##
@@ -33141,7 +33171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1160,7 +1174,6 @@
+@@ -1160,7 +1173,6 @@
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
@@ -33149,7 +33179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1178,32 +1191,45 @@
+@@ -1178,32 +1190,45 @@
')
')
@@ -33179,10 +33209,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ games_rw_data($1_usertype)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ ')
+
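Review bot: The `mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })` block that now sits inside its own `optional_policy` carries no rationale comment, unlike the neighbouring rules in this template (`# Need the following rule to allow users to run vpnc`, `# cjp: why?`), and it hands every domain built from this unprivileged-user template a transition into the mount domain, which is a widening of the privilege boundary a reader will want explained. This line appears to be outer-context here, so the grant itself may predate this commit; the re-diff is nonetheless the place to record why it is there, e.g. `# mount_run: presumably for user-mountable fstab entries; mount domain applies its own checks -- confirm`. The same reshuffle continues in the next hunk, where the `setroubleshoot_stream_connect` removal now pairs with `java_per_role_template`; the enclosing template starts and ends outside both hunks.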
@@ -33192,9 +33221,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ polkit_per_role_template($1, $1_usertype, $1_r)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ java_per_role_template($1, $1_t, $1_r)
+ ')
+
@@ -33207,7 +33237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1280,8 +1306,6 @@
+@@ -1280,8 +1305,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -33216,7 +33246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1303,8 +1327,6 @@
+@@ -1303,8 +1326,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -33225,7 +33255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1359,13 +1381,6 @@
+@@ -1359,13 +1380,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -33239,7 +33269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1413,6 +1428,7 @@
+@@ -1413,6 +1427,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -33247,7 +33277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1442,10 +1458,6 @@
+@@ -1442,10 +1457,6 @@
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
@@ -33258,7 +33288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
aide_run($1,$2, $3)
')
-@@ -1465,12 +1477,30 @@
+@@ -1465,12 +1476,30 @@
optional_policy(`
netlabel_run_mgmt($1,$2, $3)
')
@@ -33289,7 +33319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1480,8 +1510,7 @@
+@@ -1480,8 +1509,7 @@
##
#
template(`userdom_role_change_generic_user',`
@@ -33299,7 +33329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1508,14 +1537,23 @@
+@@ -1508,14 +1536,23 @@
##
#
template(`userdom_role_change_from_generic_user',`
@@ -33325,7 +33355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1525,8 +1563,7 @@
+@@ -1525,8 +1562,7 @@
##
#
template(`userdom_role_change_staff',`
@@ -33335,7 +33365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1553,14 +1590,23 @@
+@@ -1553,14 +1589,23 @@
##
#
template(`userdom_role_change_from_staff',`
@@ -33361,7 +33391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1570,8 +1616,7 @@
+@@ -1570,8 +1615,7 @@
##
#
template(`userdom_role_change_sysadm',`
@@ -33371,7 +33401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1598,14 +1643,23 @@
+@@ -1598,14 +1642,23 @@
##
#
template(`userdom_role_change_from_sysadm',`
@@ -33397,7 +33427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the user role (e.g., user
-@@ -1615,8 +1669,11 @@
+@@ -1615,8 +1668,11 @@
##
#
template(`userdom_role_change_secadm',`
@@ -33411,7 +33441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1643,14 +1700,27 @@
+@@ -1643,14 +1699,27 @@
##
#
template(`userdom_role_change_from_secadm',`
@@ -33441,7 +33471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## The prefix of the auditadm role (e.g., user
-@@ -1660,8 +1730,11 @@
+@@ -1660,8 +1729,11 @@
##
#
template(`userdom_role_change_auditadm',`
@@ -33455,7 +33485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1688,8 +1761,11 @@
+@@ -1688,8 +1760,11 @@
##
#
template(`userdom_role_change_from_auditadm',`
@@ -33469,23 +33499,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1723,10 +1799,14 @@
+@@ -1722,11 +1797,15 @@
+ #
template(`userdom_user_home_content',`
gen_require(`
- attribute $1_file_type;
+- attribute $1_file_type;
++ attribute user_file_type;
+ attribute user_home_type;
+ attribute home_type;
')
- typeattribute $2 $1_file_type;
+- typeattribute $2 $1_file_type;
- files_type($2)
++ typeattribute $2 user_file_type;
+ typeattribute $2 user_home_type;
+ typeattribute $2 home_type;
+ files_poly_member($2)
')
########################################
-@@ -1822,11 +1902,11 @@
+@@ -1822,11 +1901,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
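Review bot: Swapping the per-prefix `attribute $1_file_type` for the shared `attribute user_file_type` (and the matching `typeattribute $2 user_file_type`) removes the separation that the `$1_` prefix encoded: any rule written against `user_file_type` now reaches the home content of every user prefix, not just the one the template was instantiated for. That may be intended, but nothing in the template's header above the hunk says so; I would add `## Types passed to this template join the shared user_file_type, user_home_type and home_type attributes, which are not per-prefix.` to that header. The inner patch still drops `files_type($2)` (visible as the removed line just before the new typeattribute lines); unless `user_file_type` is given the `file_type` attribute elsewhere, which is not visible here, the `$2` types lose the generic file_type rules, so that is worth confirming in the accompanying .te change.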
@@ -33499,7 +33532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1856,11 +1936,11 @@
+@@ -1856,11 +1935,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -33513,7 +33546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1904,12 +1984,12 @@
+@@ -1904,12 +1983,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -33529,7 +33562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1939,10 +2019,11 @@
+@@ -1939,10 +2018,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -33543,7 +33576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1974,11 +2055,47 @@
+@@ -1974,11 +2054,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -33593,7 +33626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2010,10 +2127,10 @@
+@@ -2010,10 +2126,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -33606,7 +33639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2043,11 +2160,11 @@
+@@ -2043,11 +2159,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -33620,7 +33653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2077,11 +2194,11 @@
+@@ -2077,11 +2193,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -33635,7 +33668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2111,10 +2228,14 @@
+@@ -2111,10 +2227,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -33652,7 +33685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2144,11 +2265,11 @@
+@@ -2144,11 +2264,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -33666,7 +33699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2178,11 +2299,11 @@
+@@ -2178,11 +2298,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -33680,7 +33713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2212,10 +2333,10 @@
+@@ -2212,10 +2332,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -33693,7 +33726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2247,12 +2368,12 @@
+@@ -2247,12 +2367,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -33709,7 +33742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2284,10 +2405,10 @@
+@@ -2284,10 +2404,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -33722,7 +33755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2319,12 +2440,12 @@
+@@ -2319,12 +2439,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -33738,7 +33771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2356,12 +2477,12 @@
+@@ -2356,12 +2476,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -33754,7 +33787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2393,12 +2514,12 @@
+@@ -2393,12 +2513,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -33770,7 +33803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2443,11 +2564,11 @@
+@@ -2443,11 +2563,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -33784,7 +33817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2492,11 +2613,11 @@
+@@ -2492,11 +2612,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -33798,7 +33831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2536,11 +2657,11 @@
+@@ -2536,11 +2656,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -33812,7 +33845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2570,11 +2691,11 @@
+@@ -2570,11 +2690,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -33826,7 +33859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2604,11 +2725,11 @@
+@@ -2604,11 +2724,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -33840,7 +33873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2640,10 +2761,10 @@
+@@ -2640,10 +2760,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -33853,7 +33886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2675,10 +2796,10 @@
+@@ -2675,10 +2795,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -33866,7 +33899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2708,12 +2829,12 @@
+@@ -2708,12 +2828,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -33882,7 +33915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2745,10 +2866,10 @@
+@@ -2745,10 +2865,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -33895,7 +33928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2780,10 +2901,10 @@
+@@ -2780,10 +2900,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -33908,7 +33941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2813,12 +2934,12 @@
+@@ -2813,12 +2933,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -33924,7 +33957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2850,10 +2971,10 @@
+@@ -2850,10 +2970,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -33937,7 +33970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2885,12 +3006,12 @@
+@@ -2885,12 +3005,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -33953,7 +33986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2922,11 +3043,11 @@
+@@ -2922,11 +3042,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -33967,7 +34000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2958,11 +3079,11 @@
+@@ -2958,11 +3078,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -33981,7 +34014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2994,11 +3115,11 @@
+@@ -2994,11 +3114,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -33995,7 +34028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3030,11 +3151,11 @@
+@@ -3030,11 +3150,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -34009,7 +34042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3066,11 +3187,11 @@
+@@ -3066,11 +3186,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -34023,7 +34056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3115,10 +3236,10 @@
+@@ -3115,10 +3235,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -34036,7 +34069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3159,19 +3280,19 @@
+@@ -3159,19 +3279,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -34060,7 +34093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## This is a templated interface, and should only
-@@ -4597,11 +4718,11 @@
+@@ -4597,11 +4717,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -34074,10 +34107,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4621,6 +4742,14 @@
+@@ -4621,7 +4741,15 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
+-')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
@@ -34086,10 +34120,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
- ')
++')
########################################
-@@ -4702,6 +4831,25 @@
+ ##
+@@ -4702,6 +4830,25 @@
########################################
##
@@ -34115,7 +34150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4927,7 +5075,7 @@
+@@ -4927,7 +5074,7 @@
########################################
##
@@ -34124,7 +34159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5299,6 +5447,42 @@
+@@ -5299,6 +5446,42 @@
########################################
##
@@ -34167,7 +34202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
##
##
-@@ -5349,7 +5533,7 @@
+@@ -5349,7 +5532,7 @@
attribute userdomain;
')
@@ -34176,7 +34211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -5464,6 +5648,42 @@
+@@ -5464,6 +5647,42 @@
########################################
##
@@ -34219,7 +34254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5494,3 +5714,521 @@
+@@ -5494,3 +5713,521 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')