -31,6 +31,9 @@ userdom_user_home_content(telepathy_mission_control_home_t)
 type telepathy_mission_control_cache_home_t;
 userdom_user_home_content(telepathy_mission_control_cache_home_t)
 
+type telepathy_sunshine_home_t;
+userdom_user_home_content(telepathy_sunshine_home_t)
+
 telepathy_domain_template(msn)
 telepathy_domain_template(salut)
 telepathy_domain_template(sofiasip)
@@ -251,12 +254,16 @@ sysnet_read_config(telepathy_sofiasip_t)
 #
 # Telepathy Sunshine local policy.
 #
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_sunshine_t)
 
 manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
 exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
 files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
 
-corecmd_list_bin(telepathy_sunshine_t)
+corecmd_exec_bin(telepathy_sunshine_t)
 
 dev_read_urand(telepathy_sunshine_t)
 

policy/modules/kernel/corecommands.fc

@@ -157,7 +157,7 @@ ifdef(`distro_gentoo',`
 
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/opt/google/talkplugin/cron(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 

policy/modules/kernel/files.if

@@ -6248,6 +6248,24 @@ interface(`files_dontaudit_getattr_tmpfs_files',`
 	allow $1 tmpfsfile:file getattr;
 ')
 
+########################################
+## <summary>
+##	Allow read write all tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_rw_tmpfs_files',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	allow $1 tmpfsfile:file { read write };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read security files 

policy/modules/kernel/kernel.if

@@ -2418,6 +2418,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 	allow $1 unlabeled_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Read and write unlabeled sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_socket',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get attributes for

policy/modules/roles/unconfineduser.te

@@ -8,11 +8,25 @@ attribute unconfined_login_domain;
 
 ## <desc>
 ## <p>
-## Transition to confined nsplugin domains from unconfined user
+## Transition unconfined user to the nsplugin domains when running nspluginviewer
 ## </p>
 ## </desc>
 gen_tunable(allow_unconfined_nsplugin_transition, false)
 
+## <desc>
+## <p>
+## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container.
+## </p>
+## </desc>
+gen_tunable(unconfined_mozilla_plugin_transition, false)
+
+## <desc>
+## <p>
+## Transition unconfined user to telepathy confined domains.
+## </p>
+## </desc>
+gen_tunable(unconfined_telepathy_transition, false)
+
 ## <desc>
 ## <p>
 ## Allow vidio playing tools to tun unconfined
@@ -159,10 +173,6 @@ optional_policy(`
 		hal_dbus_chat(unconfined_usertype)
 	')
 
-	optional_policy(`
-		iptables_run(unconfined_usertype, unconfined_r)
-	')
-
 	optional_policy(`
 		networkmanager_dbus_chat(unconfined_usertype)
 	')
@@ -329,8 +339,11 @@ optional_policy(`
 	role system_r types unconfined_mono_t;
 ')
 
+
 optional_policy(`
-	mozilla_run_plugin(unconfined_usertype, unconfined_r)
+	tunable_policy(`unconfined_mozilla_plugin_transition', `
+			mozilla_run_plugin(unconfined_usertype, unconfined_r)
+	')
 ')
 
 optional_policy(`
@@ -391,7 +404,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	telepathy_dbus_session_role(unconfined_r, unconfined_t)
+	tunable_policy(`unconfined_telepathy_transition', `
+		   telepathy_dbus_session_role(unconfined_r, unconfined_t)
+	')
 ')
 
 optional_policy(`
@@ -475,4 +490,3 @@ domain_ptrace_all_domains(unconfined_notrans_t)
 #
 
 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-

policy/modules/services/accountsd.if

@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #

policy/modules/services/bluetooth.te

@@ -100,6 +100,10 @@ kernel_request_load_module(bluetooth_t)
 #search debugfs - redhat bug 548206
 kernel_search_debugfs(bluetooth_t)
 
+ifdef(`hide_broken_symptoms', `
+	kernel_rw_unlabeled_socket(bluetooth_t)
+')
+
 corenet_all_recvfrom_unlabeled(bluetooth_t)
 corenet_all_recvfrom_netlabel(bluetooth_t)
 corenet_tcp_sendrecv_generic_if(bluetooth_t)
@@ -147,6 +151,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 
+optional_policy(`
+	devicekit_dbus_chat_power(bluetooth_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)

policy/modules/services/consolekit.if

@@ -39,6 +39,24 @@ interface(`consolekit_dbus_chat',`
 	allow consolekit_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read consolekit log files.

policy/modules/services/devicekit.te

@@ -291,6 +291,10 @@ optional_policy(`
 	hal_dbus_chat(devicekit_power_t)
 ')
 
+optional_policy(`
+	networkmanager_domtrans(devicekit_power_t)
+')
+
 optional_policy(`
 	policykit_dbus_chat(devicekit_power_t)
 	policykit_domtrans_auth(devicekit_power_t)

policy/modules/services/modemmanager.te

@@ -38,6 +38,10 @@ logging_send_syslog_msg(modemmanager_t)
 
 networkmanager_dbus_chat(modemmanager_t)
 
+optional_policy(`
+	devicekit_dbus_chat_power(modemmanager_t)
+')
+
 optional_policy(`
 	policykit_dbus_chat(modemmanager_t)
 ')

policy/modules/services/samba.te

@@ -260,7 +260,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
 manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
-allow smbd_t samba_share_t:filesystem getattr;
+allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)

policy/modules/services/xserver.te

@@ -969,6 +969,7 @@ domain_signal_all_domains(xserver_t)
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
 files_read_usr_files(xserver_t)
+files_rw_tmpfs_files(xserver_t)
 
 # brought on by rhgb
 files_search_mnt(xserver_t)

policy/modules/system/authlogin.if

@@ -1430,6 +1430,25 @@ interface(`auth_read_login_records',`
 	allow $1 wtmp_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	dontaudit $1 wtmp_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read login records

policy/modules/system/userdomain.if

@@ -1006,6 +1006,7 @@ template(`userdom_restricted_xwindows_user_template',`
 
 	auth_role($1_r, $1_t)
 	auth_search_pam_console_data($1_usertype)
+	auth_dontaudit_read_login_records($1_usertype)
 
 	dev_read_sound($1_usertype)
 	dev_write_sound($1_usertype)
@@ -1057,6 +1058,7 @@ template(`userdom_restricted_xwindows_user_template',`
 		')
 
 		optional_policy(`
+			consolekit_dontaudit_read_log($1_usertype)
 			consolekit_dbus_chat($1_usertype)
 		')