add main part of role-o-matic

2006-09-06 22:07:25 +00:00 · 2006-09-06 22:07:25 +00:00 · bbcd3c97dd
commit bbcd3c97dd
parent 75beb95014
122 changed files with 1378 additions and 620 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- Add role infrastructure.
 - Debian updates from Erich Schubert.
 - Add nscd_socket_use() to auth_use_nsswitch().
 - Remove old selopt rules.
--- a/39
+++ b/39
@ -295,17 +295,46 @@ filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\
 # Functions
 #

-# parse-rolemap modulename,outputfile
-define parse-rolemap
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
 	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
 		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
 endef

-# peruser-expansion modulename,outputfile
-define peruser-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# perrole-expansion modulename,outputfile
+define perrole-expansion
+	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
 	$(call parse-rolemap,$1,$2)
 	$(verbose) echo "')" >> $2
+
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+	$(call parse-rolemap-compat,$1,$2)
+	$(verbose) echo "')" >> $2
+endef
+
+# create-base-per-role-tmpl modulenames,outputfile
+define create-base-per-role-tmpl
+	$(verbose) echo "define(\`base_per_role_template',\`" >> $2
+
+	$(verbose) for i in $1; do \
+		echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
+			>> $2 ;\
+	done
+
+	$(verbose) for i in $1; do \
+		echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
+		echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
+		echo """$$i""_per_userdomain_template("'$$*'")')"  >> $2 ;\
+	done
+	$(verbose) echo "')" >> $@
+
 endef

 ########################################
--- a/Rules.modular
+++ b/Rules.modular
@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
 $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
 	@echo "Compliling $(NAME) $(@F) module"
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
-	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(call perrole-expansion,$(basename $(@F)),$@.role)
 	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@

@ -120,13 +120,7 @@ $(tmpdir)/generated_definitions.conf: $(base_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 # define all available object classes
 	$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) for i in $(patsubst %.te,%,$(base_mods)); do \
-		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
-			>> $@ ;\
-	done
-	$(verbose) echo "')" >> $@
+	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true

 $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
--- a/Rules.monolithic
+++ b/Rules.monolithic
@ -114,11 +114,7 @@ $(tmpdir)/generated_definitions.conf: $(all_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 # define all available object classes
 	$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates:
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) $(foreach mod,$(basename $(notdir $(all_modules))), \
-		echo "ifdef(\`""$(mod)""_per_userdomain_template',\`""$(mod)""_per_userdomain_template("'$$*'")')" >> $@ ;)
-	$(verbose) echo "')" >> $@
+	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true

 $(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@ -20,9 +20,9 @@
      name CDATA #REQUIRED
      dftval CDATA #REQUIRED>
 <!ELEMENT summary (#PCDATA)>
-<!ELEMENT interface (summary,desc?,param+,infoflow?)>
+<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
 <!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT template (summary,desc?,param+)>
+<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
 <!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
 <!ELEMENT desc (#PCDATA|%inline.class;)*>
 <!ELEMENT param (summary)>
@ -33,6 +33,8 @@
 <!ATTLIST infoflow 
      type CDATA #REQUIRED
      weight CDATA #IMPLIED>
+<!ELEMENT rolebase EMPTY>
+<!ELEMENT rolecap EMPTY>

 <!ATTLIST pre caption CDATA #IMPLIED>
 <!ELEMENT p (#PCDATA|%inline.class;)*>
--- a/policy/global_tunables
+++ b/policy/global_tunables
@ -534,13 +534,6 @@ gen_tunable(user_net_control,false)
 ## </desc>
 gen_tunable(user_rw_noexattrfile,false)

-## <desc>
-## <p>
-## Allow users to rw usb devices
-## </p>
-## </desc>
-gen_tunable(user_rw_usb,false)
-
 ## <desc>
 ## <p>
 ## Allow users to run TCP servers (bind to ports and accept connection from
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@ -43,6 +43,7 @@ interface(`amanda_domtrans_recover',`
 ##	The type of the terminal allow the amanda_recover domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`amanda_run_recover',`
 	gen_require(`
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@ -45,6 +45,7 @@ interface(`apt_domtrans',`
 ##	The type of the terminal allow the apt domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apt_run',`
 	gen_require(`
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@ -41,6 +41,7 @@ interface(`backup_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`backup_run',`
 	gen_require(`
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@ -43,6 +43,7 @@ interface(`bootloader_domtrans',`
 ##	The type of the terminal allow the bootloader domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bootloader_run',`
 	gen_require(`
@ -83,6 +84,7 @@ interface(`bootloader_read_config',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bootloader_rw_config',`
 	gen_require(`
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@ -47,6 +47,7 @@ interface(`certwatch_domtrans',`
 ##	The type of the terminal allow the certwatch domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`certwatach_run',`
 	gen_require(`
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@ -66,6 +66,7 @@ interface(`consoletype_run',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`consoletype_exec',`
 	gen_require(`
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@ -43,6 +43,7 @@ interface(`ddcprobe_domtrans',`
 ##	The type of the terminal allow the clock domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ddcprobe_run',`
 	gen_require(`
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@ -42,6 +42,7 @@ interface(`dmesg_domtrans',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dmesg_exec',`
 	ifdef(`targeted_policy',`
--- a/policy/modules/admin/dmidecode.if
+++ b/policy/modules/admin/dmidecode.if
@ -43,6 +43,7 @@ interface(`dmidecode_domtrans',`
 ##	The type of the terminal allow the dmidecode domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dmidecode_run',`
 	gen_require(`
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@ -71,6 +71,7 @@ interface(`dpkg_domtrans_script',`
 ##	The type of the terminal allow the dpkg domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dpkg_run',`
 	gen_require(`
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@ -43,6 +43,7 @@ interface(`kudzu_domtrans',`
 ##	The type of the terminal allow the kudzu domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kudzu_run',`
 	gen_require(`
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@ -43,6 +43,7 @@ interface(`logrotate_domtrans',`
 ##	The type of the terminal allow the logrotate domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logrotate_run',`
 	gen_require(`
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@ -43,6 +43,7 @@ interface(`netutils_domtrans',`
 ##	The type of the terminal allow the netutils domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run',`
 	gen_require(`
@ -151,6 +152,7 @@ interface(`netutils_signal_ping',`
 ##	The type of the terminal allow the ping domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_ping',`
 	gen_require(`
@ -182,6 +184,7 @@ interface(`netutils_run_ping',`
 ##	The type of the terminal allow the ping domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_ping_cond',`
 	gen_require(`
@ -258,6 +261,7 @@ interface(`netutils_domtrans_traceroute',`
 ##	The type of the terminal allow the traceroute domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_traceroute',`
 	gen_require(`
@ -289,6 +293,7 @@ interface(`netutils_run_traceroute',`
 ##	The type of the terminal allow the traceroute domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_traceroute_cond',`
 	gen_require(`
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@ -54,6 +54,7 @@ interface(`portage_domtrans',`
 ##	The type of the terminal allow for portage to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portage_run',`
 	gen_require(`
@ -394,6 +395,7 @@ interface(`portage_domtrans_gcc_config',`
 ##	The type of the terminal allow for gcc_config to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portage_run_gcc_config',`
 	gen_require(`
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@ -43,6 +43,7 @@ interface(`quota_domtrans',`
 ##	The type of the terminal allow the quota domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`quota_run',`
 	gen_require(`
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@ -68,6 +68,7 @@ interface(`rpm_domtrans_script',`
 ##	The type of the terminal allow the RPM domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpm_run',`
 	gen_require(`
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@ -127,7 +127,7 @@ template(`su_restricted_domain_template', `

 #######################################
 ## <summary>
-##	The per user domain template for the su module.
+##	The per role template for the su module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -158,7 +158,7 @@ template(`su_restricted_domain_template', `
 ##	</summary>
 ## </param>
 #
-template(`su_per_userdomain_template',`
+template(`su_per_role_template',`
 	gen_require(`
 		type su_exec_t;
 		bool secure_mode;
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the sudo module.
+##	The per role template for the sudo module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`sudo_per_userdomain_template',`
+template(`sudo_per_role_template',`

 	gen_require(`
 		type sudo_exec_t;
--- a/policy/modules/admin/sxid.if
+++ b/policy/modules/admin/sxid.if
@ -10,6 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sxid_read_log',`
 	gen_require(`
--- a/policy/modules/admin/tripwire.if
+++ b/policy/modules/admin/tripwire.if
@ -54,6 +54,7 @@ interface(`tripwire_domtrans_tripwire',`
 ##	The type of the terminal allow the tripwire domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_tripwire',`
 	gen_require(`
@ -106,6 +107,7 @@ interface(`tripwire_domtrans_twadmin',`
 ##	The type of the terminal allow the twadmin domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_twadmin',`
 	gen_require(`
@ -158,6 +160,7 @@ interface(`tripwire_domtrans_twprint',`
 ##	The type of the terminal allow the twprint domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_twprint',`
 	gen_require(`
@ -210,6 +213,7 @@ interface(`tripwire_domtrans_siggen',`
 ##	The type of the terminal allow the siggen domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_siggen',`
 	gen_require(`
--- a/policy/modules/admin/usbmodules.if
+++ b/policy/modules/admin/usbmodules.if
@ -45,6 +45,7 @@ interface(`usbmodules_domtrans',`
 ##	The type of the terminal allow the usbmodules domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usbmodules_run',`
 	gen_require(`
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@ -101,6 +101,7 @@ interface(`usermanage_domtrans_groupadd',`
 ##	The type of the terminal allow the groupadd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
@ -215,6 +216,7 @@ interface(`usermanage_domtrans_admin_passwd',`
 ##	The type of the terminal allow the admin passwd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usermanage_run_admin_passwd',`
 	gen_require(`
@ -271,6 +273,7 @@ interface(`usermanage_domtrans_useradd',`
 ##	The type of the terminal allow the useradd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@ -43,6 +43,7 @@ interface(`vpn_domtrans',`
 ##	The type of the terminal allow the vpnc domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`vpn_run',`
 	gen_require(`
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the cdrecord module.
+##	The per role template for the cdrecord module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`cdrecord_per_userdomain_template', `
+template(`cdrecord_per_role_template', `

 	gen_require(`
 		type cdrecord_exec_t;
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the ethereal module.
+##	The per role template for the ethereal module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`ethereal_per_userdomain_template',`
+template(`ethereal_per_role_template',`

 	##############################
 	#
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the evolution module.
+##	The per role template for the evolution module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`evolution_per_userdomain_template',`
+template(`evolution_per_role_template',`

 	########################################
 	#
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the games module.
+##	The per role template for the games module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`games_per_userdomain_template',`
+template(`games_per_role_template',`

 	########################################
 	#
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the gift module.
+##	The per role template for the gift module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`gift_per_userdomain_template',`
+template(`gift_per_role_template',`

 	##############################
 	#
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the gpg module.
+##	The per role template for the gpg module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -34,7 +34,7 @@
 ##	</summary>
 ## </param>
 #
-template(`gpg_per_userdomain_template',`
+template(`gpg_per_role_template',`
 	gen_require(`
 		type gpg_exec_t, gpg_helper_exec_t;
 		type gpg_agent_exec_t, pinentry_exec_t;
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the irc module.
+##	The per role template for the irc module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`irc_per_userdomain_template',`
+template(`irc_per_role_template',`
 	gen_require(`
 		type irc_exec_t;
 	')
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the java module.
+##	The per role template for the java module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`java_per_userdomain_template',`
+template(`java_per_role_template',`
 	gen_require(`
 		type java_exec_t;
 	')
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@ -47,6 +47,7 @@ interface(`loadkeys_domtrans',`
 ##	The type of the terminal allow the loadkeys domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`loadkeys_run',`
 	ifdef(`targeted_policy',`
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the lockdev module.
+##	The per role template for the lockdev module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`lockdev_per_userdomain_template',`
+template(`lockdev_per_role_template',`
 	gen_require(`
 		type lockdev_exec_t;
 	')
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the mozilla module.
+##	The per role template for the mozilla module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`mozilla_per_userdomain_template',`
+template(`mozilla_per_role_template',`
 	
 	########################################
 	#
@ -362,7 +362,7 @@ template(`mozilla_per_userdomain_template',`
 	ifdef(`TODO',`
 		# Java plugin
 		optional_policy(`
-			#reh, these are hacked in types due to the use of the java_per_userdomain_template
+			#reh, these are hacked in types due to the use of the java_per_role_template
 			type $1_mozilla_tmp_t;
 			files_tmp_file($1_mozilla_tmp_t)

@ -374,7 +374,7 @@ template(`mozilla_per_userdomain_template',`
 			type $1_mozilla_home_dir_t;
 			userdom_user_home_content($1,$1_mozilla_home_dir_t)

-			java_per_userdomain_template($1_mozilla,$2,$3)
+			java_per_role_template($1_mozilla,$2,$3)
 		')

 		######### Launch mplayer
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the mplayer module.
+##	The per role template for the mplayer module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`mplayer_per_userdomain_template',`
+template(`mplayer_per_role_template',`

 	########################################
 	#
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the rssh module.
+##	The per role template for the rssh module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -23,7 +23,7 @@
 ##	</summary>
 ## </param>
 #
-template(`rssh_per_userdomain_template',`
+template(`rssh_per_role_template',`

 	##############################
 	#
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the screen module.
+##	The per role template for the screen module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`screen_per_userdomain_template',`
+template(`screen_per_role_template',`
 	gen_require(`
 		type screen_dir_t, screen_exec_t;
 	')
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the thunderbird module.
+##	The per role template for the thunderbird module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`thunderbird_per_userdomain_template',`
+template(`thunderbird_per_role_template',`

 	########################################
 	#
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the tvtime module.
+##	The per role template for the tvtime module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`tvtime_per_userdomain_template',`
+template(`tvtime_per_role_template',`

 	########################################
 	#
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@ -2,7 +2,7 @@
 	
 #######################################
 ## <summary>
-##	The per user domain template for the uml module.
+##	The per role template for the uml module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`uml_per_userdomain_template',`
+template(`uml_per_role_template',`
 	
 	########################################
 	#
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the userhelper module.
+##	The per role template for the userhelper module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`userhelper_per_userdomain_template',`
+template(`userhelper_per_role_template',`
 	gen_require(`
 		type userhelper_exec_t, userhelper_conf_t;
 	')
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@ -47,6 +47,7 @@ interface(`usernetctl_domtrans',`
 ##	The type of the terminal allow the usernetctl domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usernetctl_run',`
 	gen_require(`
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the vmware module.
+##	The per role template for the vmware module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`vmware_per_userdomain_template',`
+template(`vmware_per_role_template',`

 	##############################
 	#
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@ -43,6 +43,7 @@ interface(`webalizer_domtrans',`
 ##	The type of the terminal allow the webalizer domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`webalizer_run',`
 	gen_require(`
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@ -44,6 +44,7 @@ interface(`yam_domtrans',`
 ##	The type of the terminal allow the yam domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`yam_run',`
 	gen_require(`
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@ -920,6 +920,7 @@ interface(`corecmd_exec_chroot',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`corecmd_exec_all_executables',`
 	gen_require(`
@ -941,6 +942,7 @@ interface(`corecmd_exec_all_executables',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`corecmd_manage_all_executables',`
 	gen_require(`
@ -962,6 +964,7 @@ interface(`corecmd_manage_all_executables',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`corecmd_relabel_all_executables',`
 	gen_require(`
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -55,6 +55,7 @@ interface(`dev_node',`
 ##	Domain allowed to relabel.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_relabel_all_dev_nodes',`
 	gen_require(`
@ -387,6 +388,25 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
 	dontaudit $1 device_t:lnk_file setattr;
 ')

+########################################
+## <summary>
+##	Create symbolic links in device directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_generic_symlinks',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 device_t:lnk_file create;
+')
+
 ########################################
 ## <summary>
 ##	Delete symbolic links in device directories.
@ -402,7 +422,7 @@ interface(`dev_delete_generic_symlinks',`
 		type device_t;
 	')

-	allow $1 device_t:dir { getattr read write remove_name };
+	allow $1 device_t:dir del_entry_dir_perms;
 	allow $1 device_t:lnk_file unlink;
 ')

@ -576,6 +596,7 @@ interface(`dev_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_getattr_all_blk_files',`
 	gen_require(`
@ -612,6 +633,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_getattr_all_chr_files',`
 	gen_require(`
@ -648,6 +670,7 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_setattr_all_blk_files',`
 	gen_require(`
@ -667,6 +690,7 @@ interface(`dev_setattr_all_blk_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_setattr_all_chr_files',`
 	gen_require(`
@ -713,6 +737,122 @@ interface(`dev_dontaudit_read_all_chr_files',`
 	dontaudit $1 device_node:chr_file { getattr read };
 ')

+########################################
+## <summary>
+##	Create all block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 self:capability mknod;
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 device_node:blk_file create;
+')
+
+########################################
+## <summary>
+##	Create all character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 self:capability mknod;
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 device_node:chr_file create;
+')
+
+########################################
+## <summary>
+##	Delete all block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir del_entry_dir_perms;
+	allow $1 device_node:blk_file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete all character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir del_entry_dir_perms;
+	allow $1 device_node:chr_file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Rename all block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rename_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:blk_file rename;
+')
+
+########################################
+## <summary>
+##	Rename all character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rename_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:chr_file rename;
+')
+
 ########################################
 ## <summary>
 ##	Read, write, create, and delete all block device files.
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@

-policy_module(devices,1.1.20)
+policy_module(devices,1.1.21)

 ########################################
 #
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -218,6 +218,7 @@ interface(`domain_role_change_exemption',`
 ##	The process type to make an exception to the constraint.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_obj_id_change_exemption',`
 	gen_require(`
@ -400,6 +401,7 @@ interface(`domain_sigchld_interactive_fds',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_setpriority_all_domains',`
 	gen_require(`
@ -418,6 +420,7 @@ interface(`domain_setpriority_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_signal_all_domains',`
 	gen_require(`
@ -436,6 +439,7 @@ interface(`domain_signal_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_signull_all_domains',`
 	gen_require(`
@ -454,6 +458,7 @@ interface(`domain_signull_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_sigstop_all_domains',`
 	gen_require(`
@ -472,6 +477,7 @@ interface(`domain_sigstop_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_sigchld_all_domains',`
 	gen_require(`
@ -490,6 +496,7 @@ interface(`domain_sigchld_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_kill_all_domains',`
 	gen_require(`
@ -547,6 +554,7 @@ interface(`domain_dontaudit_search_all_domains_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_read_all_domains_state',`
 	gen_require(`
@ -568,6 +576,7 @@ interface(`domain_read_all_domains_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_getattr_all_domains',`
 	gen_require(`
@ -604,6 +613,7 @@ interface(`domain_dontaudit_getattr_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_read_confined_domains_state',`
 	gen_require(`
@ -628,6 +638,7 @@ interface(`domain_read_confined_domains_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_getattr_confined_domains',`
 	gen_require(`
@ -646,6 +657,7 @@ interface(`domain_getattr_confined_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_ptrace_all_domains',`
 	gen_require(`
@ -1090,6 +1102,7 @@ interface(`domain_read_all_entry_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_exec_all_entry_files',`
 	gen_require(`
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -510,6 +510,7 @@ interface(`files_execmod_all_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_non_security_files',`
 	gen_require(`
@ -704,6 +705,7 @@ interface(`files_dontaudit_getattr_non_security_chr_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_all_symlinks',`
 	gen_require(`
@ -882,6 +884,7 @@ interface(`files_read_all_chr_files',`
 ##	must be negated by the caller.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_relabel_all_files',`
 	gen_require(`
@ -916,6 +919,7 @@ interface(`files_relabel_all_files',`
 ##	must be negated by the caller.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_all_files',`
 	gen_require(`
@ -1355,6 +1359,7 @@ interface(`files_boot_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_boot_files',`
 	gen_require(`
@ -1452,6 +1457,7 @@ interface(`files_read_kernel_img',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_create_kernel_img',`
 	gen_require(`
@ -1472,6 +1478,7 @@ interface(`files_create_kernel_img',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_delete_kernel',`
 	gen_require(`
@ -1803,6 +1810,7 @@ interface(`files_dontaudit_write_etc_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_rw_etc_files',`
 	gen_require(`
@ -1824,6 +1832,7 @@ interface(`files_rw_etc_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_etc_files',`
 	gen_require(`
@ -1939,6 +1948,7 @@ interface(`files_etc_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_create_boot_flag',`
 	gen_require(`
@ -1960,6 +1970,7 @@ interface(`files_create_boot_flag',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_etc_runtime_files',`
 	gen_require(`
@ -2001,6 +2012,7 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_rw_etc_runtime_files',`
 	gen_require(`
@ -2022,6 +2034,7 @@ interface(`files_rw_etc_runtime_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_etc_runtime_files',`
 	gen_require(`
@ -2434,6 +2447,24 @@ interface(`files_home_filetrans',`
 	type_transition $1 home_root_t:$3 $2;
 ')

+########################################
+## <summary>
+##	Get the attributes of lost+found directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_lost_found_dirs',`
+	gen_require(`
+		type lost_found_t;
+	')
+
+	allow $1 lost_found_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete objects in
@ -2444,6 +2475,7 @@ interface(`files_home_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_lost_found',`
 	gen_require(`
@ -2538,6 +2570,7 @@ interface(`files_mounton_mnt',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_mnt_dirs',`
 	gen_require(`
@ -2708,6 +2741,7 @@ interface(`files_delete_kernel_modules',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_kernel_modules',`
 	gen_require(`
@ -2776,6 +2810,7 @@ interface(`files_kernel_modules_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_list_world_readable',`
 	gen_require(`
@ -2794,6 +2829,7 @@ interface(`files_list_world_readable',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_world_readable_files',`
 	gen_require(`
@ -2812,6 +2848,7 @@ interface(`files_read_world_readable_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_world_readable_symlinks',`
 	gen_require(`
@ -3902,6 +3939,7 @@ interface(`files_manage_generic_locks',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_delete_all_locks',`
 	gen_require(`
@ -4139,6 +4177,7 @@ interface(`files_dontaudit_ioctl_all_pids',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_all_pids',`
 	gen_require(`
@ -4179,6 +4218,7 @@ interface(`files_mounton_all_poly_members',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_delete_all_pids',`
 	gen_require(`
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -96,6 +96,7 @@ interface(`fs_associate_noxattr',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_exec_noxattr',`
 	gen_require(`
@ -177,6 +178,7 @@ interface(`fs_unmount_xattr_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_xattr_fs',`
 	gen_require(`
@ -237,6 +239,7 @@ interface(`fs_relabelfrom_xattr_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_get_xattr_fs_quotas',`
 	gen_require(`
@ -256,6 +259,7 @@ interface(`fs_get_xattr_fs_quotas',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_set_xattr_fs_quotas',`
 	gen_require(`
@ -369,6 +373,7 @@ interface(`fs_search_auto_mountpoints',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_list_auto_mountpoints',`
 	gen_require(`
@ -442,6 +447,7 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_register_binary_executable_type',`
 	gen_require(`
@ -517,6 +523,7 @@ interface(`fs_unmount_cifs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_cifs',`
 	gen_require(`
@ -591,6 +598,7 @@ interface(`fs_dontaudit_list_cifs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_read_cifs_files',`
 	gen_require(`
@ -620,6 +628,24 @@ interface(`fs_list_noxattr_fs',`

 ')

+########################################
+## <summary>
+##	Create, read, write, and delete all noxattrfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_dirs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read all noxattrfs files.
@ -640,6 +666,25 @@ interface(`fs_read_noxattr_fs_files',`

 ')

+########################################
+## <summary>
+##	Create, read, write, and delete all noxattrfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_files',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir rw_dir_perms;
+	allow $1 noxattrfs:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read all noxattrfs symbolic links.
@ -727,6 +772,7 @@ interface(`fs_read_cifs_symlinks',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_exec_cifs_files',`
 	gen_require(`
@ -747,6 +793,7 @@ interface(`fs_exec_cifs_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_cifs_dirs',`
 	gen_require(`
@ -786,6 +833,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_cifs_files',`
 	gen_require(`
@ -989,6 +1037,7 @@ interface(`fs_unmount_dos_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_dos_fs',`
 	gen_require(`
@ -1164,6 +1213,7 @@ interface(`fs_unmount_iso9660_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_iso9660_fs',`
 	gen_require(`
@ -1258,6 +1308,7 @@ interface(`fs_unmount_nfs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_nfs',`
 	gen_require(`
@ -1331,6 +1382,7 @@ interface(`fs_dontaudit_list_nfs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_read_nfs_files',`
 	gen_require(`
@ -1388,6 +1440,7 @@ interface(`fs_write_nfs_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_exec_nfs_files',`
 	gen_require(`
@ -1650,6 +1703,7 @@ interface(`fs_read_rpc_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_nfs_dirs',`
 	gen_require(`
@ -1689,6 +1743,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_nfs_files',`
 	gen_require(`
@ -1729,6 +1784,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_nfs_symlinks',`
 	gen_require(`
@ -2445,6 +2501,7 @@ interface(`fs_unmount_tmpfs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_tmpfs',`
 	gen_require(`
@ -2968,6 +3025,7 @@ interface(`fs_unmount_all_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_all_fs',`
 	gen_require(`
@ -3005,6 +3063,7 @@ interface(`fs_dontaudit_getattr_all_fs',`
 ##	The type of the domain getting quotas.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_get_all_fs_quotas',`
 	gen_require(`
@ -3023,6 +3082,7 @@ interface(`fs_get_all_fs_quotas',`
 ##	The type of the domain setting quotas.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_set_all_quotas',`
 	gen_require(`
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -324,6 +324,7 @@ interface(`kernel_link_key',`
 ##	The process type allowed to read the ring buffer.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_ring_buffer',`
 	gen_require(`
@ -360,6 +361,7 @@ interface(`kernel_dontaudit_read_ring_buffer',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_change_ring_buffer_level',`
 	gen_require(`
@ -378,6 +380,7 @@ interface(`kernel_change_ring_buffer_level',`
 ##	The process type clearing the buffer.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_clear_ring_buffer',`
 	gen_require(`
@ -653,6 +656,7 @@ interface(`kernel_read_proc_symlinks',`
 ##	The process type reading the system state information.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_system_state',`
 	gen_require(`
@ -673,6 +677,7 @@ interface(`kernel_read_system_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 # cjp: this should probably go away.  any
 # file thats writable in proc should really
@ -734,6 +739,7 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
 ##	The process type reading software raid state.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_software_raid_state',`
 	gen_require(`
@ -910,7 +916,7 @@ interface(`kernel_search_network_state',`
 ##	The process type reading the state.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_network_state',`
 	gen_require(`
@ -932,7 +938,6 @@ interface(`kernel_read_network_state',`
 ##	The process type reading the state.
 ##	</summary>
 ## </param>
-##
 #
 interface(`kernel_read_network_state_symlinks',`
 	gen_require(`
@ -1114,6 +1119,7 @@ interface(`kernel_read_sysctl',`
 ##	The process type to allow to read the device sysctls.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_device_sysctls',`
 	gen_require(`
@ -1135,6 +1141,7 @@ interface(`kernel_read_device_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_device_sysctls',`
 	gen_require(`
@ -1155,7 +1162,6 @@ interface(`kernel_rw_device_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
 #
 interface(`kernel_search_vm_sysctl',`
 	gen_require(`
@ -1174,7 +1180,7 @@ interface(`kernel_search_vm_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_vm_sysctls',`
 	gen_require(`
@ -1195,6 +1201,7 @@ interface(`kernel_read_vm_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_vm_sysctls',`
 	gen_require(`
@ -1255,7 +1262,7 @@ interface(`kernel_dontaudit_search_network_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_net_sysctls',`
 	gen_require(`
@ -1277,6 +1284,7 @@ interface(`kernel_read_net_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_net_sysctls',`
 	gen_require(`
@ -1299,6 +1307,7 @@ interface(`kernel_rw_net_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_unix_sysctls',`
 	gen_require(`
@ -1321,6 +1330,7 @@ interface(`kernel_read_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_unix_sysctls',`
 	gen_require(`
@ -1342,6 +1352,7 @@ interface(`kernel_rw_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_hotplug_sysctls',`
 	gen_require(`
@ -1363,6 +1374,7 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_hotplug_sysctls',`
 	gen_require(`
@ -1384,6 +1396,7 @@ interface(`kernel_rw_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_modprobe_sysctls',`
 	gen_require(`
@ -1405,6 +1418,7 @@ interface(`kernel_read_modprobe_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_modprobe_sysctls',`
 	gen_require(`
@ -1483,6 +1497,7 @@ interface(`kernel_dontaudit_write_kernel_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_kernel_sysctl',`
 	gen_require(`
@ -1504,6 +1519,7 @@ interface(`kernel_rw_kernel_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_fs_sysctls',`
 	gen_require(`
@ -1525,6 +1541,7 @@ interface(`kernel_read_fs_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_fs_sysctls',`
 	gen_require(`
@ -1546,6 +1563,7 @@ interface(`kernel_rw_fs_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_irq_sysctls',`
 	gen_require(`
@ -1566,7 +1584,7 @@ interface(`kernel_read_irq_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_rw_irq_sysctls',`
 	gen_require(`
@ -1587,7 +1605,7 @@ interface(`kernel_rw_irq_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_rpc_sysctls',`
 	gen_require(`
@ -1609,7 +1627,7 @@ interface(`kernel_read_rpc_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_rw_rpc_sysctls',`
 	gen_require(`
@ -1649,6 +1667,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_all_sysctls',`
 	gen_require(`
@ -1672,6 +1691,7 @@ interface(`kernel_read_all_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_all_sysctls',`
 	gen_require(`
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@ -13,6 +13,7 @@
 ##	Domain target for user exemption.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mcs_killall',`
 	gen_require(`
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@ -21,6 +21,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_read_up',`
 	gen_require(`
@ -40,6 +41,7 @@ interface(`mls_file_read_up',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_write_down',`
 	gen_require(`
@ -59,6 +61,7 @@ interface(`mls_file_write_down',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_upgrade',`
 	gen_require(`
@ -78,6 +81,7 @@ interface(`mls_file_upgrade',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_downgrade',`
 	gen_require(`
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@ -106,6 +106,7 @@ interface(`selinux_dontaudit_read_fs',`
 ##	The process type to allow to get the enforcing mode.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_get_enforce_mode',`
 	gen_require(`
@ -136,6 +137,7 @@ interface(`selinux_get_enforce_mode',`
 ##	The process type to allow to set the enforcement mode.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_set_enforce_mode',`
 	gen_require(`
@ -209,6 +211,7 @@ interface(`selinux_load_policy',`
 ##	The process type allowed to set the Boolean.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_set_boolean',`
 	gen_require(`
@ -249,6 +252,7 @@ interface(`selinux_set_boolean',`
 ##	The process type to allow to set security parameters.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_set_parameters',`
 	gen_require(`
@ -272,6 +276,7 @@ interface(`selinux_set_parameters',`
 ##	The process type permitted to validate contexts.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_validate_context',`
 	gen_require(`
@ -292,6 +297,7 @@ interface(`selinux_validate_context',`
 ##	The process type allowed to compute an access vector.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_compute_access_vector',`
 	gen_require(`
@ -312,6 +318,7 @@ interface(`selinux_compute_access_vector',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_compute_create_context',`
 	gen_require(`
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@ -147,6 +147,7 @@ interface(`term_create_pty',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_all_terms',`
 	gen_require(`
@ -168,6 +169,7 @@ interface(`term_use_all_terms',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_write_console',`
 	gen_require(`
@ -187,6 +189,7 @@ interface(`term_write_console',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_read_console',`
 	gen_require(`
@ -206,6 +209,7 @@ interface(`term_read_console',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_console',`
 	gen_require(`
@ -245,6 +249,7 @@ interface(`term_dontaudit_use_console',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_console',`
 	gen_require(`
@ -560,6 +565,7 @@ interface(`term_dontaudit_use_ptmx',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_getattr_all_user_ptys',`
 	gen_require(`
@ -603,6 +609,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_all_user_ptys',`
 	gen_require(`
@ -641,6 +648,7 @@ interface(`term_relabelto_all_user_ptys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_all_user_ptys',`
 	gen_require(`
@ -704,6 +712,7 @@ interface(`term_relabel_all_user_ptys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_getattr_unallocated_ttys',`
 	gen_require(`
@ -743,6 +752,7 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_unallocated_ttys',`
 	gen_require(`
@ -880,6 +890,7 @@ interface(`term_write_unallocated_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_unallocated_ttys',`
 	gen_require(`
@ -919,6 +930,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_getattr_all_user_ttys',`
 	gen_require(`
@ -960,6 +972,7 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_all_user_ttys',`
 	gen_require(`
@ -1018,6 +1031,7 @@ interface(`term_write_all_user_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_all_user_ttys',`
 	gen_require(`
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@ -241,7 +241,7 @@ template(`apache_content_template',`

 #######################################
 ## <summary>
-##	The per user domain template for the apache module.
+##	The per role template for the apache module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -271,7 +271,7 @@ template(`apache_content_template',`
 ##	</summary>
 ## </param>
 #
-template(`apache_per_userdomain_template', `
+template(`apache_per_role_template', `
 	gen_require(`
 		attribute httpdcontent, httpd_script_domains;
 		attribute httpd_exec_scripts;
@ -513,6 +513,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_manage_all_content',`
 	gen_require(`
@ -558,6 +559,7 @@ interface(`apache_rw_cache_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_read_config',`
 	gen_require(`
@ -638,6 +640,7 @@ interface(`apache_domtrans_helper',`
 ##	The type of the terminal allow the dmidecode domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_run_helper',`
 	gen_require(`
@ -659,6 +662,7 @@ interface(`apache_run_helper',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_read_log',`
 	gen_require(`
@ -825,6 +829,7 @@ interface(`apache_domtrans_rotatelogs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
 interface(`apache_manage_sys_content',`
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@ -61,6 +61,7 @@ interface(`bind_signal',`
 ##	The type of the terminal allow the bind domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bind_run_ndc',`
 	gen_require(`
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@ -103,6 +103,7 @@ interface(`bluetooth_dbus_chat',`
 ##	The type of the terminal allow the bluetooth_helper domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bluetooth_run_helper',`
 	gen_require(`
--- a/policy/modules/services/clockspeed.if
+++ b/policy/modules/services/clockspeed.if
@ -40,6 +40,7 @@ interface(`clockspeed_domtrans_cli',`
 ##	The type of the terminal allow the clockspeed_cli domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`clockspeed_run_cli',`
 	gen_require(`
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the cron module.
+##	The per role template for the cron module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`cron_per_userdomain_template',`
+template(`cron_per_role_template',`
 	gen_require(`
 		attribute cron_spool_type;
 		type crond_t, cron_spool_t, crontab_exec_t;
@ -277,6 +277,7 @@ template(`cron_per_userdomain_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`cron_admin_template',`
 	gen_require(`
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@ -151,6 +151,7 @@ interface(`cups_dbus_chat_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cups_read_config',`
 	gen_require(`
@ -172,6 +173,7 @@ interface(`cups_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cups_read_rw_config',`
 	gen_require(`
@ -192,6 +194,7 @@ interface(`cups_read_rw_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cups_read_log',`
 	gen_require(`
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@ -18,7 +18,7 @@ interface(`dbus_stub',`

 #######################################
 ## <summary>
-##	The per user domain template for the dbus module.
+##	The per role template for the dbus module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -48,7 +48,7 @@ interface(`dbus_stub',`
 ##	</summary>
 ## </param>
 #
-template(`dbus_per_userdomain_template',`
+template(`dbus_per_role_template',`

 	##############################
 	#
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@ -42,6 +42,7 @@ interface(`dcc_domtrans_cdcc',`
 ##	The type of the terminal allow the cdcc domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dcc_run_cdcc',`
 	gen_require(`
@ -95,6 +96,7 @@ interface(`dcc_domtrans_client',`
 ##	The type of the terminal allow the dcc_client domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dcc_run_client',`
 	gen_require(`
@ -148,6 +150,7 @@ interface(`dcc_domtrans_dbclean',`
 ##	The type of the terminal allow the dcc_dbclean domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dcc_run_dbclean',`
 	gen_require(`
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the ftp module.
+##	The per role template for the ftp module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -23,7 +23,7 @@
 ##	</summary>
 ## </param>
 #
-template(`ftp_per_userdomain_template',`
+template(`ftp_per_role_template',`
 	tunable_policy(`ftpd_is_daemon',`
 		userdom_manage_user_home_content_files($1,ftpd_t)
 		userdom_manage_user_home_content_symlinks($1,ftpd_t)
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@ -88,6 +88,7 @@ interface(`inn_manage_pid',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+
 #
 interface(`inn_read_config',`
 	gen_require(`
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@ -70,6 +70,7 @@ interface(`kerberos_use',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kerberos_read_config',`
 	gen_require(`
@ -108,6 +109,7 @@ interface(`kerberos_dontaudit_write_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kerberos_rw_config',`
 	gen_require(`
@ -127,6 +129,7 @@ interface(`kerberos_rw_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kerberos_read_keytab',`
 	gen_require(`
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@ -28,6 +28,7 @@ interface(`ldap_list_db',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ldap_read_config',`
 	gen_require(`
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the lpd module.
+##	The per role template for the lpd module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`lpd_per_userdomain_template',`
+template(`lpd_per_role_template',`
 	gen_require(`
 		type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
 	')
@ -215,6 +215,7 @@ template(`lpd_per_userdomain_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`lpr_admin_template',`
 	gen_require(`
@ -273,6 +274,7 @@ interface(`lpd_domtrans_checkpc',`
 ##	The type of the terminal allow the lpd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lpd_run_checkpc',`
 	gen_require(`
@ -334,6 +336,7 @@ interface(`lpd_manage_spool',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lpd_read_config',`
 	gen_require(`
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@ -144,7 +144,7 @@ template(`mta_base_mail_template',`

 #######################################
 ## <summary>
-##	The per user domain template for the mta module.
+##	The per role template for the mta module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -175,7 +175,7 @@ template(`mta_base_mail_template',`
 ##	</summary>
 ## </param>
 #
-template(`mta_per_userdomain_template',`
+template(`mta_per_role_template',`

 	##############################
 	#
@ -255,6 +255,7 @@ template(`mta_per_userdomain_template',`
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`mta_admin_template',`
 	gen_require(`
@ -523,6 +524,7 @@ interface(`mta_sendmail_exec',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mta_read_config',`
 	gen_require(`
@ -582,6 +584,7 @@ interface(`mta_etc_filetrans_aliases',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mta_rw_aliases',`
 	gen_require(`
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@ -30,6 +30,7 @@ interface(`munin_stream_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`munin_read_config',`
 	gen_require(`
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@ -27,6 +27,7 @@ interface(`mysql_signal',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mysql_stream_connect',`
 	gen_require(`
@ -47,6 +48,7 @@ interface(`mysql_stream_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mysql_read_config',`
 	gen_require(`
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@ -10,6 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`nagios_read_config',`
 	gen_require(`
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@ -72,6 +72,7 @@ interface(`nis_use_ypbind_uncond',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`nis_use_ypbind',`
 	gen_require(`
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@ -44,6 +44,7 @@ interface(`oav_domtrans_update',`
 ##	The type of the terminal allow the oav_update domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`oav_run_update',`
 	gen_require(`
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@ -10,6 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`openvpn_read_config',`
 	gen_require(`
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@ -45,6 +45,7 @@ interface(`portmap_domtrans_helper',`
 ##	The type of the terminal allow the portmap domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portmap_run_helper',`
 	gen_require(`
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@ -187,7 +187,7 @@ template(`postfix_user_domain_template',`

 ########################################
 ## <summary>
-##	The per-userdomain template for the postfix module.
+##	The per role template for the postfix module.
 ## </summary>
 ## <param name="prefix">
 ##	<summary>
@ -201,7 +201,7 @@ template(`postfix_user_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`postfix_per_userdomain_template',`
+template(`postfix_per_role_template',`
 	gen_require(`
 		attribute postfix_user_domains;
 		type postfix_postdrop_t;
@ -223,6 +223,7 @@ template(`postfix_per_userdomain_template',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postfix_read_config',`
 	gen_require(`
@ -349,6 +350,7 @@ interface(`postfix_domtrans_map',`
 ##	The type of the terminal allow the postfix_map domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postfix_run_map',`
 	gen_require(`
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@ -69,6 +69,7 @@ interface(`postgresql_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postgresql_read_config',`
 	gen_require(`
@ -104,6 +105,7 @@ interface(`postgresql_tcp_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postgresql_stream_connect',`
 	gen_require(`
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@ -107,6 +107,7 @@ interface(`ppp_domtrans',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ppp_run_cond',`
 	gen_require(`
@ -130,6 +131,7 @@ interface(`ppp_run_cond',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ppp_run',`
 	gen_require(`
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@ -47,7 +47,7 @@ interface(`pyzor_exec',`

 #######################################
 ## <summary>
-##	The per user domain template for the pyzor module.
+##	The per role template for the pyzor module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -68,7 +68,7 @@ interface(`pyzor_exec',`
 ##	</summary>
 ## </param>
 #
-template(`pyzor_per_userdomain_template',`
+template(`pyzor_per_role_template',`
 	type $1_pyzor_home_t;
 	userdom_user_home_content($1,$1_pyzor_home_t)

--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@ -2,7 +2,7 @@

 #######################################
 ## <summary>
-##      The per user domain template for qmail
+##      The per role template for qmail
 ## </summary>
 ## <desc>
 ##      <p>
@ -28,7 +28,7 @@
 ##      </summary>
 ## </param>
 #
-template(`qmail_per_userdomain_template',`
+template(`qmail_per_role_template',`
 	gen_require(`
 		attribute qmail_user_domains;
 	')
@ -163,6 +163,7 @@ interface(`qmail_domtrans_queue',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`qmail_read_config',`
 	gen_require(`
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@ -101,11 +101,11 @@ template(`razor_common_domain_template',`

 #######################################
 ## <summary>
-##	The per user domain template for the razor module.
+##	The per role template for the razor module.
 ## </summary>
 ## <desc>
 ##	<p>
-##	The per user domain template for the razor module.
+##	The per role template for the razor module.
 ##	</p>
 ##	<p>
 ##	This template is invoked automatically for each user, and
@ -130,7 +130,7 @@ template(`razor_common_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`razor_per_userdomain_template',`
+template(`razor_per_role_template',`

 	type $1_razor_t;
 	domain_type($1_razor_t)
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@ -219,6 +219,7 @@ interface(`rpc_domtrans_nfsd',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpc_read_nfs_content',`
 	gen_require(`
@ -239,6 +240,7 @@ interface(`rpc_read_nfs_content',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpc_manage_nfs_rw_content',`
 	gen_require(`
@ -259,6 +261,7 @@ interface(`rpc_manage_nfs_rw_content',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpc_manage_nfs_ro_content',`
 	gen_require(`
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@ -94,6 +94,7 @@ interface(`rsync_entry_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rsync_exec',`
 	gen_require(`
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@ -6,7 +6,7 @@

 #######################################
 ## <summary>
-##	The per user domain template for the samba module.
+##	The per role template for the samba module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -27,7 +27,7 @@
 ##	</summary>
 ## </param>
 #
-template(`samba_per_userdomain_template',`
+template(`samba_per_role_template',`
 	gen_require(`
 		type smbd_t;
 	')
@ -86,6 +86,7 @@ interface(`samba_domtrans_net',`
 ##	The type of the terminal allow the samba_net domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_run_net',`
 	gen_require(`
@ -131,6 +132,7 @@ interface(`samba_domtrans_smbmount',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_read_config',`
 	gen_require(`
@ -151,6 +153,7 @@ interface(`samba_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_rw_config',`
 	gen_require(`
@ -170,6 +173,7 @@ interface(`samba_rw_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_read_log',`
 	gen_require(`
@ -339,6 +343,7 @@ interface(`samba_domtrans_winbind_helper',`
 ##	The type of the terminal allow the winbind_helper domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_run_winbind_helper',`
 	gen_require(`
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@ -83,6 +83,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sendmail_manage_log',`
 	gen_require(`
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@ -2,11 +2,11 @@

 #######################################
 ## <summary>
-##	The per user domain template for the spamassassin module.
+##	The per role template for the spamassassin module.
 ## </summary>
 ## <desc>
 ##	<p>
-##	The per user domain template for the spamassassin module.
+##	The per role template for the spamassassin module.
 ##	</p>
 ##	<p>
 ##	This template is invoked automatically for each user, and
@ -33,7 +33,7 @@
 #
 # cjp: when tunables are available, spamc stuff should be
 # toggled on activation of spamc, and similarly for spamd.
-template(`spamassassin_per_userdomain_template',`
+template(`spamassassin_per_role_template',`

 	##############################
 	#
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@ -33,6 +33,7 @@ interface(`squid_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`squid_read_config',`
 	gen_require(`
@ -52,6 +53,7 @@ interface(`squid_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`squid_read_log',`
 	gen_require(`
@ -93,6 +95,7 @@ interface(`squid_append_log',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`squid_manage_logs',`
 	gen_require(`
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -185,7 +185,7 @@ template(`ssh_basic_client_template',`

 #######################################
 ## <summary>
-##	The per user domain template for the ssh module.
+##	The per role template for the ssh module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -216,7 +216,7 @@ template(`ssh_basic_client_template',`
 ##	</summary>
 ## </param>
 #
-template(`ssh_per_userdomain_template',`
+template(`ssh_per_role_template',`
 	gen_require(`
 		type ssh_agent_exec_t, ssh_keysign_exec_t;
 	')
--- a/policy/modules/services/sysstat.if
+++ b/policy/modules/services/sysstat.if
@ -9,6 +9,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sysstat_manage_log',`
 	gen_require(`
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -189,7 +189,7 @@ template(`xserver_common_domain_template',`

 #######################################
 ## <summary>
-##	The per user domain template for the xserver module.
+##	The per role template for the xserver module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -220,7 +220,7 @@ template(`xserver_common_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`xserver_per_userdomain_template',`
+template(`xserver_per_role_template',`

 	##############################
 	#
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@ -9,6 +9,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`zebra_read_config',`
 	gen_require(`
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@ -64,7 +64,7 @@ template(`authlogin_common_auth_domain_template',`

 #######################################
 ## <summary>
-##	The per user domain template for the authlogin module.
+##	The per role template for the authlogin module.
 ## </summary>
 ## <desc>
 ##	<p>
@ -96,7 +96,7 @@ template(`authlogin_common_auth_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`authlogin_per_userdomain_template',`
+template(`authlogin_per_role_template',`

 	gen_require(`
 		type system_chkpwd_t, shadow_t;
@ -609,6 +609,7 @@ interface(`auth_rw_faillog',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`auth_read_lastlog',`
 	gen_require(`
@ -991,6 +992,7 @@ interface(`auth_read_all_dirs_except_shadow',`
 ##	must be negated by the caller.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`auth_read_all_files_except_shadow',`
 	gen_require(`
@ -1174,6 +1176,7 @@ interface(`auth_setattr_login_records',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`auth_read_login_records',`
 	gen_require(`
--- a/Show More
+++ b/Show More