Merge user_tmp patches to base patches

2014-06-17 09:30:08 +02:00 · 2014-06-17 09:30:08 +02:00 · c629d27ef4
commit c629d27ef4
parent 1c0c710fe4
3 changed files with 1402 additions and 960 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -11714,7 +11714,7 @@ index 0000000..a0fdbcb
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..b4f29e9
+index 0000000..c8338dc
 --- /dev/null
 +++ b/chrome.te
@@ -0,0 +1,249 @@
@ -11834,8 +11834,8 @@ index 0000000..b4f29e9
 +
 +sysnet_dns_name_resolve(chrome_sandbox_t)
 +
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
+userdom_execute_user_tmp_files(chrome_sandbox_t)
 +
 +userdom_use_user_ptys(chrome_sandbox_t)
 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
@ -11957,8 +11957,8 @@ index 0000000..b4f29e9
 +libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
 +
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
 +userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
 +userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
@ -13945,7 +13945,7 @@ index 8e27a37..825f537 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 9f2dfb2..5425ddf 100644
+index 9f2dfb2..3d5988c 100644
 --- a/colord.te
 +++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
@ -14028,7 +14028,7 @@ index 9f2dfb2..5425ddf 100644
 -	fs_getattr_cifs(colord_t)
 -	fs_read_cifs_files(colord_t)
 -')
-+userdom_rw_user_tmpfs_files(colord_t)
+userdom_rw_user_tmp_files(colord_t)
 +userdom_home_reader(colord_t)
 +userdom_list_user_home_content(colord_t)
 +userdom_read_inherited_user_home_content_files(colord_t)
@ -15300,7 +15300,7 @@ index 694a037..b836c07 100644
 +	allow $1 corosync_unit_file_t:service all_service_perms;
 ')
 diff --git a/corosync.te b/corosync.te
-index d5aa1e4..e827567 100644
+index d5aa1e4..837e0a8 100644
 --- a/corosync.te
 +++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
@ -15326,8 +15326,8 @@ index d5aa1e4..e827567 100644
 userdom_read_user_tmp_files(corosync_t)
 -userdom_manage_user_tmpfs_files(corosync_t)
-+userdom_delete_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmp_files(corosync_t)
-+userdom_rw_user_tmpfs_files(corosync_t)
+userdom_rw_user_tmp_files(corosync_t)
 +
 +optional_policy(`
 +	fs_manage_tmpfs_files(corosync_t)
@ -32769,7 +32769,7 @@ index 180f1b7..3c8757e 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 0e97e82..695e8fa 100644
+index 0e97e82..fe77236 100644
 --- a/gpg.te
 +++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@ -33177,9 +33177,9 @@ index 0e97e82..695e8fa 100644
 +# for .Xauthority
 +userdom_read_user_home_content_files(gpg_pinentry_t)
-+userdom_read_user_tmpfs_files(gpg_pinentry_t)
+userdom_read_user_tmp_files(gpg_pinentry_t)
 +# Bug: user pulseaudio files need open,read and unlink:
-+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+allow gpg_pinentry_t user_tmp_t:file unlink;
 +userdom_signull_unpriv_users(gpg_pinentry_t)
 userdom_use_user_terminals(gpg_pinentry_t)
@ -36323,10 +36323,10 @@ index 0000000..9d32f23
 +')
 diff --git a/journalctl.te b/journalctl.te
 new file mode 100644
-index 0000000..1b313e8
+index 0000000..896cde4
 --- /dev/null
 +++ b/journalctl.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,46 @@
 +policy_module(journalctl, 1.0.0)
 +
 +########################################
@ -36371,8 +36371,7 @@ index 0000000..1b313e8
 +userdom_list_user_home_dirs(journalctl_t)
 +userdom_read_user_home_content_files(journalctl_t)
 +userdom_use_inherited_user_ptys(journalctl_t)
-+userdom_write_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_tmp_files(journalctl_t)
 +userdom_rw_inherited_user_tmpfs_files(journalctl_t)
 +userdom_rw_inherited_user_home_content_files(journalctl_t)
 diff --git a/kde.fc b/kde.fc
 new file mode 100644
@ -38719,7 +38718,7 @@ index aa2a337..7ff229f 100644
 	files_search_var_lib($1)
 	admin_pattern($1, kismet_var_lib_t)
 diff --git a/kismet.te b/kismet.te
-index 8ad0d4d..c070420 100644
+index 8ad0d4d..4e66536 100644
 --- a/kismet.te
 +++ b/kismet.te
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
@ -38752,7 +38751,7 @@ index 8ad0d4d..c070420 100644
 -userdom_use_user_terminals(kismet_t)
 +userdom_use_inherited_user_terminals(kismet_t)
-+userdom_read_user_tmpfs_files(kismet_t)
+userdom_read_user_tmp_files(kismet_t)
 optional_policy(`
 	dbus_system_bus_client(kismet_t)
@ -40502,7 +40501,7 @@ index dd8e01a..9cd6b0b 100644
 ## <param name="domain">
 ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..44689e1 100644
+index be0ab84..835c246 100644
 --- a/logrotate.te
 +++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -40633,7 +40632,7 @@ index be0ab84..44689e1 100644
 auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
-@@ -103,24 +133,39 @@ init_all_labeled_script_domtrans(logrotate_t)
+@@ -103,24 +133,40 @@ init_all_labeled_script_domtrans(logrotate_t)
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
@ -40660,8 +40659,9 @@ index be0ab84..44689e1 100644
 -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
 +tunable_policy(`logrotate_use_nfs',`
-+		fs_read_nfs_files(logrotate_t)
+        fs_manage_nfs_files(logrotate_t)
-+		fs_read_nfs_symlinks(logrotate_t)
+        fs_manage_nfs_dirs(logrotate_t)
 +        fs_manage_nfs_symlinks(logrotate_t)
 +')
 -ifdef(`distro_debian',`
@ -40679,7 +40679,7 @@ index be0ab84..44689e1 100644
 ')
 optional_policy(`
-@@ -135,16 +180,17 @@ optional_policy(`
+@@ -135,16 +181,17 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(logrotate_t)
@ -40699,7 +40699,7 @@ index be0ab84..44689e1 100644
 ')
 optional_policy(`
-@@ -170,6 +216,11 @@ optional_policy(`
+@@ -170,6 +217,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -40711,7 +40711,7 @@ index be0ab84..44689e1 100644
 	fail2ban_stream_connect(logrotate_t)
 ')
-@@ -178,7 +229,7 @@ optional_policy(`
+@@ -178,7 +230,7 @@ optional_policy(`
 ')
 optional_policy(`
@ -40720,7 +40720,7 @@ index be0ab84..44689e1 100644
 ')
 optional_policy(`
-@@ -198,21 +249,26 @@ optional_policy(`
+@@ -198,21 +250,26 @@ optional_policy(`
 ')
 optional_policy(`
@ -40751,7 +40751,7 @@ index be0ab84..44689e1 100644
 ')
 optional_policy(`
-@@ -228,10 +284,21 @@ optional_policy(`
+@@ -228,10 +285,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -40773,7 +40773,7 @@ index be0ab84..44689e1 100644
 	su_exec(logrotate_t)
 ')
-@@ -241,13 +308,11 @@ optional_policy(`
+@@ -241,13 +309,11 @@ optional_policy(`
 #######################################
 #
@ -45979,7 +45979,7 @@ index 6194b80..7490fe3 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..ab5b577 100644
+index 11ac8e4..1025b89 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,48 @@ policy_module(mozilla, 2.8.0)
@ -46424,7 +46424,7 @@ index 11ac8e4..ab5b577 100644
 ')
 optional_policy(`
-@@ -300,259 +331,253 @@ optional_policy(`
+@@ -300,259 +331,249 @@ optional_policy(`
 ########################################
 #
@ -46494,7 +46494,6 @@ index 11ac8e4..ab5b577 100644
 +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
 +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
 +xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@ -46502,7 +46501,6 @@ index 11ac8e4..ab5b577 100644
 manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 +userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 +userdom_manage_home_texlive(mozilla_plugin_t)
 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
@ -46704,8 +46702,6 @@ index 11ac8e4..ab5b577 100644
 +term_dontaudit_use_ptmx(mozilla_plugin_t)
 +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
 +userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 +userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 +userdom_manage_user_tmp_sockets(mozilla_plugin_t)
 +userdom_manage_user_tmp_dirs(mozilla_plugin_t)
@ -46824,7 +46820,7 @@ index 11ac8e4..ab5b577 100644
 ')
 optional_policy(`
-@@ -560,7 +585,11 @@ optional_policy(`
+@@ -560,7 +581,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -46837,7 +46833,7 @@ index 11ac8e4..ab5b577 100644
 ')
 optional_policy(`
-@@ -568,108 +597,136 @@ optional_policy(`
+@@ -568,108 +593,136 @@ optional_policy(`
 ')
 optional_policy(`
@ -47095,7 +47091,7 @@ index 5fa77c7..2e01c7d 100644
 	domain_system_change_exemption($1)
 	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index fe72523..92632e8 100644
+index fe72523..953e3bf 100644
 --- a/mpd.te
 +++ b/mpd.te
@@ -62,6 +62,12 @@ files_type(mpd_var_lib_t)
@ -47166,7 +47162,7 @@ index fe72523..92632e8 100644
 +	userdom_stream_connect(mpd_t)
 +	userdom_read_home_audio_files(mpd_t)
 +	userdom_list_user_tmp(mpd_t)
-+	userdom_read_user_tmpfs_files(mpd_t)
+	userdom_read_user_tmp_files(mpd_t)
 +	userdom_dontaudit_setattr_user_tmp(mpd_t)
 +')
 +
@ -63894,7 +63890,7 @@ index 3078ce9..d2f68fa 100644
 		hal_dontaudit_write_log(plymouth_t)
 		hal_dontaudit_rw_pipes(plymouth_t)
 diff --git a/podsleuth.te b/podsleuth.te
-index 9123f71..5bf10ce 100644
+index 9123f71..c06ace5 100644
 --- a/podsleuth.te
 +++ b/podsleuth.te
@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
@ -63915,7 +63911,7 @@ index 9123f71..5bf10ce 100644
 fs_mount_dos_fs(podsleuth_t)
 fs_unmount_dos_fs(podsleuth_t)
-@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t)
+@@ -76,13 +76,11 @@ fs_getattr_tmpfs(podsleuth_t)
 fs_list_tmpfs(podsleuth_t)
 fs_rw_removable_blk_files(podsleuth_t)
@ -63924,6 +63920,12 @@ index 9123f71..5bf10ce 100644
 sysnet_dns_name_resolve(podsleuth_t)
 userdom_signal_unpriv_users(podsleuth_t)
 userdom_signull_unpriv_users(podsleuth_t)
 -userdom_read_user_tmpfs_files(podsleuth_t)
 +userdom_read_user_tmp_files(podsleuth_t)
 optional_policy(`
 	dbus_system_bus_client(podsleuth_t)
 diff --git a/policykit.fc b/policykit.fc
 index 1d76c72..93d09d9 100644
 --- a/policykit.fc
@ -70235,7 +70237,7 @@ index 45843b5..116be8a 100644
 +	ps_process_pattern($1, pulseaudio_t)
 ')
 diff --git a/pulseaudio.te b/pulseaudio.te
-index 6643b49..1d2470f 100644
+index 6643b49..64ac070 100644
 --- a/pulseaudio.te
 +++ b/pulseaudio.te
@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
@ -70382,7 +70384,8 @@ index 6643b49..1d2470f 100644
 -miscfiles_read_localization(pulseaudio_t)
 -
- userdom_read_user_tmpfs_files(pulseaudio_t)
+-userdom_read_user_tmpfs_files(pulseaudio_t)
 +userdom_read_user_tmp_files(pulseaudio_t)
 userdom_search_user_home_dirs(pulseaudio_t)
 userdom_write_user_tmp_sockets(pulseaudio_t)
@ -70490,8 +70493,9 @@ index 6643b49..1d2470f 100644
 -# TODO: ~/.cache
 userdom_manage_user_home_content_files(pulseaudio_client)
- userdom_read_user_tmpfs_files(pulseaudio_client)
+-userdom_read_user_tmpfs_files(pulseaudio_client)
 -# userdom_delete_user_tmpfs_files(pulseaudio_client)
 +userdom_read_user_tmp_files(pulseaudio_client)
 tunable_policy(`use_nfs_home_dirs',`
 -	fs_getattr_nfs(pulseaudio_client)
@ -72557,7 +72561,7 @@ index eaf56b8..c32349e 100644
 #
 interface(`qemu_entry_type',`
 diff --git a/qemu.te b/qemu.te
-index 4f90743..8c1e989 100644
+index 4f90743..958c0ef 100644
 --- a/qemu.te
 +++ b/qemu.te
@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
@ -72620,7 +72624,7 @@ index 4f90743..8c1e989 100644
 +storage_raw_read_removable_device(qemu_t)
 +
 +userdom_search_user_home_content(qemu_t)
-+userdom_read_user_tmpfs_files(qemu_t)
+userdom_read_user_tmp_files(qemu_t)
 +userdom_stream_connect(qemu_t)
 +
 tunable_policy(`qemu_full_network',`
@ -78463,7 +78467,7 @@ index c8bdea2..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..aa30a92 100644
+index 6cf79c4..113697f 100644
 --- a/rhcs.te
 +++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@ -78502,7 +78506,7 @@ index 6cf79c4..aa30a92 100644
 attribute cluster_domain;
 attribute cluster_log;
 attribute cluster_pid;
-@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,282 @@ type foghorn_initrc_exec_t;
 init_script_file(foghorn_initrc_exec_t)
 rhcs_domain_template(gfs_controld)
@ -78656,9 +78660,8 @@ index 6cf79c4..aa30a92 100644
 +init_rw_script_tmp_files(cluster_t)
 +init_manage_script_status_files(cluster_t)
 +
-+userdom_read_user_tmp_files(cluster_t)
+userdom_delete_user_tmp_files(cluster_t)
-+userdom_delete_user_tmpfs_files(cluster_t)
+userdom_rw_user_tmp_files(cluster_t)
 +userdom_rw_user_tmpfs_files(cluster_t)
 +userdom_kill_all_users(cluster_t)
 +
 +tunable_policy(`cluster_can_network_connect',`
@ -78790,7 +78793,7 @@ index 6cf79c4..aa30a92 100644
 ')
 #####################################
-@@ -79,9 +357,11 @@ optional_policy(`
+@@ -79,9 +356,11 @@ optional_policy(`
 # dlm_controld local policy
 #
@ -78803,7 +78806,7 @@ index 6cf79c4..aa30a92 100644
 stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
 init_rw_script_tmp_files(dlm_controld_t)
@ -78837,7 +78840,7 @@ index 6cf79c4..aa30a92 100644
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +411,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -78848,7 +78851,7 @@ index 6cf79c4..aa30a92 100644
 corecmd_exec_bin(fenced_t)
 corecmd_exec_shell(fenced_t)
-@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +432,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
 corenet_sendrecv_zented_server_packets(fenced_t)
 corenet_tcp_bind_zented_port(fenced_t)
@ -78857,7 +78860,7 @@ index 6cf79c4..aa30a92 100644
 corenet_tcp_sendrecv_zented_port(fenced_t)
 corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +442,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
 dev_read_sysfs(fenced_t)
 dev_read_urand(fenced_t)
@ -78868,7 +78871,7 @@ index 6cf79c4..aa30a92 100644
 storage_raw_read_fixed_disk(fenced_t)
 storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +452,7 @@ term_getattr_pty_fs(fenced_t)
 term_use_generic_ptys(fenced_t)
 term_use_ptmx(fenced_t)
@ -78877,7 +78880,7 @@ index 6cf79c4..aa30a92 100644
 tunable_policy(`fenced_can_network_connect',`
 	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +475,8 @@ optional_policy(`
+@@ -182,7 +474,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -78887,7 +78890,7 @@ index 6cf79c4..aa30a92 100644
 ')
 optional_policy(`
-@@ -190,12 +484,12 @@ optional_policy(`
+@@ -190,12 +483,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -78903,7 +78906,7 @@ index 6cf79c4..aa30a92 100644
 ')
 optional_policy(`
-@@ -203,6 +497,13 @@ optional_policy(`
+@@ -203,6 +496,13 @@ optional_policy(`
 	snmp_manage_var_lib_dirs(fenced_t)
 ')
@ -78917,7 +78920,7 @@ index 6cf79c4..aa30a92 100644
 #######################################
 #
 # foghorn local policy
-@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +521,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
 corenet_tcp_connect_agentx_port(foghorn_t)
 corenet_tcp_sendrecv_agentx_port(foghorn_t)
@ -78938,7 +78941,7 @@ index 6cf79c4..aa30a92 100644
 	snmp_stream_connect(foghorn_t)
 ')
-@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +559,8 @@ storage_getattr_removable_dev(gfs_controld_t)
 init_rw_script_tmp_files(gfs_controld_t)
@ -78947,7 +78950,7 @@ index 6cf79c4..aa30a92 100644
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +579,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 dev_list_sysfs(groupd_t)
@ -79004,7 +79007,7 @@ index 6cf79c4..aa30a92 100644
 ######################################
 #
 # qdiskd local policy
-@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 auth_use_nsswitch(qdiskd_t)
@ -86711,7 +86714,7 @@ index 0000000..03bdcef
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..956922c
+index 0000000..499e739
 --- /dev/null
 +++ b/sandboxX.te
@@ -0,0 +1,500 @@
@ -87132,8 +87135,8 @@ index 0000000..956922c
 +selinux_compute_user_contexts(sandbox_web_type)
 +seutil_read_default_contexts(sandbox_web_type)
 +
-+userdom_rw_user_tmpfs_files(sandbox_web_type)
+userdom_rw_user_tmp_files(sandbox_web_type)
-+userdom_delete_user_tmpfs_files(sandbox_web_type)
+userdom_delete_user_tmp_files(sandbox_web_type)
 +
 +optional_policy(`
 +	alsa_read_rw_config(sandbox_web_type)
@ -97216,10 +97219,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..7f7e7ff
+index 0000000..ebb001b
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,158 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -97268,7 +97271,7 @@ index 0000000..7f7e7ff
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
 +userdom_dontaudit_access_check_user_content(thumb_t)
-+userdom_rw_inherited_user_tmpfs_files(thumb_t)
+userdom_rw_inherited_user_tmp_files(thumb_t)
 +userdom_manage_home_texlive(thumb_t)
 +
 +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@ -97277,7 +97280,6 @@ index 0000000..7f7e7ff
 +exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
 +userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
 +xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
 +
 +manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
 +manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
@ -98866,7 +98868,7 @@ index c416a83..cd83b89 100644
 +/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/userhelper.if b/userhelper.if
-index 98b51fd..35d784a 100644
+index 98b51fd..b25ec0d 100644
 --- a/userhelper.if
 +++ b/userhelper.if
@@ -1,4 +1,4 @@
@ -99163,7 +99165,7 @@ index 98b51fd..35d784a 100644
 +
 +	auth_use_pam($1_consolehelper_t)
 +
-+	userdom_manage_tmpfs_role($2, $1_consolehelper_t)
+	userdom_manage_tmp_role($2, $1_consolehelper_t)
 +
 +	optional_policy(`
 +		dbus_connect_session_bus($1_consolehelper_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -25,8 +25,6 @@ Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-rawhide-base.patch
 patch1: policy-rawhide-contrib.patch
 patch2: policy-rawhide-base-user_tmp.patch
 patch3: policy-rawhide-contrib-user_tmp.patch
 Source1: modules-targeted-base.conf 
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@ -321,11 +319,9 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
 %patch3 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch2 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib