fix up entrypoints

refpolicy/policy/modules/apps/games.if

@@ -41,6 +41,7 @@ template(`games_per_userdomain_template',`
 
 	type $1_games_t;
 	domain_type($1_games_t)
+	domain_entry_file($1_games_t,games_exec_t)
 	role $3 types $1_games_t;
 
 	type $1_games_devpts_t;

refpolicy/policy/modules/apps/java.if

@@ -44,6 +44,7 @@ template(`java_per_userdomain_template',`
 
 	type $1_javaplugin_t;
 	domain_type($1_javaplugin_t)
+	domain_entry_file($1_javaplugin_t,java_exec_t)
 	role $3 types $1_javaplugin_t;
 	
 	type $1_javaplugin_tmp_t;

refpolicy/policy/modules/services/dbus.if

@@ -49,11 +49,6 @@ interface(`dbus_stub',`
 ## </param>
 #
 template(`dbus_per_userdomain_template',`
-	gen_require(`
-		type system_dbusd_t, dbusd_etc_t;
-		type system_dbusd_exec_t;
-		class dbus { send_msg acquire_svc };
-	')
 
 	##############################
 	#
@@ -61,6 +56,7 @@ template(`dbus_per_userdomain_template',`
 	#
 	type $1_dbusd_t;
 	domain_type($1_dbusd_t)
+	domain_entry_file($1_dbusd_t,system_dbusd_exec_t)
 	role $3 types $1_dbusd_t;
 
 	type $1_dbusd_$1_t;

refpolicy/policy/modules/system/ipsec.te

@@ -26,6 +26,7 @@ files_pid_file(ipsec_var_run_t)
 type ipsec_mgmt_t;
 type ipsec_mgmt_exec_t;
 init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+corecmd_shell_entry_type(ipsec_mgmt_t)
 role system_r types ipsec_mgmt_t;
 
 type ipsec_mgmt_lock_t;

refpolicy/policy/modules/system/userdomain.if

@@ -31,6 +31,8 @@ template(`base_user_template',`
 	type $1_t, userdomain;
 	domain_type($1_t)
 	corecmd_shell_entry_type($1_t)
+	corecmd_bin_entry_type($1_t)
+	corecmd_sbin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	role $1_r types $1_t;
 	allow system_r $1_r;
@@ -105,7 +107,7 @@ template(`base_user_template',`
 	can_exec($1_t,$1_home_t)
 
 	# full control of the home directory
-	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
 	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };