Fix sandbox tcp_socket calls to create_stream_socket_perms

Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t trys to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs.  Must allow them to create directories

policy/modules/apps/sandbox.te

@@ -45,6 +45,8 @@ manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xs
 manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
 fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+
 corecmd_exec_bin(sandbox_xserver_t)
 corecmd_exec_shell(sandbox_xserver_t)
 
@@ -238,7 +240,7 @@ userdom_use_user_ptys(sandbox_x_t)
 #
 # sandbox_x_client_t local policy
 #
-allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
 allow sandbox_x_client_t self:udp_socket create_socket_perms;
 allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
 allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
@@ -272,7 +274,7 @@ allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
 allow sandbox_web_type self:process setsched;
 dontaudit sandbox_web_type self:process setrlimit;
 
-allow sandbox_web_type self:tcp_socket create_socket_perms;
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
 allow sandbox_web_type self:udp_socket create_socket_perms;
 allow sandbox_web_type self:dbus { acquire_svc send_msg };
 allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;

policy/modules/apps/telepathy.te

@@ -80,6 +80,9 @@ sysnet_read_config(telepathy_msn_t)
 
 optional_policy(`
         dbus_system_bus_client(telepathy_msn_t)
+	optional_policy(`
+		networkmanager_dbus_chat(telepathy_msn_t)
+	')
 ')
 
 optional_policy(`

policy/modules/services/devicekit.te

@@ -239,6 +239,7 @@ files_read_etc_files(devicekit_power_t)
 files_read_usr_files(devicekit_power_t)
 
 fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
 
 term_use_all_terms(devicekit_power_t)
 

policy/modules/services/mailman.te

@@ -80,6 +80,10 @@ optional_policy(`
 	courier_read_spool(mailman_mail_t)
 ')
 
+optional_policy(`
+	gnome_dontaudit_search_config(mailman_mail_t)
+')
+
 optional_policy(`
 	cron_read_pipes(mailman_mail_t)
 ')

policy/modules/services/xserver.if

@@ -1164,6 +1164,8 @@ interface(`xserver_domtrans',`
 
  	allow $1 xserver_t:process siginh;
 	domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+	allow xserver_t $1:process getpgid;
 ')
 
 ########################################

policy/modules/system/authlogin.if

@@ -113,6 +113,7 @@ interface(`auth_login_pgm_domain',`
 	userdom_manage_all_users_keys($1)
 
 	files_list_var_lib($1)
+	manage_dirs_pattern($1, var_auth_t, var_auth_t)
 	manage_files_pattern($1, var_auth_t, var_auth_t)
 
 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)