trunk: Move user roles into individual modules.

Changelog

@@ -1,3 +1,4 @@
+- Move user roles into individual modules.
 - Make hald_log_t a log file.
 - Cryptsetup runs shell scripts.  Patch from Martin Orr.
 - Add file for enabling policy capabilities.

policy/modules/admin/acct.te

@@ -1,5 +1,5 @@
 
-policy_module(acct,1.1.0)
+policy_module(acct,1.1.1)
 
 ########################################
 #
@@ -66,9 +66,10 @@ logging_send_syslog_msg(acct_t)
 
 miscfiles_read_localization(acct_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(acct_t)
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
 
+sysadm_dontaudit_search_home_dirs(acct_t)
+
 optional_policy(`
 	optional_policy(`
 		# for monthly cron job

policy/modules/admin/alsa.te

@@ -1,5 +1,5 @@
 
-policy_module(alsa,1.4.0)
+policy_module(alsa,1.4.1)
 
 ########################################
 #
@@ -60,8 +60,10 @@ miscfiles_read_localization(alsa_t)
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
-userdom_search_generic_user_home_dirs(alsa_t)
-userdom_dontaudit_search_sysadm_home_dirs(alsa_t)
+
+sysadm_dontaudit_search_home_dirs(alsa_t)
+
+unprivuser_search_home_dirs(alsa_t)
 
 optional_policy(`
 	hal_use_fds(alsa_t)

policy/modules/admin/amanda.te

@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.8.0)
+policy_module(amanda,1.8.1)
 
 #######################################
 #
@@ -181,7 +181,7 @@ manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
+sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
 manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
@@ -228,4 +228,4 @@ logging_search_logs(amanda_recover_t)
 
 miscfiles_read_localization(amanda_recover_t)
 
-userdom_search_sysadm_home_content_dirs(amanda_recover_t)
+sysadm_search_home_content_dirs(amanda_recover_t)

policy/modules/admin/anaconda.te

@@ -1,5 +1,5 @@
 
-policy_module(anaconda,1.2.0)
+policy_module(anaconda,1.2.1)
 
 ########################################
 #
@@ -34,7 +34,7 @@ seutil_domtrans_semanage(anaconda_t)
 
 unconfined_domain(anaconda_t)
 
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	dmesg_domtrans(anaconda_t)

policy/modules/admin/bootloader.te

@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.7.0)
+policy_module(bootloader,1.7.1)
 
 ########################################
 #
@@ -212,6 +212,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
-	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+	staff_dontaudit_search_home_dirs(bootloader_t)
+')
+
+optional_policy(`
+	sysadm_dontaudit_search_home_dirs(bootloader_t)
 ')

policy/modules/admin/dmesg.te

@@ -1,5 +1,5 @@
 
-policy_module(dmesg,1.1.0)
+policy_module(dmesg,1.1.1)
 
 ########################################
 #
@@ -50,9 +50,10 @@ logging_write_generic_logs(dmesg_t)
 
 miscfiles_read_localization(dmesg_t)
 
-userdom_use_sysadm_terms(dmesg_t)
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
 
+sysadm_use_terms(dmesg_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(dmesg_t)
 ')

policy/modules/admin/firstboot.te

@@ -1,5 +1,5 @@
 
-policy_module(firstboot,1.6.0)
+policy_module(firstboot,1.6.1)
 
 gen_require(`
 	class passwd rootok;
@@ -88,13 +88,13 @@ modutils_read_module_config(firstboot_t)
 modutils_read_module_deps(firstboot_t)
 
 # Add/remove user home directories
-userdom_manage_generic_user_home_content_dirs(firstboot_t)
-userdom_manage_generic_user_home_content_files(firstboot_t)
-userdom_manage_generic_user_home_content_symlinks(firstboot_t)
-userdom_manage_generic_user_home_content_pipes(firstboot_t)
-userdom_manage_generic_user_home_content_sockets(firstboot_t)
-userdom_home_filetrans_generic_user_home_dir(firstboot_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_manage_home_content_dirs(firstboot_t)
+unprivuser_manage_home_content_files(firstboot_t)
+unprivuser_manage_home_content_symlinks(firstboot_t)
+unprivuser_manage_home_content_pipes(firstboot_t)
+unprivuser_manage_home_content_sockets(firstboot_t)
+unprivuser_home_filetrans_home_dir(firstboot_t)
+unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	hal_dbus_chat(firstboot_t)

policy/modules/admin/kudzu.te

@@ -1,5 +1,5 @@
 
-policy_module(kudzu,1.5.0)
+policy_module(kudzu,1.5.1)
 
 ########################################
 #
@@ -122,9 +122,10 @@ modutils_domtrans_insmod(kudzu_t)
 
 sysnet_read_config(kudzu_t)
 
-userdom_search_sysadm_home_dirs(kudzu_t)
 userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
 
+sysadm_search_home_dirs(kudzu_t)
+
 optional_policy(`
 	gpm_getattr_gpmctl(kudzu_t)
 ')

policy/modules/admin/logrotate.te

@@ -1,5 +1,5 @@
 
-policy_module(logrotate,1.8.0)
+policy_module(logrotate,1.8.1)
 
 ########################################
 #
@@ -115,7 +115,6 @@ miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
@@ -123,6 +122,8 @@ cron_search_spool(logrotate_t)
 
 mta_send_mail(logrotate_t)
 
+sysadm_dontaudit_search_home_dirs(logrotate_t)
+
 ifdef(`distro_debian', `
 	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 	# for savelog

policy/modules/admin/logwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(logwatch,1.7.0)
+policy_module(logwatch,1.7.1)
 
 #################################
 #
@@ -88,11 +88,10 @@ selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_dns_name_resolve(logwatch_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-
 mta_send_mail(logwatch_t)
 
+sysadm_dontaudit_search_home_dirs(logwatch_t)
+
 optional_policy(`
 	apache_read_log(logwatch_t)
 ')

policy/modules/admin/mrtg.te

@@ -1,5 +1,5 @@
 
-policy_module(mrtg,1.3.0)
+policy_module(mrtg,1.3.1)
 
 ########################################
 #
@@ -115,7 +115,8 @@ selinux_dontaudit_getattr_dir(mrtg_t)
 sysnet_read_config(mrtg_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
-userdom_use_sysadm_terms(mrtg_t)
+
+sysadm_use_terms(mrtg_t)
 
 ifdef(`enable_mls',`
 	corenet_udp_sendrecv_lo_if(mrtg_t)

policy/modules/admin/portage.if

@@ -272,7 +272,7 @@ interface(`portage_fetch_domain',`
 	sysnet_read_config($1)
 	sysnet_dns_name_resolve($1)
 
-	userdom_dontaudit_read_sysadm_home_content_files($1)
+	sysadm_dontaudit_read_home_content_files($1)
 
 	ifdef(`hide_broken_symptoms',`
 		dontaudit $1 portage_cache_t:file read;

policy/modules/admin/portage.te

@@ -1,5 +1,5 @@
 
-policy_module(portage,1.5.0)
+policy_module(portage,1.5.1)
 
 ########################################
 #

policy/modules/admin/readahead.te

@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.5.0)
+policy_module(readahead,1.5.1)
 
 ########################################
 #
@@ -79,7 +79,8 @@ logging_dontaudit_search_audit_config(readahead_t)
 miscfiles_read_localization(readahead_t)
 
 userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
+
+sysadm_dontaudit_search_home_dirs(readahead_t)
 
 optional_policy(`
 	cron_system_entry(readahead_t, readahead_exec_t)

policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.10.0)
+policy_module(usermanage,1.10.1)
 
 ########################################
 #
@@ -159,7 +159,7 @@ libs_use_shared_libs(crack_t)
 
 logging_send_syslog_msg(crack_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(crack_t)
+sysadm_dontaudit_search_home_dirs(crack_t)
 
 ifdef(`distro_debian',`
 	# the package cracklib-runtime on Debian contains a daily maintenance
@@ -236,8 +236,9 @@ auth_use_nsswitch(groupadd_t)
 seutil_read_config(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
+
 # for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
+sysadm_dontaudit_search_home_dirs(groupadd_t)
 
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
@@ -501,13 +502,11 @@ seutil_domtrans_semanage(useradd_t)
 seutil_domtrans_setfiles(useradd_t)
 
 userdom_use_unpriv_users_fds(useradd_t)
-# for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
-userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_all_users_home_content_dirs(useradd_t)
 userdom_manage_all_users_home_content_files(useradd_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
+unprivuser_home_filetrans_home_dir(useradd_t)
+unprivuser_home_dir_filetrans_home_content(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
 

policy/modules/apps/calamaris.te

@@ -1,5 +1,5 @@
 
-policy_module(calamaris,1.2.0)
+policy_module(calamaris,1.2.1)
 
 ########################################
 #
@@ -67,7 +67,7 @@ miscfiles_read_localization(calamaris_t)
 
 sysnet_read_config(calamaris_t)
 
-userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
+sysadm_dontaudit_list_home_dirs(calamaris_t)
 
 squid_read_log(calamaris_t)
 

policy/modules/apps/games.te

@@ -1,5 +1,5 @@
 
-policy_module(games,1.6.0)
+policy_module(games,1.6.1)
 
 ########################################
 #
@@ -58,7 +58,8 @@ logging_send_syslog_msg(games_t)
 miscfiles_read_localization(games_t)
 
 userdom_dontaudit_use_unpriv_user_fds(games_t)
-userdom_dontaudit_search_sysadm_home_dirs(games_t)
+
+sysadm_dontaudit_search_home_dirs(games_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(games_t)

policy/modules/apps/mono.te

@@ -1,5 +1,5 @@
 
-policy_module(mono,1.4.0)
+policy_module(mono,1.4.1)
 
 ########################################
 #
@@ -17,7 +17,7 @@ init_system_domain(mono_t,mono_exec_t)
 
 allow mono_t self:process { execheap execmem };
 
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
 
 init_dbus_chat_script(mono_t)
 

policy/modules/apps/uml.te

@@ -1,5 +1,5 @@
 
-policy_module(uml,1.5.0)
+policy_module(uml,1.5.1)
 
 ########################################
 #
@@ -57,7 +57,8 @@ logging_send_syslog_msg(uml_switch_t)
 miscfiles_read_localization(uml_switch_t)
 
 userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
-userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
+
+sysadm_dontaudit_search_home_dirs(uml_switch_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(uml_switch_t)

policy/modules/apps/userhelper.if

@@ -161,8 +161,8 @@ template(`userhelper_per_role_template',`
 
 	tunable_policy(`! secure_mode',`
 		#if we are not in secure mode then we can transition to sysadm_t
-		userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
-		userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
+		sysadm_bin_spec_domtrans($1_userhelper_t)
+		sysadm_entry_spec_domtrans($1_userhelper_t)
 	')
 	
 	optional_policy(`

policy/modules/apps/userhelper.te

@@ -1,5 +1,5 @@
 
-policy_module(userhelper,1.3.0)
+policy_module(userhelper,1.3.1)
 
 ########################################
 #

policy/modules/apps/vmware.te

@@ -1,5 +1,5 @@
 
-policy_module(vmware,1.5.0)
+policy_module(vmware,1.5.1)
 
 ########################################
 #
@@ -87,7 +87,8 @@ miscfiles_read_localization(vmware_host_t)
 sysnet_dns_name_resolve(vmware_host_t)
 
 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
-userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
+
+sysadm_dontaudit_search_home_dirs(vmware_host_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(vmware_host_t)

policy/modules/roles/auditadm.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/auditadm.if

@@ -0,0 +1,45 @@
+## <summary>Audit administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`auditadm_role_change_template',`
+	userdom_role_change_template($1, auditadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`auditadm_role_change_to_template',`
+	userdom_role_change_template(auditadm, $1)
+')
+

policy/modules/roles/auditadm.te

@@ -0,0 +1,50 @@
+
+policy_module(auditadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role auditadm_r;
+
+userdom_unpriv_user_template(auditadm)
+
+########################################
+#
+# Local policy
+#
+
+allow auditadm_t self:capability { dac_read_search dac_override };
+
+corecmd_exec_shell(auditadm_t)
+
+domain_kill_all_domains(auditadm_t)
+
+logging_send_syslog_msg(auditadm_t)
+logging_read_generic_logs(auditadm_t)
+logging_manage_audit_log(auditadm_t)
+logging_manage_audit_config(auditadm_t)
+logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+
+seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+seutil_read_bin_policy(auditadm_t)
+
+optional_policy(`
+	consoletype_exec(auditadm_t)
+')
+
+optional_policy(`
+	dmesg_exec(auditadm_t)
+')
+
+optional_policy(`
+	secadm_role_change_template(auditadm)
+')
+
+optional_policy(`
+	sysadm_role_change_template(auditadm)
+	sysadm_dontaudit_read_home_content_files(auditadm_t)
+')
+

policy/modules/roles/metadata.xml

@@ -0,0 +1 @@
+<summary>Policy modules for user roles.</summary>

policy/modules/roles/secadm.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/secadm.if

@@ -0,0 +1,45 @@
+## <summary>Security administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`secadm_role_change_template',`
+	userdom_role_change_template($1, secadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`secadm_role_change_to_template',`
+	userdom_role_change_template(secadm, $1)
+')
+

policy/modules/roles/secadm.te

@@ -0,0 +1,62 @@
+
+policy_module(secadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role secadm_r;
+
+userdom_unpriv_user_template(secadm)
+userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+
+########################################
+#
+# Local policy
+#
+
+allow secadm_t self:capability { dac_read_search dac_override };
+
+corecmd_exec_shell(secadm_t)
+
+dev_relabel_all_dev_nodes(secadm_t)
+
+domain_obj_id_change_exemption(secadm_t)
+
+mls_process_read_up(secadm_t)
+mls_file_read_all_levels(secadm_t)
+mls_file_write_all_levels(secadm_t)
+mls_file_upgrade(secadm_t)
+mls_file_downgrade(secadm_t)
+
+auth_relabel_all_files_except_shadow(secadm_t)
+auth_relabel_shadow(secadm_t)
+
+init_exec(secadm_t)
+
+logging_read_audit_log(secadm_t)
+logging_read_generic_logs(secadm_t)
+logging_read_audit_config(secadm_t)
+
+optional_policy(`
+	aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+	auditadm_role_change_template(secadm)
+')
+
+optional_policy(`
+	netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+	staff_dontaudit_append_home_content_files(secadm_t)
+')
+
+optional_policy(`
+	sysadm_role_change_template(secadm)
+	sysadm_dontaudit_read_home_content_files(secadm_t)
+')
+

policy/modules/roles/staff.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/staff.if

@@ -0,0 +1,162 @@
+## <summary>Administrator's unprivileged user role</summary>
+
+########################################
+## <summary>
+##	Change to the staff role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_template',`
+	userdom_role_change_template($1, staff)
+')
+
+########################################
+## <summary>
+##	Change from the staff role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the staff role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_to_template',`
+	userdom_role_change_template(staff, $1)
+')
+
+########################################
+## <summary>
+##	Search the staff users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_search_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`staff_dontaudit_search_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	dontaudit $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete staff
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_manage_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to staff home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_relabelto_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`staff_dontaudit_append_home_content_files',`
+	gen_require(`
+		type staff_home_t;
+	')
+
+	dontaudit $1 staff_home_t:file append;
+')
+
+########################################
+## <summary>
+##	Read files in the staff users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_read_home_content_files',`
+	gen_require(`
+		type staff_home_dir_t, staff_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
+	read_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+	read_lnk_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+')
+

policy/modules/roles/staff.te

@@ -0,0 +1,30 @@
+
+policy_module(staff, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role staff_r;
+
+userdom_unpriv_user_template(staff)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+	auditadm_role_change_template(staff)
+')
+
+optional_policy(`
+	secadm_role_change_template(staff)
+')
+
+optional_policy(`
+	sysadm_role_change_template(staff)
+	sysadm_dontaudit_use_terms(staff_t)
+')
+

policy/modules/roles/sysadm.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/sysadm.if

@@ -0,0 +1,547 @@
+## <summary>General system administration role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`sysadm_role_change_template',`
+	userdom_role_change_template($1, sysadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`sysadm_role_change_to_template',`
+	userdom_role_change_template(sysadm, $1)
+')
+
+########################################
+## <summary>
+##	Execute a shell in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_shell_domtrans',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_shell_domtrans($1, sysadm_t)
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a generic bin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_bin_spec_domtrans($1, sysadm_t)
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute all entrypoint files in the sysadm domain. This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_file_spec_domtrans($1, sysadm_t)
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow sysadm to execute a generic bin program in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute a generic bin program in
+##	a specified domain.
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_bin_spec_domtrans(sysadm_t, $1)
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to sysadm users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_sigchld',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use sysadm file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_fds',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read and write sysadm user unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_rw_pipes',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attepts to get the attributes
+##	of sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_getattr_ttys',`
+	gen_require(`
+		type sysadm_tty_device_t;
+	')
+
+	dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_ttys',`
+	gen_require(`
+		type sysadm_tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	term_list_ptys($1)
+	allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_ttys',`
+	gen_require(`
+		type sysadm_tty_device_t;
+	')
+
+	dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_ptys',`
+	gen_require(`
+		type sysadm_devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	term_list_ptys($1)
+	allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Dont audit attempts to read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_ptys',`
+	gen_require(`
+		type sysadm_devpts_t;
+	')
+
+	dontaudit $1 sysadm_devpts_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_terms',`
+	sysadm_use_ttys($1)
+	sysadm_use_ptys($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_terms',`
+	sysadm_dontaudit_use_ttys($1)
+	sysadm_dontaudit_use_ptys($1)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_getattr_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_getattr_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_search_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_search_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_list_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_list_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in sysadm home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	If not specified, file is used.
+##	</summary>
+## </param>
+#
+interface(`sysadm_home_dir_filetrans',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Search the sysadm users home sub directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_search_home_content_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the sysadm home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_read_home_content_files',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+	read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+	read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files in the sysadm
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_read_home_content_files',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+	dontaudit $1 sysadm_home_t:dir search_dir_perms;
+	dontaudit $1 sysadm_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read sysadm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_read_tmp_files',`
+	gen_require(`
+		type sysadm_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 sysadm_tmp_t:dir list_dir_perms;
+	read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+	read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+')
+

policy/modules/roles/sysadm.te

@@ -0,0 +1,330 @@
+
+policy_module(sysadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+role sysadm_r;
+
+userdom_admin_user_template(sysadm)
+
+ifndef(`enable_mls',`
+	userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+########################################
+#
+# Local policy
+#
+
+corecmd_exec_shell(sysadm_t)
+
+mls_process_read_up(sysadm_t)
+
+init_exec(sysadm_t)
+
+# For sending reboot and wall messages
+userdom_use_unpriv_users_ptys(sysadm_t)
+userdom_use_unpriv_users_ttys(sysadm_t)
+
+ifdef(`direct_sysadm_daemon',`
+	optional_policy(`
+		init_run_daemon(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	')
+',`
+	ifdef(`distro_gentoo',`
+		optional_policy(`
+			seutil_init_script_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+		')
+	')
+')
+
+ifndef(`enable_mls',`
+	logging_manage_audit_log(sysadm_t)
+	logging_manage_audit_config(sysadm_t)
+	logging_run_auditctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+tunable_policy(`allow_ptrace',`
+	domain_ptrace_all_domains(sysadm_t)
+')
+
+optional_policy(`
+	amanda_run_recover(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	apache_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	#apache_run_all_scripts(sysadm_t, sysadm_r)
+	#apache_domtrans_sys_script(sysadm_t)
+')
+
+optional_policy(`
+	# cjp: why is this not apm_run_client
+	apm_domtrans_client(sysadm_t)
+')
+
+optional_policy(`
+	apt_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	auditadm_role_change_template(sysadm)
+')
+
+optional_policy(`
+	backup_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	bind_run_ndc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	bootloader_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	certwatch_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	clock_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	clockspeed_run_cli(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	cron_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cvs_exec(sysadm_t)
+')
+
+optional_policy(`
+	dcc_run_cdcc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	dcc_run_client(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	dcc_run_dbclean(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	ddcprobe_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	dmesg_exec(sysadm_t)
+')
+
+optional_policy(`
+	dmidecode_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	dpkg_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
+')
+
+optional_policy(`
+	fstools_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	hostname_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	# allow system administrator to use the ipsec script to look
+	# at things (e.g., ipsec auto --status)
+	# probably should create an ipsec_admin role for this kind of thing
+	ipsec_exec_mgmt(sysadm_t)
+	ipsec_stream_connect(sysadm_t)
+	# for lsof
+	ipsec_getattr_key_sockets(sysadm_t)
+')
+
+optional_policy(`
+	iptables_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	libs_run_ldconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	logrotate_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lvm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	modutils_run_depmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	modutils_run_insmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	modutils_run_update_mods(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	mount_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	mta_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	munin_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+	netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	ntp_stub()
+	corenet_udp_bind_ntp_port(sysadm_t)
+')
+
+optional_policy(`
+	oav_run_update(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	pcmcia_run_cardctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	portage_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	portage_run_gcc_config(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	portmap_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	quota_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	raid_domtrans_mdadm(sysadm_t)
+')
+
+optional_policy(`
+	rpc_domtrans_nfsd(sysadm_t)
+')
+
+optional_policy(`
+	rpm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	rsync_exec(sysadm_t)
+')
+
+optional_policy(`
+	samba_run_net(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	samba_run_winbind_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	secadm_role_change_template(sysadm)
+')
+
+optional_policy(`
+	seutil_run_setfiles(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	seutil_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	staff_role_change_template(sysadm)
+')
+
+optional_policy(`
+	sysnet_run_ifconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	sysnet_run_dhcpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	tripwire_run_siggen(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	tripwire_run_tripwire(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	tripwire_run_twadmin(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	tripwire_run_twprint(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	tzdata_domtrans(sysadm_t)
+')
+
+optional_policy(`
+	unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	# Add/remove user home directories
+	unprivuser_manage_home_dirs(sysadm_t)
+	unprivuser_home_filetrans_home_dir(sysadm_t)
+
+	unprivuser_role_change_template(sysadm)
+')
+
+optional_policy(`
+	usbmodules_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	usermanage_run_admin_passwd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	usermanage_run_groupadd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	usermanage_run_useradd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	vpn_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	webalizer_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')

policy/modules/roles/unprivuser.fc

@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon

policy/modules/roles/unprivuser.if

@@ -0,0 +1,325 @@
+## <summary>Generic unprivileged user role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`unprivuser_role_change_template',`
+	userdom_role_change_template($1, user)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`unprivuser_role_change_to_template',`
+	userdom_role_change_template(user, $1)
+')
+
+########################################
+## <summary>
+##	Create generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_home_filetrans_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_home_filetrans($1,user_home_dir_t,dir)
+')
+
+########################################
+## <summary>
+##	Search generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_search_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	If not specified, file is used.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_home_dir_filetrans_home_content',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
+')
+
+########################################
+## <summary>
+##	Don't audit search on the user home subdirectory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_search_home_dirs',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	subdirectories of generic user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_dirs',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Relabel to generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_relabelto_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Read files in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_read_home_content_files',`
+	gen_require(`
+		type user_home_t, user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_t:dir list_dir_perms;
+	read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Mmap of generic user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_mmap_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_t:file execute;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_files',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to relabel generic user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_relabel_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_symlinks',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	pipes in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_pipes',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	sockets in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_sockets',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+

policy/modules/roles/unprivuser.te

@@ -0,0 +1,15 @@
+
+policy_module(unprivuser, 1.0.0)
+
+# this module should be named user, but that is
+# a compile error since user is a keyword.
+
+########################################
+#
+# Declarations
+#
+
+role user_r;
+
+userdom_unpriv_user_template(user)
+

policy/modules/services/afs.te

@@ -1,5 +1,5 @@
 
-policy_module(afs,1.2.0)
+policy_module(afs,1.2.1)
 
 ########################################
 #
@@ -186,8 +186,7 @@ seutil_read_config(afs_fsserver_t)
 
 sysnet_read_config(afs_fsserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_fsserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_fsserver_t)
+sysadm_dontaudit_use_terms(afs_fsserver_t)
 
 ########################################
 #
@@ -235,8 +234,7 @@ seutil_read_config(afs_kaserver_t)
 
 sysnet_read_config(afs_kaserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_kaserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_kaserver_t)
+sysadm_dontaudit_use_terms(afs_kaserver_t)
 
 ########################################
 #
@@ -277,8 +275,7 @@ miscfiles_read_localization(afs_ptserver_t)
 
 sysnet_read_config(afs_ptserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_ptserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_ptserver_t)
+sysadm_dontaudit_use_terms(afs_ptserver_t)
 
 ########################################
 #
@@ -319,5 +316,4 @@ miscfiles_read_localization(afs_vlserver_t)
 
 sysnet_read_config(afs_vlserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_vlserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_vlserver_t)
+sysadm_dontaudit_use_terms(afs_vlserver_t)

policy/modules/services/amavis.te

@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.6.0)
+policy_module(amavis,1.6.1)
 
 ########################################
 #
@@ -143,8 +143,6 @@ miscfiles_read_localization(amavis_t)
 sysnet_dns_name_resolve(amavis_t)
 sysnet_use_ldap(amavis_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
-
 # Cron handling
 cron_use_fds(amavis_t)
 cron_use_system_job_fds(amavis_t)
@@ -152,6 +150,8 @@ cron_rw_pipes(amavis_t)
 
 mta_read_config(amavis_t)
 
+sysadm_dontaudit_search_home_dirs(amavis_t)
+
 optional_policy(`
 	clamav_stream_connect(amavis_t)
 	clamav_domtrans_clamscan(amavis_t)

policy/modules/services/apache.te

@@ -1,5 +1,5 @@
 
-policy_module(apache,1.9.0)
+policy_module(apache,1.9.1)
 
 #
 # NOTES: 
@@ -419,9 +419,9 @@ tunable_policy(`httpd_tty_comm',`
 	# cjp: this is redundant:
 	term_use_controlling_term(httpd_t)
 
-	userdom_use_sysadm_terms(httpd_t)
+	sysadm_use_terms(httpd_t)
 ',`
-	userdom_dontaudit_use_sysadm_terms(httpd_t)
+	sysadm_dontaudit_use_terms(httpd_t)
 ')
 
 optional_policy(`
@@ -515,10 +515,7 @@ libs_use_shared_libs(httpd_helper_t)
 logging_send_syslog_msg(httpd_helper_t)
 
 tunable_policy(`httpd_tty_comm',`
-	# cjp: this is redundant:
-	term_use_controlling_term(httpd_helper_t)
-
-	userdom_use_sysadm_terms(httpd_helper_t)
+	sysadm_use_terms(httpd_helper_t)
 ')
 
 ########################################

policy/modules/services/apm.te

@@ -1,5 +1,5 @@
 
-policy_module(apm,1.6.0)
+policy_module(apm,1.6.1)
 
 ########################################
 #
@@ -139,9 +139,10 @@ modutils_read_module_config(apmd_t)
 seutil_dontaudit_read_config(apmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_sysadm_home_dirs(apmd_t)
 userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
 
+sysadm_dontaudit_search_home_dirs(apmd_t)
+
 ifdef(`distro_redhat',`
 	allow apmd_t apmd_lock_t:file manage_file_perms;
 	files_lock_filetrans(apmd_t,apmd_lock_t,file)

policy/modules/services/arpwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(arpwatch,1.5.0)
+policy_module(arpwatch,1.5.1)
 
 ########################################
 #
@@ -81,10 +81,11 @@ logging_send_syslog_msg(arpwatch_t)
 miscfiles_read_localization(arpwatch_t)
 
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
-userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
 
 mta_send_mail(arpwatch_t)
 
+sysadm_dontaudit_search_home_dirs(arpwatch_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(arpwatch_t)
 ')

policy/modules/services/asterisk.te

@@ -1,5 +1,5 @@
 
-policy_module(asterisk,1.4.0)
+policy_module(asterisk,1.4.1)
 
 ########################################
 #
@@ -126,7 +126,8 @@ miscfiles_read_localization(asterisk_t)
 sysnet_read_config(asterisk_t)
 
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
-userdom_dontaudit_search_sysadm_home_dirs(asterisk_t)
+
+sysadm_dontaudit_search_home_dirs(asterisk_t)
 
 optional_policy(`
 	nis_use_ypbind(asterisk_t)

policy/modules/services/audioentropy.te

@@ -1,5 +1,5 @@
 
-policy_module(audio_entropy,1.3.0)
+policy_module(audio_entropy,1.3.1)
 
 ########################################
 #
@@ -49,7 +49,8 @@ logging_send_syslog_msg(entropyd_t)
 miscfiles_read_localization(entropyd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
-userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
+
+sysadm_dontaudit_search_home_dirs(entropyd_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(entropyd_t)

policy/modules/services/automount.te

@@ -1,5 +1,5 @@
 
-policy_module(automount,1.8.0)
+policy_module(automount,1.8.1)
 
 ########################################
 #
@@ -145,7 +145,8 @@ sysnet_use_ldap(automount_t)
 sysnet_read_config(automount_t)
 
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
-userdom_dontaudit_search_sysadm_home_dirs(automount_t)
+
+sysadm_dontaudit_search_home_dirs(automount_t)
 
 optional_policy(`
 	bind_search_cache(automount_t)

policy/modules/services/avahi.te

@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.8.0)
+policy_module(avahi,1.8.1)
 
 ########################################
 #
@@ -78,7 +78,8 @@ logging_send_syslog_msg(avahi_t)
 miscfiles_read_localization(avahi_t)
 
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
-userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+
+sysadm_dontaudit_search_home_dirs(avahi_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(avahi,avahi_t)

policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,1.6.0)
+policy_module(bind,1.6.1)
 
 ########################################
 #
@@ -147,7 +147,8 @@ miscfiles_read_certs(named_t)
 sysnet_read_config(named_t)
 
 userdom_dontaudit_use_unpriv_user_fds(named_t)
-userdom_dontaudit_search_sysadm_home_dirs(named_t)
+
+sysadm_dontaudit_search_home_dirs(named_t)
 
 tunable_policy(`named_write_master_zones',`
 	manage_dirs_pattern(named_t,named_zone_t,named_zone_t)

policy/modules/services/bluetooth.te

@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,2.1.0)
+policy_module(bluetooth,2.1.1)
 
 ########################################
 #
@@ -121,8 +121,9 @@ miscfiles_read_fonts(bluetooth_t)
 sysnet_read_config(bluetooth_t)
 
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
-userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
+
+sysadm_dontaudit_use_ptys(bluetooth_t)
+sysadm_dontaudit_search_home_dirs(bluetooth_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(bluetooth,bluetooth_t)

policy/modules/services/canna.te

@@ -1,5 +1,5 @@
 
-policy_module(canna,1.6.0)
+policy_module(canna,1.6.1)
 
 ########################################
 #
@@ -78,7 +78,8 @@ miscfiles_read_localization(canna_t)
 sysnet_read_config(canna_t)
 
 userdom_dontaudit_use_unpriv_user_fds(canna_t)
-userdom_dontaudit_search_sysadm_home_dirs(canna_t)
+
+sysadm_dontaudit_search_home_dirs(canna_t)
 
 optional_policy(`
 	nis_use_ypbind(canna_t)

policy/modules/services/comsat.te

@@ -1,5 +1,5 @@
 
-policy_module(comsat,1.4.0)
+policy_module(comsat,1.4.1)
 
 ########################################
 #
@@ -69,10 +69,10 @@ logging_send_syslog_msg(comsat_t)
 
 miscfiles_read_localization(comsat_t)
 
-userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
-
 mta_getattr_spool(comsat_t)
 
+sysadm_dontaudit_getattr_ttys(comsat_t)
+
 optional_policy(`
 	kerberos_use(comsat_t)
 ')

policy/modules/services/courier.te

@@ -1,5 +1,5 @@
 
-policy_module(courier,1.4.0)
+policy_module(courier,1.4.1)
 
 ########################################
 #
@@ -65,10 +65,11 @@ miscfiles_read_localization(courier_authdaemon_t)
 
 # should not be needed!
 userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
 
 courier_domtrans_pop(courier_authdaemon_t)
 
+sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
+
 ########################################
 #
 # Calendar (PCP) local policy

policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.9.0)
+policy_module(cups,1.9.1)
 
 ########################################
 #
@@ -357,11 +357,12 @@ miscfiles_read_localization(cupsd_config_t)
 seutil_dontaudit_search_config(cupsd_config_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
-userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
+
+cups_stream_connect(cupsd_config_t)
 
 lpd_read_config(cupsd_config_t)
 
-cups_stream_connect(cupsd_config_t)
+sysadm_dontaudit_search_home_dirs(cupsd_config_t)
 
 ifdef(`distro_redhat',`
 	init_getattr_script_files(cupsd_config_t)
@@ -561,11 +562,12 @@ miscfiles_read_localization(hplip_t)
 sysnet_read_config(hplip_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 
 lpd_read_config(cupsd_t)
 
+sysadm_dontaudit_search_home_dirs(hplip_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(hplip_t)
 ')

policy/modules/services/cyrus.te

@@ -1,5 +1,5 @@
 
-policy_module(cyrus,1.5.0)
+policy_module(cyrus,1.5.1)
 
 ########################################
 #
@@ -108,12 +108,13 @@ miscfiles_read_certs(cyrus_t)
 sysnet_read_config(cyrus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
-userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
 userdom_use_unpriv_users_fds(cyrus_t)
 
 mta_manage_spool(cyrus_t)
 mta_send_mail(cyrus_t)
 
+sysadm_dontaudit_search_home_dirs(cyrus_t)
+
 optional_policy(`
 	cron_system_entry(cyrus_t,cyrus_exec_t)
 ')

policy/modules/services/dante.te

@@ -1,5 +1,5 @@
 
-policy_module(dante,1.4.0)
+policy_module(dante,1.4.1)
 
 ########################################
 #
@@ -72,7 +72,8 @@ miscfiles_read_localization(dante_t)
 sysnet_read_config(dante_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dante_t)
-userdom_dontaudit_search_sysadm_home_dirs(dante_t)
+
+sysadm_dontaudit_search_home_dirs(dante_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(dante_t)

policy/modules/services/dbus.te

@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.8.0)
+policy_module(dbus,1.8.1)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -106,7 +106,8 @@ seutil_read_default_contexts(system_dbusd_t)
 seutil_sigchld_newrole(system_dbusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
+
+sysadm_dontaudit_search_home_dirs(system_dbusd_t)
 
 tunable_policy(`read_default_t',`
 	files_list_default(system_dbusd_t)

policy/modules/services/dcc.te

@@ -1,5 +1,5 @@
 
-policy_module(dcc,1.5.0)
+policy_module(dcc,1.5.1)
 
 ########################################
 #
@@ -273,7 +273,8 @@ sysnet_read_config(dccd_t)
 sysnet_dns_name_resolve(dccd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
+
+sysadm_dontaudit_search_home_dirs(dccd_t)
 
 optional_policy(`
 	nscd_socket_use(dccd_t)
@@ -346,7 +347,8 @@ sysnet_read_config(dccifd_t)
 sysnet_dns_name_resolve(dccifd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
+
+sysadm_dontaudit_search_home_dirs(dccifd_t)
 
 optional_policy(`
 	nscd_socket_use(dccifd_t)
@@ -418,7 +420,8 @@ sysnet_read_config(dccm_t)
 sysnet_dns_name_resolve(dccm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
+
+sysadm_dontaudit_search_home_dirs(dccm_t)
 
 optional_policy(`
 	nscd_socket_use(dccm_t)

policy/modules/services/ddclient.te

@@ -1,5 +1,5 @@
 
-policy_module(ddclient,1.4.0)
+policy_module(ddclient,1.4.1)
 
 ########################################
 #
@@ -98,7 +98,8 @@ sysnet_exec_ifconfig(ddclient_t)
 sysnet_read_config(ddclient_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
-userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
+
+sysadm_dontaudit_search_home_dirs(ddclient_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ddclient_t)

policy/modules/services/dhcp.te

@@ -1,5 +1,5 @@
 
-policy_module(dhcp,1.5.0)
+policy_module(dhcp,1.5.1)
 
 ########################################
 #
@@ -99,7 +99,8 @@ sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dhcpd_t)
+
+sysadm_dontaudit_search_home_dirs(dhcpd_t)
 
 ifdef(`distro_gentoo',`
 	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };

policy/modules/services/distcc.te

@@ -1,5 +1,5 @@
 
-policy_module(distcc,1.5.0)
+policy_module(distcc,1.5.1)
 
 ########################################
 #
@@ -81,7 +81,8 @@ miscfiles_read_localization(distccd_t)
 sysnet_read_config(distccd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
+
+sysadm_dontaudit_search_home_dirs(distccd_t)
 
 optional_policy(`
 	nis_use_ypbind(distccd_t)

policy/modules/services/dnsmasq.te

@@ -1,5 +1,5 @@
 
-policy_module(dnsmasq,1.5.0)
+policy_module(dnsmasq,1.5.1)
 
 ########################################
 #
@@ -81,7 +81,8 @@ miscfiles_read_localization(dnsmasq_t)
 sysnet_read_config(dnsmasq_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
-userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
+
+sysadm_dontaudit_search_home_dirs(dnsmasq_t)
 
 optional_policy(`
 	nis_use_ypbind(dnsmasq_t)

policy/modules/services/dovecot.te

@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.8.0)
+policy_module(dovecot,1.8.1)
 
 ########################################
 #
@@ -113,11 +113,12 @@ miscfiles_read_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
 userdom_priveleged_home_dir_manager(dovecot_t)
 
 mta_manage_spool(dovecot_t)
 
+sysadm_dontaudit_search_home_dirs(dovecot_t)
+
 optional_policy(`
 	kerberos_use(dovecot_t)
 ')

policy/modules/services/exim.te

@@ -1,5 +1,5 @@
 
-policy_module(exim,1.1.0)
+policy_module(exim,1.1.1)
 
 ########################################
 #
@@ -102,12 +102,13 @@ miscfiles_read_localization(exim_t)
 
 sysnet_dns_name_resolve(exim_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+unprivuser_dontaudit_search_home_dirs(exim_t)
 
 mta_read_aliases(exim_t)
 mta_rw_spool(exim_t)
 
+sysadm_dontaudit_search_home_dirs(exim_t)
+
 tunable_policy(`exim_read_user_files',`
 	userdom_read_unpriv_users_home_content_files(exim_t)
 	userdom_read_unpriv_users_tmp_files(exim_t)

policy/modules/services/fetchmail.te

@@ -1,5 +1,5 @@
 
-policy_module(fetchmail,1.5.1)
+policy_module(fetchmail,1.5.2)
 
 ########################################
 #
@@ -83,7 +83,8 @@ miscfiles_read_certs(fetchmail_t)
 sysnet_read_config(fetchmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
+
+sysadm_dontaudit_search_home_dirs(fetchmail_t)
 
 optional_policy(`
 	procmail_domtrans(fetchmail_t)

policy/modules/services/finger.te

@@ -1,5 +1,5 @@
 
-policy_module(finger,1.6.0)
+policy_module(finger,1.6.1)
 
 ########################################
 #
@@ -91,12 +91,12 @@ sysnet_read_config(fingerd_t)
 
 miscfiles_read_localization(fingerd_t)
 
-userdom_read_unpriv_users_home_content_files(fingerd_t)
-userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
-userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
 # stop it accessing sub-directories, prevents checking a Maildir for new mail,
 # have to change this when we create a type for Maildir
-userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
+userdom_read_unpriv_users_home_content_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+
+sysadm_dontaudit_search_home_dirs(fingerd_t)
 
 optional_policy(`
 	cron_system_entry(fingerd_t, fingerd_exec_t)

policy/modules/services/ftp.te

@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.7.0)
+policy_module(ftp,1.7.1)
 
 ########################################
 #
@@ -179,9 +179,10 @@ seutil_dontaudit_search_config(ftpd_t)
 sysnet_read_config(ftpd_t)
 sysnet_use_ldap(ftpd_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 
+sysadm_dontaudit_search_home_dirs(ftpd_t)
+
 tunable_policy(`allow_ftpd_anon_write',`
 	miscfiles_manage_public_files(ftpd_t)
 ')

policy/modules/services/gatekeeper.te

@@ -1,5 +1,5 @@
 
-policy_module(gatekeeper,1.4.0)
+policy_module(gatekeeper,1.4.1)
 
 ########################################
 #
@@ -88,7 +88,8 @@ miscfiles_read_localization(gatekeeper_t)
 sysnet_read_config(gatekeeper_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
+
+sysadm_dontaudit_search_home_dirs(gatekeeper_t)
 
 optional_policy(`
 	nis_use_ypbind(gatekeeper_t)

policy/modules/services/gpm.te

@@ -1,5 +1,5 @@
 
-policy_module(gpm,1.4.0)
+policy_module(gpm,1.4.1)
 
 ########################################
 #
@@ -69,7 +69,8 @@ logging_send_syslog_msg(gpm_t)
 miscfiles_read_localization(gpm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
-userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
+
+sysadm_dontaudit_search_home_dirs(gpm_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)

policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.9.1)
+policy_module(hal,1.9.2)
 
 ########################################
 #
@@ -193,7 +193,8 @@ seutil_read_file_contexts(hald_t)
 sysnet_read_config(hald_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
-userdom_dontaudit_search_sysadm_home_dirs(hald_t)
+
+sysadm_dontaudit_search_home_dirs(hald_t)
 
 optional_policy(`
 	alsa_domtrans(hald_t)

policy/modules/services/howl.te

@@ -1,5 +1,5 @@
 
-policy_module(howl,1.5.0)
+policy_module(howl,1.5.1)
 
 ########################################
 #
@@ -69,7 +69,8 @@ miscfiles_read_localization(howl_t)
 sysnet_read_config(howl_t)
 
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
-userdom_dontaudit_search_sysadm_home_dirs(howl_t)
+
+sysadm_dontaudit_search_home_dirs(howl_t)
 
 optional_policy(`
 	nis_use_ypbind(howl_t)

policy/modules/services/i18n_input.te

@@ -1,5 +1,5 @@
 
-policy_module(i18n_input,1.5.0)
+policy_module(i18n_input,1.5.1)
 
 ########################################
 #
@@ -77,9 +77,10 @@ miscfiles_read_localization(i18n_input_t)
 sysnet_read_config(i18n_input_t)
 
 userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
 userdom_read_unpriv_users_home_content_files(i18n_input_t)
 
+sysadm_dontaudit_search_home_dirs(i18n_input_t)
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(i18n_input_t)
 	fs_read_nfs_symlinks(i18n_input_t)

policy/modules/services/imaze.te

@@ -1,5 +1,5 @@
 
-policy_module(imaze,1.4.0)
+policy_module(imaze,1.4.1)
 
 ########################################
 #
@@ -88,7 +88,8 @@ miscfiles_read_localization(imazesrv_t)
 sysnet_read_config(imazesrv_t)
 
 userdom_use_unpriv_users_fds(imazesrv_t)
-userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
+
+sysadm_dontaudit_search_home_dirs(imazesrv_t)
 
 optional_policy(`
 	nis_use_ypbind(imazesrv_t)

policy/modules/services/inetd.te

@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.6.0)
+policy_module(inetd,1.6.1)
 
 ########################################
 #
@@ -145,7 +145,8 @@ mls_process_set_level(inetd_t)
 sysnet_read_config(inetd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
+
+sysadm_dontaudit_search_home_dirs(inetd_t)
 
 ifdef(`enable_mls',`
 	corenet_tcp_recvfrom_netlabel(inetd_t)

policy/modules/services/inn.te

@@ -1,5 +1,5 @@
 
-policy_module(inn,1.5.0)
+policy_module(inn,1.5.1)
 
 ########################################
 #
@@ -105,7 +105,8 @@ seutil_dontaudit_search_config(innd_t)
 sysnet_read_config(innd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(innd_t)
-userdom_dontaudit_search_sysadm_home_dirs(innd_t)
+
+sysadm_dontaudit_search_home_dirs(innd_t)
 
 mta_send_mail(innd_t)
 

policy/modules/services/ircd.te

@@ -1,5 +1,5 @@
 
-policy_module(ircd,1.4.0)
+policy_module(ircd,1.4.1)
 
 ########################################
 #
@@ -82,7 +82,8 @@ miscfiles_read_localization(ircd_t)
 sysnet_read_config(ircd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ircd_t)
-userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
+
+sysadm_dontaudit_search_home_dirs(ircd_t)
 
 optional_policy(`
 	nis_use_ypbind(ircd_t)

policy/modules/services/irqbalance.te

@@ -1,5 +1,5 @@
 
-policy_module(irqbalance,1.2.0)
+policy_module(irqbalance,1.2.1)
 
 ########################################
 #
@@ -50,7 +50,8 @@ logging_send_syslog_msg(irqbalance_t)
 miscfiles_read_localization(irqbalance_t)
 
 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
-userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
+
+sysadm_dontaudit_search_home_dirs(irqbalance_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(irqbalance_t)

policy/modules/services/jabber.te

@@ -1,5 +1,5 @@
 
-policy_module(jabber,1.4.0)
+policy_module(jabber,1.4.1)
 
 ########################################
 #
@@ -80,7 +80,8 @@ miscfiles_read_localization(jabberd_t)
 sysnet_read_config(jabberd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
+
+sysadm_dontaudit_search_home_dirs(jabberd_t)
 
 optional_policy(`
 	nis_use_ypbind(jabberd_t)

policy/modules/services/kerberos.te

@@ -1,5 +1,5 @@
 
-policy_module(kerberos,1.6.0)
+policy_module(kerberos,1.6.1)
 
 ########################################
 #
@@ -129,7 +129,8 @@ miscfiles_read_localization(kadmind_t)
 sysnet_read_config(kadmind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
+
+sysadm_dontaudit_search_home_dirs(kadmind_t)
 
 optional_policy(`
 	nis_use_ypbind(kadmind_t)
@@ -225,7 +226,8 @@ miscfiles_read_localization(krb5kdc_t)
 sysnet_read_config(krb5kdc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
+
+sysadm_dontaudit_search_home_dirs(krb5kdc_t)
 
 optional_policy(`
 	nis_use_ypbind(krb5kdc_t)

policy/modules/services/ldap.te

@@ -1,5 +1,5 @@
 
-policy_module(ldap,1.6.0)
+policy_module(ldap,1.6.1)
 
 ########################################
 #
@@ -114,7 +114,8 @@ miscfiles_read_certs(slapd_t)
 miscfiles_read_localization(slapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
-userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+
+sysadm_dontaudit_search_home_dirs(slapd_t)
 
 optional_policy(`
 	kerberos_use(slapd_t)

policy/modules/services/lpd.te

@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.9.0)
+policy_module(lpd,1.9.1)
 
 ########################################
 #
@@ -200,7 +200,8 @@ miscfiles_read_localization(lpd_t)
 sysnet_read_config(lpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(lpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
+
+sysadm_dontaudit_search_home_dirs(lpd_t)
 
 optional_policy(`
 	nis_use_ypbind(lpd_t)

policy/modules/services/mailman.te

@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.4.0)
+policy_module(mailman,1.4.1)
 
 ########################################
 #
@@ -99,12 +99,11 @@ files_dontaudit_search_pids(mailman_queue_t)
 # for su
 seutil_dontaudit_search_config(mailman_queue_t)
 
+su_exec(mailman_queue_t)
+
 # some of the following could probably be changed to dontaudit, someone who
 # knows mailman well should test this out and send the changes
-userdom_search_sysadm_home_dirs(mailman_queue_t)
-userdom_getattr_sysadm_home_dirs(mailman_queue_t)
-
-su_exec(mailman_queue_t)
+sysadm_search_home_dirs(mailman_queue_t)
 
 optional_policy(`
 	cron_system_entry(mailman_queue_t,mailman_queue_exec_t)

policy/modules/services/monop.te

@@ -1,5 +1,5 @@
 
-policy_module(monop,1.4.0)
+policy_module(monop,1.4.1)
 
 ########################################
 #
@@ -74,7 +74,8 @@ miscfiles_read_localization(monopd_t)
 sysnet_read_config(monopd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(monopd_t)
-userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
+
+sysadm_dontaudit_search_home_dirs(monopd_t)
 
 optional_policy(`
 	nis_use_ypbind(monopd_t)

policy/modules/services/mta.te

@@ -1,5 +1,5 @@
 
-policy_module(mta,1.9.0)
+policy_module(mta,1.9.1)
 
 ########################################
 #
@@ -49,8 +49,8 @@ dev_read_urand(system_mail_t)
 
 init_use_script_ptys(system_mail_t)
 
-userdom_use_sysadm_terms(system_mail_t)
-userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+sysadm_use_terms(system_mail_t)
+sysadm_dontaudit_search_home_dirs(system_mail_t)
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)

policy/modules/services/munin.te

@@ -1,5 +1,5 @@
 
-policy_module(munin,1.4.0)
+policy_module(munin,1.4.1)
 
 ########################################
 #
@@ -96,7 +96,8 @@ miscfiles_read_localization(munin_t)
 sysnet_read_config(munin_t)
 
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
-userdom_dontaudit_search_sysadm_home_dirs(munin_t)
+
+sysadm_dontaudit_search_home_dirs(munin_t)
 
 optional_policy(`
 	# for accessing the output directory

policy/modules/services/mysql.te

@@ -1,5 +1,5 @@
 
-policy_module(mysql,1.7.0)
+policy_module(mysql,1.7.1)
 
 ########################################
 #
@@ -100,8 +100,9 @@ miscfiles_read_localization(mysqld_t)
 sysnet_read_config(mysqld_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
 # for /root/.my.cnf - should not be needed:
-userdom_read_sysadm_home_content_files(mysqld_t)
+sysadm_read_home_content_files(mysqld_t)
 
 ifdef(`distro_redhat',`
 	# because Fedora has the sock_file in the database directory

policy/modules/services/nagios.te

@@ -1,5 +1,5 @@
 
-policy_module(nagios,1.5.0)
+policy_module(nagios,1.5.1)
 
 ########################################
 #
@@ -103,10 +103,11 @@ logging_send_syslog_msg(nagios_t)
 miscfiles_read_localization(nagios_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nagios_t)
-userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
 
 mta_send_mail(nagios_t)
 
+sysadm_dontaudit_search_home_dirs(nagios_t)
+
 optional_policy(`
 	netutils_domtrans_ping(nagios_t)
 	netutils_signal_ping(nagios_t)

policy/modules/services/nessus.te

@@ -1,5 +1,5 @@
 
-policy_module(nessus,1.4.0)
+policy_module(nessus,1.4.1)
 
 ########################################
 #
@@ -94,7 +94,8 @@ miscfiles_read_localization(nessusd_t)
 sysnet_read_config(nessusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nessusd_t)
+
+sysadm_dontaudit_search_home_dirs(nessusd_t)
 
 optional_policy(`
 	nis_use_ypbind(nessusd_t)

policy/modules/services/networkmanager.te

@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.9.0)
+policy_module(networkmanager,1.9.1)
 
 ########################################
 #
@@ -109,11 +109,12 @@ sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
 
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
 userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
 # Read gnome-keyring
 userdom_read_unpriv_users_home_content_files(NetworkManager_t)
 
+sysadm_dontaudit_search_home_dirs(NetworkManager_t)
+
 optional_policy(`
 	bind_domtrans(NetworkManager_t)
 	bind_manage_cache(NetworkManager_t)

policy/modules/services/nis.te

@@ -1,5 +1,5 @@
 
-policy_module(nis,1.6.0)
+policy_module(nis,1.6.1)
 
 ########################################
 #
@@ -111,7 +111,8 @@ miscfiles_read_localization(ypbind_t)
 sysnet_read_config(ypbind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
+
+sysadm_dontaudit_search_home_dirs(ypbind_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ypbind_t)
@@ -192,7 +193,8 @@ miscfiles_read_localization(yppasswdd_t)
 sysnet_read_config(yppasswdd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
-userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
+
+sysadm_dontaudit_search_home_dirs(yppasswdd_t)
 
 optional_policy(`
 	hostname_exec(yppasswdd_t)
@@ -275,7 +277,8 @@ nis_domtrans_ypxfr(ypserv_t)
 sysnet_read_config(ypserv_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
+
+sysadm_dontaudit_search_home_dirs(ypserv_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ypserv_t)

policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.6.0)
+policy_module(nscd,1.6.1)
 
 gen_require(`
 	class nscd all_nscd_perms;
@@ -104,7 +104,8 @@ seutil_sigchld_newrole(nscd_t)
 sysnet_read_config(nscd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
+
+sysadm_dontaudit_search_home_dirs(nscd_t)
 
 optional_policy(`
 	udev_read_db(nscd_t)

policy/modules/services/nsd.te

@@ -1,5 +1,5 @@
 
-policy_module(nsd,1.4.0)
+policy_module(nsd,1.4.1)
 
 ########################################
 #
@@ -96,7 +96,8 @@ miscfiles_read_localization(nsd_t)
 sysnet_read_config(nsd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nsd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
+
+sysadm_dontaudit_search_home_dirs(nsd_t)
 
 optional_policy(`
 	nis_use_ypbind(nsd_t)
@@ -172,7 +173,7 @@ miscfiles_read_localization(nsd_crond_t)
 
 sysnet_read_config(nsd_crond_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(nsd_crond_t)
+sysadm_dontaudit_search_home_dirs(nsd_crond_t)
 
 optional_policy(`
 	cron_system_entry(nsd_crond_t,nsd_exec_t)

policy/modules/services/ntop.te

@@ -1,5 +1,5 @@
 
-policy_module(ntop,1.5.0)
+policy_module(ntop,1.5.1)
 
 ########################################
 #
@@ -92,7 +92,8 @@ miscfiles_read_localization(ntop_t)
 sysnet_read_config(ntop_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntop_t)
-userdom_dontaudit_search_sysadm_home_dirs(ntop_t)
+
+sysadm_dontaudit_search_home_dirs(ntop_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ntop_t)

policy/modules/services/ntp.te

@@ -1,5 +1,5 @@
 
-policy_module(ntp,1.5.0)
+policy_module(ntp,1.5.1)
 
 ########################################
 #
@@ -106,8 +106,8 @@ logging_send_syslog_msg(ntpd_t)
 miscfiles_read_localization(ntpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-userdom_list_sysadm_home_dirs(ntpd_t)
-userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+
+sysadm_list_home_dirs(ntpd_t)
 
 optional_policy(`
 	# for cron jobs

policy/modules/services/oav.te

@@ -1,5 +1,5 @@
 
-policy_module(oav,1.5.0)
+policy_module(oav,1.5.1)
 
 ########################################
 #
@@ -142,7 +142,8 @@ miscfiles_read_localization(scannerdaemon_t)
 sysnet_read_config(scannerdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
+
+sysadm_dontaudit_search_home_dirs(scannerdaemon_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(scannerdaemon_t)

policy/modules/services/oddjob.te

@@ -1,5 +1,5 @@
 
-policy_module(oddjob,1.4.0)
+policy_module(oddjob,1.4.1)
 
 ########################################
 #
@@ -78,10 +78,12 @@ libs_use_shared_libs(oddjob_mkhomedir_t)
 
 miscfiles_read_localization(oddjob_mkhomedir_t)
 
+staff_manage_home_dirs(oddjob_mkhomedir_t)
+
 # Add/remove user home directories
-userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
+unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
+unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
+unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
+unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
+unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
+

policy/modules/services/openct.te

@@ -1,5 +1,5 @@
 
-policy_module(openct,1.2.1)
+policy_module(openct,1.2.2)
 
 ########################################
 #
@@ -51,7 +51,8 @@ logging_send_syslog_msg(openct_t)
 miscfiles_read_localization(openct_t)
 
 userdom_dontaudit_use_unpriv_user_fds(openct_t)
-userdom_dontaudit_search_sysadm_home_dirs(openct_t)
+
+sysadm_dontaudit_search_home_dirs(openct_t)
 
 openct_exec(openct_t)
 

policy/modules/services/pegasus.te

@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.5.1)
+policy_module(pegasus,1.5.2)
 
 ########################################
 #
@@ -122,7 +122,8 @@ sysnet_read_config(pegasus_t)
 sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
+
+sysadm_dontaudit_search_home_dirs(pegasus_t)
 
 optional_policy(`
 	rpm_exec(pegasus_t)

policy/modules/services/perdition.te

@@ -1,5 +1,5 @@
 
-policy_module(perdition,1.4.0)
+policy_module(perdition,1.4.1)
 
 ########################################
 #
@@ -68,7 +68,8 @@ miscfiles_read_localization(perdition_t)
 sysnet_read_config(perdition_t)
 
 userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-userdom_dontaudit_search_sysadm_home_dirs(perdition_t)
+
+sysadm_dontaudit_search_home_dirs(perdition_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(perdition_t)

policy/modules/services/portmap.te

@@ -1,5 +1,5 @@
 
-policy_module(portmap,1.6.0)
+policy_module(portmap,1.6.1)
 
 ########################################
 #
@@ -87,7 +87,8 @@ miscfiles_read_localization(portmap_t)
 sysnet_read_config(portmap_t)
 
 userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
+
+sysadm_dontaudit_search_home_dirs(portmap_t)
 
 optional_policy(`
 	nis_use_ypbind(portmap_t)