* Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-4

- Fix gnome_role_template() interface
2013-11-18 15:25:06 +01:00 · 2013-11-18 15:25:06 +01:00 · d20212ac4f
parent 4fc70e284d
commit d20212ac4f
3 changed files with 129 additions and 122 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -39649,7 +39649,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..b8ac8d9 100644
+index 9dc60c6..35bd5a5 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -40770,7 +40770,7 @@ index 9dc60c6..b8ac8d9 100644
 	##############################
 	#
 	# Local policy
-@@ -907,38 +1155,98 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,60 +1155,144 @@ template(`userdom_restricted_xwindows_user_template',`
 	#
 	# Local policy
 	#
@ -40881,7 +40881,12 @@ index 9dc60c6..b8ac8d9 100644
 		')
 
 		optional_policy(`
-@@ -948,20 +1256,41 @@ template(`userdom_restricted_xwindows_user_template',`
+ 			gnome_role_template($1, $1_r, $1_t)
+        ')
+
+        optional_policy(`
+ 			wm_role_template($1, $1_r, $1_t)
+ 		')
 	')
 
 	optional_policy(`
@ -40901,7 +40906,6 @@ index 9dc60c6..b8ac8d9 100644
 -##	The template for creating a unprivileged user roughly
 -##	equivalent to a regular linux user.
 -## </summary>
-## <desc>
 +	optional_policy(`
 +		rtkit_scheduled($1_usertype)
 +	')
@ -40928,11 +40932,10 @@ index 9dc60c6..b8ac8d9 100644
 +##	The template for creating a unprivileged user roughly
 +##	equivalent to a regular linux user.
 +## </summary>
-+## <desc>
+ ## <desc>
 ##	<p>
 ##	The template for creating a unprivileged user roughly
- ##	equivalent to a regular linux user.
-@@ -987,27 +1316,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1319,33 @@ template(`userdom_unpriv_user_template', `
 	#
 
 	# Inherit rules for ordinary users.
@ -40970,7 +40973,7 @@ index 9dc60c6..b8ac8d9 100644
 			fs_manage_noxattr_fs_files($1_t)
 			fs_manage_noxattr_fs_dirs($1_t)
 			# Write floppies
-@@ -1018,23 +1353,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1356,60 @@ template(`userdom_unpriv_user_template', `
 		')
 	')
 
@ -40996,9 +40999,11 @@ index 9dc60c6..b8ac8d9 100644
 +
 +	tunable_policy(`selinuxuser_tcp_server',`
 +		corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		cdrecord_role($1_r, $1_t)
 +	')
 +
@ -41018,11 +41023,9 @@ index 9dc60c6..b8ac8d9 100644
 +		systemd_dbus_chat_timedated($1_t)
 +		systemd_dbus_chat_hostnamed($1_t)
 +		systemd_dbus_chat_localed($1_t)
- 	')
- 
- 	optional_policy(`
-		netutils_run_ping_cond($1_t, $1_r)
-		netutils_run_traceroute_cond($1_t, $1_r)
+	')
+
+	optional_policy(`
 +		gpm_stream_connect($1_usertype)
 +	')
 +
@ -41041,7 +41044,7 @@ index 9dc60c6..b8ac8d9 100644
 	')
 
 	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1415,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1418,9 @@ template(`userdom_unpriv_user_template', `
 	')
 
 	optional_policy(`
@ -41052,7 +41055,7 @@ index 9dc60c6..b8ac8d9 100644
 	')
 ')
 
-@@ -1079,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1456,9 @@ template(`userdom_unpriv_user_template', `
 template(`userdom_admin_user_template',`
 	gen_require(`
 		attribute admindomain;
@ -41063,7 +41066,7 @@ index 9dc60c6..b8ac8d9 100644
 	')
 
 	##############################
-@@ -1095,6 +1471,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1474,7 @@ template(`userdom_admin_user_template',`
 	role system_r types $1_t;
 
 	typeattribute $1_t admindomain;
@ -41071,7 +41074,7 @@ index 9dc60c6..b8ac8d9 100644
 
 	ifdef(`direct_sysadm_daemon',`
 		domain_system_change_exemption($1_t)
-@@ -1106,6 +1483,7 @@ template(`userdom_admin_user_template',`
+@@ -1106,6 +1486,7 @@ template(`userdom_admin_user_template',`
 	#
 
 	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@ -41079,7 +41082,7 @@ index 9dc60c6..b8ac8d9 100644
 	allow $1_t self:process { setexec setfscreate };
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 	allow $1_t self:tun_socket create;
-@@ -1114,6 +1492,9 @@ template(`userdom_admin_user_template',`
+@@ -1114,6 +1495,9 @@ template(`userdom_admin_user_template',`
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
@ -41089,7 +41092,7 @@ index 9dc60c6..b8ac8d9 100644
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
-@@ -1128,6 +1509,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1512,7 @@ template(`userdom_admin_user_template',`
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -41097,7 +41100,7 @@ index 9dc60c6..b8ac8d9 100644
 
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1145,10 +1527,14 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1530,14 @@ template(`userdom_admin_user_template',`
 	dev_rename_all_blk_files($1_t)
 	dev_rename_all_chr_files($1_t)
 	dev_create_generic_symlinks($1_t)
@ -41112,7 +41115,7 @@ index 9dc60c6..b8ac8d9 100644
 	domain_dontaudit_ptrace_all_domains($1_t)
 	# signal all domains:
 	domain_kill_all_domains($1_t)
-@@ -1159,29 +1545,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1548,38 @@ template(`userdom_admin_user_template',`
 	domain_sigchld_all_domains($1_t)
 	# for lsof
 	domain_getattr_all_sockets($1_t)
@ -41155,7 +41158,7 @@ index 9dc60c6..b8ac8d9 100644
 
 	# The following rule is temporary until such time that a complete
 	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1586,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1589,8 @@ template(`userdom_admin_user_template',`
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -41164,7 +41167,7 @@ index 9dc60c6..b8ac8d9 100644
 	userdom_manage_user_home_content_dirs($1_t)
 	userdom_manage_user_home_content_files($1_t)
 	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1595,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1598,17 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
 
@ -41183,7 +41186,7 @@ index 9dc60c6..b8ac8d9 100644
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1240,7 +1641,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1644,7 @@ template(`userdom_admin_user_template',`
 ##	</summary>
 ## </param>
 #
@ -41192,7 +41195,7 @@ index 9dc60c6..b8ac8d9 100644
 	allow $1 self:capability { dac_read_search dac_override };
 
 	corecmd_exec_shell($1)
-@@ -1250,6 +1651,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1654,8 @@ template(`userdom_security_admin_template',`
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -41201,7 +41204,7 @@ index 9dc60c6..b8ac8d9 100644
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1262,8 +1665,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1668,10 @@ template(`userdom_security_admin_template',`
 	selinux_set_enforce_mode($1)
 	selinux_set_all_booleans($1)
 	selinux_set_parameters($1)
@ -41213,7 +41216,7 @@ index 9dc60c6..b8ac8d9 100644
 	auth_relabel_shadow($1)
 
 	init_exec($1)
-@@ -1274,29 +1679,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1682,31 @@ template(`userdom_security_admin_template',`
 	logging_read_audit_config($1)
 
 	seutil_manage_bin_policy($1)
@ -41256,7 +41259,7 @@ index 9dc60c6..b8ac8d9 100644
 	')
 
 	optional_policy(`
-@@ -1357,14 +1764,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1767,17 @@ interface(`userdom_user_home_content',`
 	gen_require(`
 		attribute user_home_content_type;
 		type user_home_t;
@ -41275,7 +41278,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -1405,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1818,51 @@ interface(`userdom_user_tmpfs_file',`
 ## <summary>
 ##	Allow domain to attach to TUN devices created by administrative users.
 ## </summary>
@ -41327,7 +41330,7 @@ index 9dc60c6..b8ac8d9 100644
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
-@@ -1509,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1967,31 @@ interface(`userdom_search_user_home_dirs',`
 	')
 
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -41359,7 +41362,7 @@ index 9dc60c6..b8ac8d9 100644
 ##	Do not audit attempts to search user home directories.
 ## </summary>
 ## <desc>
-@@ -1555,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2033,14 @@ interface(`userdom_list_user_home_dirs',`
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -41374,7 +41377,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -1570,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2056,11 @@ interface(`userdom_list_user_home_dirs',`
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -41386,7 +41389,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -1629,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2117,42 @@ interface(`userdom_relabelto_user_home_dirs',`
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -41429,7 +41432,7 @@ index 9dc60c6..b8ac8d9 100644
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1708,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2232,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -41438,7 +41441,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -1741,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2267,12 @@ interface(`userdom_list_all_user_home_content',`
 #
 interface(`userdom_list_user_home_content',`
 	gen_require(`
@ -41453,7 +41456,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -1769,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2297,25 @@ interface(`userdom_manage_user_home_content_dirs',`
 
 ########################################
 ## <summary>
@ -41480,7 +41483,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1779,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2325,70 @@ interface(`userdom_manage_user_home_content_dirs',`
 #
 interface(`userdom_delete_all_user_home_content_dirs',`
 	gen_require(`
@ -41563,7 +41566,7 @@ index 9dc60c6..b8ac8d9 100644
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
-@@ -1845,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2408,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
 
 ########################################
 ## <summary>
@ -41589,7 +41592,7 @@ index 9dc60c6..b8ac8d9 100644
 ##	Mmap user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1875,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,14 +2457,36 @@ interface(`userdom_mmap_user_home_content_files',`
 interface(`userdom_read_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -41627,7 +41630,7 @@ index 9dc60c6..b8ac8d9 100644
 ##	Do not audit attempts to read user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1893,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2497,14 @@ interface(`userdom_read_user_home_content_files',`
 #
 interface(`userdom_dontaudit_read_user_home_content_files',`
 	gen_require(`
@ -41645,7 +41648,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -1938,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2545,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 
 ########################################
 ## <summary>
@ -41654,7 +41657,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1946,10 +2550,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2553,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -41667,7 +41670,7 @@ index 9dc60c6..b8ac8d9 100644
 	')
 
 	userdom_search_user_home_content($1)
-@@ -1958,7 +2561,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2564,7 @@ interface(`userdom_delete_all_user_home_content_files',`
 
 ########################################
 ## <summary>
@ -41676,7 +41679,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1966,12 +2569,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,17 +2572,71 @@ interface(`userdom_delete_all_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -41689,10 +41692,11 @@ index 9dc60c6..b8ac8d9 100644
 
 -	allow $1 user_home_t:file delete_file_perms;
 +	allow $1 user_home_type:file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write user home files.
 +##	Delete sock files in a user home subdirectory.
 +## </summary>
 +## <param name="domain">
@ -41743,10 +41747,15 @@ index 9dc60c6..b8ac8d9 100644
 +	')
 +
 +	allow $1 user_home_type:dir_file_class_set delete_file_perms;
- ')
- 
- ########################################
-@@ -2007,8 +2664,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write user home files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2007,8 +2667,7 @@ interface(`userdom_read_user_home_content_symlinks',`
 		type user_home_dir_t, user_home_t;
 	')
 
@ -41756,7 +41765,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -2024,21 +2680,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2683,14 @@ interface(`userdom_read_user_home_content_symlinks',`
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -41770,19 +41779,18 @@ index 9dc60c6..b8ac8d9 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
 	')
- 
-	tunable_policy(`use_samba_home_dirs',`
-		fs_exec_cifs_files($1)
-	')
 -')
-
+ 
 ########################################
 ## <summary>
- ##	Do not audit attempts to execute user home files.
-@@ -2120,7 +2770,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
 
 ########################################
 ## <summary>
@ -41791,7 +41799,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2128,19 +2778,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -41815,7 +41823,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2148,12 +2796,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -41831,7 +41839,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -2390,11 +3038,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
 	gen_require(`
@ -41846,7 +41854,7 @@ index 9dc60c6..b8ac8d9 100644
 	files_search_tmp($1)
 ')
 
-@@ -2414,7 +3062,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
 		type user_tmp_t;
 	')
 
@ -41855,7 +41863,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -2661,6 +3309,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3312,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 	files_tmp_filetrans($1, user_tmp_t, $2, $3)
 ')
 
@ -41881,7 +41889,7 @@ index 9dc60c6..b8ac8d9 100644
 ########################################
 ## <summary>
 ##	Read user tmpfs files.
-@@ -2677,13 +3344,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3347,14 @@ interface(`userdom_read_user_tmpfs_files',`
 	')
 
 	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -41897,7 +41905,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2704,7 +3372,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3375,7 @@ interface(`userdom_rw_user_tmpfs_files',`
 
 ########################################
 ## <summary>
@ -41906,7 +41914,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2712,14 +3380,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3383,30 @@ interface(`userdom_rw_user_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -41941,7 +41949,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -2814,6 +3498,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3501,24 @@ interface(`userdom_use_user_ttys',`
 
 ########################################
 ## <summary>
@ -41966,7 +41974,7 @@ index 9dc60c6..b8ac8d9 100644
 ##	Read and write a user domain pty.
 ## </summary>
 ## <param name="domain">
-@@ -2832,22 +3534,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3537,34 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
@ -42009,7 +42017,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-@@ -2856,14 +3570,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3573,33 @@ interface(`userdom_use_user_ptys',`
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -42047,7 +42055,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -2882,8 +3615,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3618,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
 		type user_tty_device_t, user_devpts_t;
 	')
 
@ -42077,7 +42085,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -2955,69 +3707,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3710,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
@ -42178,7 +42186,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3025,12 +3776,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3779,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 ##	</summary>
 ## </param>
 #
@ -42193,7 +42201,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -3094,7 +3845,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3848,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -42202,7 +42210,7 @@ index 9dc60c6..b8ac8d9 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
-@@ -3110,29 +3861,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +3864,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -42236,7 +42244,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -3214,7 +3949,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +3952,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
 
@ -42263,7 +42271,7 @@ index 9dc60c6..b8ac8d9 100644
 ')
 
 ########################################
-@@ -3269,12 +4022,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4025,13 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
 
@ -42279,7 +42287,7 @@ index 9dc60c6..b8ac8d9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3282,46 +4036,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,44 +4039,120 @@ interface(`userdom_write_user_tmp_files',`
 ##	</summary>
 ## </param>
 #
@ -42334,8 +42342,7 @@ index 9dc60c6..b8ac8d9 100644
 #
 -interface(`userdom_getattr_all_users',`
 +interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- 	gen_require(`
-		attribute userdomain;
+	gen_require(`
 +		type user_tmp_t;
 +	')
 +
@ -42410,12 +42417,10 @@ index 9dc60c6..b8ac8d9 100644
 +## </param>
 +#
 +interface(`userdom_getattr_all_users',`
-+	gen_require(`
-+		attribute userdomain;
+ 	gen_require(`
+ 		attribute userdomain;
 	')
- 
- 	allow $1 userdomain:process getattr;
-@@ -3382,6 +4212,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4215,42 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
 
@ -42458,7 +42463,7 @@ index 9dc60c6..b8ac8d9 100644
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4268,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4271,24 @@ interface(`userdom_sigchld_all_users',`
 
 ########################################
 ## <summary>
@ -42483,7 +42488,7 @@ index 9dc60c6..b8ac8d9 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4319,1630 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4322,1630 @@ interface(`userdom_dbus_send_all_users',`
 	')
 
 	allow $1 userdomain:dbus send_msg;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -26393,10 +26393,10 @@ index e39de43..5818f74 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..4b2e5f6 100644
+index ab09d61..d2cd4bf 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,52 +1,77 @@
+@@ -1,52 +1,78 @@
 -## <summary>GNU network object model environment.</summary>
 +## <summary>GNU network object model environment (GNOME)</summary>
 
@ -26491,16 +26491,20 @@ index ab09d61..4b2e5f6 100644
 		attribute gnomedomain, gkeyringd_domain;
 		attribute_role gconfd_roles;
 -		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
-+		type gkeyringd_exec_t, gkeyring_gnome_home_t, gkeyring_tmp_t;
+        type gnome_home_t;
+		type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t;
 		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
 		type gconf_home_t;
 +        class dbus send_msg;
 	')
 
 	########################################
-@@ -79,9 +104,11 @@ template(`gnome_role_template',`
- 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
+@@ -76,12 +102,12 @@ template(`gnome_role_template',`
+ 
+ 	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ 	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
+-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
 
 -	allow $3 gconfd_t:process { ptrace signal_perms };
 +	allow $3 gconfd_t:process { signal_perms };
@ -26511,28 +26515,24 @@ index ab09d61..4b2e5f6 100644
 	########################################
 	#
 	# Gkeyringd policy
-@@ -89,37 +116,91 @@ template(`gnome_role_template',`
+@@ -89,37 +115,85 @@ template(`gnome_role_template',`
 
 	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 
 -	allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
 -	allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
-+	allow $3 { gnome_home_t gkeyring_gnome_home_t gkeyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
-+	allow $3 { gnome_home_t gkeyring_gnome_home_t }:file { relabel_file_perms manage_file_perms };
+	allow $3 { gnome_home_t gkeyringd_gnome_home_t gkeyringd_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+	allow $3 { gnome_home_t gkeyringd_gnome_home_t }:file { relabel_file_perms manage_file_perms };
 
 -	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
 -	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
 -	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-+	userdom_home_manager($1_gkeyringd_t)
- 	
+-	
 -	gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
-+    gnome_home_dir_filetrans($3, gnome_home_t, ".gnome")
-+    gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2")
-+    gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2_private")
-+	gnome_home_dir_filetrans($3, gkeyring_gnome_home_t, "keyrings")
+	userdom_home_manager($1_gkeyringd_t)
 
 -	allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-+	allow $3 gkeyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
 
 	ps_process_pattern($3, $1_gkeyringd_t)
 -	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
@ -26566,7 +26566,6 @@ index ab09d61..4b2e5f6 100644
 	optional_policy(`
 -		dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 +        dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
-+		dbus_session_bus_client($1_gkeyringd_t)
 +		gnome_manage_generic_home_dirs($1_gkeyringd_t)
 +		gnome_read_generic_data_home_files($1_gkeyringd_t)
 +		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
@ -26615,7 +26614,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -127,18 +208,18 @@ template(`gnome_role_template',`
+@@ -127,18 +201,18 @@ template(`gnome_role_template',`
 ##	</summary>
 ## </param>
 #
@ -26639,7 +26638,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -146,119 +227,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +220,114 @@ interface(`gnome_exec_gconf',`
 ##	</summary>
 ## </param>
 #
@ -26796,7 +26795,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -266,15 +342,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +335,21 @@ interface(`gnome_create_generic_home_dirs',`
 ##	</summary>
 ## </param>
 #
@ -26823,7 +26822,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -282,57 +364,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +357,89 @@ interface(`gnome_setattr_config_dirs',`
 ##	</summary>
 ## </param>
 #
@ -26931,7 +26930,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -340,15 +454,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +447,18 @@ interface(`gnome_read_generic_home_content',`
 ##	</summary>
 ## </param>
 #
@ -26955,7 +26954,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -356,22 +473,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +466,18 @@ interface(`gnome_manage_config',`
 ##	</summary>
 ## </param>
 #
@ -26983,7 +26982,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -379,53 +492,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +485,37 @@ interface(`gnome_manage_generic_home_content',`
 ##	</summary>
 ## </param>
 #
@ -27045,7 +27044,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -433,17 +530,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +523,18 @@ interface(`gnome_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -27068,7 +27067,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -451,23 +549,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +542,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
 ##	</summary>
 ## </param>
 #
@ -27096,7 +27095,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -475,82 +568,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,82 +561,73 @@ interface(`gnome_read_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
@ -27203,7 +27202,7 @@ index ab09d61..4b2e5f6 100644
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
-@@ -559,52 +643,77 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -559,52 +636,77 @@ interface(`gnome_home_filetrans_gconf_home',`
 ##	</summary>
 ## </param>
 #
@ -27302,7 +27301,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -612,93 +721,86 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,93 +714,86 @@ interface(`gnome_gconf_home_filetrans',`
 ##	</summary>
 ## </param>
 #
@ -27427,7 +27426,7 @@ index ab09d61..4b2e5f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -706,12 +808,912 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +801,912 @@ interface(`gnome_stream_connect_gkeyringd',`
 ##	</summary>
 ## </param>
 #
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -575,6 +575,9 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-4
+- Fix gnome_role_template() interface
+
 * Thu Nov 14 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-3
 - Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh