- ricci_modclusterd_t needs to bind to rpc ports 500-1023

- Allow dbus to use setrlimit to increase resoueces - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket whic - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory
2011-02-01 18:30:35 +00:00 · 2011-02-01 18:30:35 +00:00 · ebce355dea
parent 73e5debe55
commit ebce355dea
2 changed files with 234 additions and 95 deletions
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -2196,6 +2196,21 @@ index ebf4b26..f663276 100644
 optional_policy(`
 	dbus_system_bus_client(vpnc_t)
 diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
 index 1f42250..3d36ae2 100644
 --- a/policy/modules/apps/awstats.te
 +++ b/policy/modules/apps/awstats.te
@@ -70,6 +70,10 @@ optional_policy(`
 	nscd_dontaudit_search_pid(awstats_t)
 ')
 +optional_policy(`
 +	squid_read_log(awstats_t)
 +')
 +
 ########################################
 #
 # awstats cgi script policy
 diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
 index 1403835..2e9a72c 100644
 --- a/policy/modules/apps/cdrecord.te
@ -4697,7 +4712,7 @@ index 93ac529..aafece7 100644
 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..76caa60 100644
+index 9a6d67d..dba7755 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@ -4828,7 +4843,7 @@ index 9a6d67d..76caa60 100644
 ##	Send and receive messages from
 ##	mozilla over dbus.
 ## </summary>
-@@ -204,3 +295,22 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +295,40 @@ interface(`mozilla_rw_tcp_sockets',`
 	allow $1 mozilla_t:tcp_socket rw_socket_perms;
 ')
@ -4851,6 +4866,24 @@ index 9a6d67d..76caa60 100644
 +	allow $1 mozilla_plugin_tmpfs_t:file unlink;
 +')
 +
 +########################################
 +## <summary>
 +##	Dontaudit read/write to a mozilla_plugin leaks
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`mozilla_plugin_dontaudit_leaks',`
 +	gen_require(`
 +		type mozilla_plugin_t;
 +	')
 +
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
 index 2a91fa8..2fad053 100644
 --- a/policy/modules/apps/mozilla.te
@ -7064,10 +7097,10 @@ index 0000000..5f09eb9
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..5259647
+index 0000000..f29f417
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,451 @@
+@@ -0,0 +1,452 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@ -7517,6 +7550,7 @@ index 0000000..5259647
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
 +	mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
 +	mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
 +')
 +
 diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
@ -7629,10 +7663,10 @@ index 1dc7a85..7455c19 100644
 +	')
 ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..e5ef7b3 100644
+index 7590165..63db4fd 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,45 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,47 @@ policy_module(seunshare, 1.1.0)
 # Declarations
 #
@ -7668,6 +7702,7 @@ index 7590165..e5ef7b3 100644
 +files_search_all(seunshare_domain)
 +files_read_etc_files(seunshare_domain)
 +files_mounton_all_poly_members(seunshare_domain)
 +files_manage_generic_tmp_dirs(seunshare_domain)
 -auth_use_nsswitch(seunshare_t)
 +fs_manage_cgroup_dirs(seunshare_domain)
@ -7692,6 +7727,7 @@ index 7590165..e5ef7b3 100644
 	optional_policy(`
 -		mozilla_dontaudit_manage_user_home_files(seunshare_t)
 +		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
 +		mozilla_plugin_dontaudit_leaks(seunshare_domain)
 	')
 ')
 +
@ -16690,6 +16726,15 @@ index 08dfa0c..61f340d 100644
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
 ')
 diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
 index cd07b96..a87d1dd 100644
 --- a/policy/modules/services/apcupsd.fc
 +++ b/policy/modules/services/apcupsd.fc
@@ -13,3 +13,4 @@
 /var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 /var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 /var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 +/var/www/cgi-bin/apcgui(/.*)?		gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
 index d052bf0..8478eca 100644
 --- a/policy/modules/services/apcupsd.te
@ -21077,9 +21122,18 @@ index 0d5711c..bbc1a8f 100644
 +	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 +')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 98e5af6..3c13628 100644
+index 98e5af6..a7472fc 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
 -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 +allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@ -34881,7 +34935,7 @@ index f7826f9..3128dd8 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..29e7311 100644
+index 33e72e8..052a1ff 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@ -34938,6 +34992,15 @@ index 33e72e8..29e7311 100644
 	unconfined_use_fds(ricci_t)
 ')
@@ -193,7 +202,7 @@ corecmd_exec_shell(ricci_modcluster_t)
 corecmd_exec_bin(ricci_modcluster_t)
 corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
 -corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
 +corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
 domain_read_all_domains_state(ricci_modcluster_t)
@@ -241,8 +250,7 @@ optional_policy(`
 ')
@ -50195,7 +50258,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..97b04f2 100644
+index 28b88de..bc98180 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@ -50763,7 +50826,7 @@ index 28b88de..97b04f2 100644
 	')
 	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +647,110 @@ template(`userdom_common_user_template',`
+@@ -574,67 +647,114 @@ template(`userdom_common_user_template',`
 	')
 	optional_policy(`
@ -50872,6 +50935,10 @@ index 28b88de..97b04f2 100644
 	optional_policy(`
 -		locate_read_lib_files($1_t)
 +		lircd_stream_connect($1_usertype)
 +	')
 +
 +	optional_policy(`
 +		locate_read_lib_files($1_usertype)
 	')
@ -50879,20 +50946,20 @@ index 28b88de..97b04f2 100644
 	optional_policy(`
 -		modutils_read_module_config($1_t)
 +		modutils_read_module_config($1_usertype)
 +	')
 +
 +	optional_policy(`
 +		mta_rw_spool($1_usertype)
 +		mta_manage_queue($1_usertype)
 	')
 	optional_policy(`
 -		mta_rw_spool($1_t)
 +		mta_rw_spool($1_usertype)
 +		mta_manage_queue($1_usertype)
 +	')
 +
 +	optional_policy(`
 +		nsplugin_role($1_r, $1_usertype)
 	')
 	optional_policy(`
-@@ -650,41 +766,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +770,50 @@ template(`userdom_common_user_template',`
 	optional_policy(`
 		# to allow monitoring of pcmcia status
@ -50954,7 +51021,7 @@ index 28b88de..97b04f2 100644
 ')
 #######################################
-@@ -712,13 +837,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +841,26 @@ template(`userdom_login_user_template', `
 	userdom_base_user_template($1)
@ -50963,12 +51030,12 @@ index 28b88de..97b04f2 100644
 +
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
 +
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@ -50986,7 +51053,7 @@ index 28b88de..97b04f2 100644
 	userdom_change_password_template($1)
-@@ -736,72 +874,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +878,71 @@ template(`userdom_login_user_template', `
 	allow $1_t self:context contains;
@ -51053,49 +51120,49 @@ index 28b88de..97b04f2 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
 +
 +	seutil_read_config($1_usertype)
 -	seutil_read_config($1_t)
-+	seutil_read_config($1_usertype)
+	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
 +		cups_stream_connect_ptal($1_usertype)
 +	')
 	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
 +		cups_stream_connect_ptal($1_usertype)
 	')
 	optional_policy(`
 -		kerberos_use($1_t)
 +		kerberos_use($1_usertype)
 +		kerberos_connect_524($1_usertype)
 	')
 	optional_policy(`
-		mta_dontaudit_read_spool_symlinks($1_t)
+-		kerberos_use($1_t)
 +		mta_dontaudit_read_spool_symlinks($1_usertype)
 	')
 	optional_policy(`
-		quota_dontaudit_getattr_db($1_t)
+-		mta_dontaudit_read_spool_symlinks($1_t)
 +		quota_dontaudit_getattr_db($1_usertype)
 	')
 	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
 +		rpm_read_db($1_usertype)
 +		rpm_dontaudit_manage_db($1_usertype)
 +		rpm_read_cache($1_usertype)
 	')
 	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
 +		rpm_read_db($1_usertype)
 +		rpm_dontaudit_manage_db($1_usertype)
 +		rpm_read_cache($1_usertype)
 +	')
 +
 +	optional_policy(`
 +		oddjob_run_mkhomedir($1_t, $1_r)
 	')
 ')
-@@ -833,6 +970,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +974,9 @@ template(`userdom_restricted_user_template',`
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
@ -51105,7 +51172,7 @@ index 28b88de..97b04f2 100644
 	##############################
 	#
 	# Local policy
-@@ -874,45 +1014,107 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1018,107 @@ template(`userdom_restricted_xwindows_user_template',`
 	#
 	auth_role($1_r, $1_t)
@ -51224,7 +51291,7 @@ index 28b88de..97b04f2 100644
 	')
 ')
-@@ -947,7 +1149,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1153,7 @@ template(`userdom_unpriv_user_template', `
 	#
 	# Inherit rules for ordinary users.
@ -51233,7 +51300,7 @@ index 28b88de..97b04f2 100644
 	userdom_common_user_template($1)
 	##############################
-@@ -956,54 +1158,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1162,77 @@ template(`userdom_unpriv_user_template', `
 	#
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -51314,20 +51381,20 @@ index 28b88de..97b04f2 100644
 +
 +	optional_policy(`
 +		java_role_template($1, $1_r, $1_t)
 +	')
 +
 +	optional_policy(`
 +		mono_role_template($1, $1_r, $1_t)
 	')
 -	# Run pppd in pppd_t by default for user
 	optional_policy(`
 -		ppp_run_cond($1_t,$1_r)
-+		mount_run_fusermount($1_t, $1_r)
+		mono_role_template($1, $1_r, $1_t)
 	')
 	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
 +		mount_run_fusermount($1_t, $1_r)
 +	')
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
 +	')
 +
@ -51341,7 +51408,7 @@ index 28b88de..97b04f2 100644
 	')
 ')
-@@ -1039,7 +1264,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1268,7 @@ template(`userdom_unpriv_user_template', `
 template(`userdom_admin_user_template',`
 	gen_require(`
 		attribute admindomain;
@ -51350,7 +51417,7 @@ index 28b88de..97b04f2 100644
 	')
 	##############################
-@@ -1074,6 +1299,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1303,9 @@ template(`userdom_admin_user_template',`
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
@ -51360,7 +51427,7 @@ index 28b88de..97b04f2 100644
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1316,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1320,7 @@ template(`userdom_admin_user_template',`
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -51368,7 +51435,7 @@ index 28b88de..97b04f2 100644
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1119,10 +1348,13 @@ template(`userdom_admin_user_template',`
+@@ -1119,10 +1352,13 @@ template(`userdom_admin_user_template',`
 	domain_sigchld_all_domains($1_t)
 	# for lsof
 	domain_getattr_all_sockets($1_t)
@ -51382,7 +51449,7 @@ index 28b88de..97b04f2 100644
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
-@@ -1142,6 +1374,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1378,7 @@ template(`userdom_admin_user_template',`
 	logging_send_syslog_msg($1_t)
 	modutils_domtrans_insmod($1_t)
@ -51390,7 +51457,7 @@ index 28b88de..97b04f2 100644
 	# The following rule is temporary until such time that a complete
 	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1443,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1447,8 @@ template(`userdom_security_admin_template',`
 	dev_relabel_all_dev_nodes($1)
 	files_create_boot_flag($1)
@ -51399,7 +51466,7 @@ index 28b88de..97b04f2 100644
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1237,6 +1472,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1476,7 @@ template(`userdom_security_admin_template',`
 	seutil_run_checkpolicy($1,$2)
 	seutil_run_loadpolicy($1,$2)
 	seutil_run_semanage($1,$2)
@ -51407,7 +51474,7 @@ index 28b88de..97b04f2 100644
 	seutil_run_setfiles($1, $2)
 	optional_policy(`
-@@ -1279,11 +1515,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1519,37 @@ template(`userdom_security_admin_template',`
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -51445,7 +51512,7 @@ index 28b88de..97b04f2 100644
 	ubac_constrained($1)
 ')
-@@ -1395,6 +1657,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1661,7 @@ interface(`userdom_search_user_home_dirs',`
 	')
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -51453,7 +51520,7 @@ index 28b88de..97b04f2 100644
 	files_search_home($1)
 ')
-@@ -1441,6 +1704,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1708,14 @@ interface(`userdom_list_user_home_dirs',`
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -51468,7 +51535,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -1456,9 +1727,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1731,11 @@ interface(`userdom_list_user_home_dirs',`
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -51480,34 +51547,57 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -1515,6 +1788,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1792,10 @@ interface(`userdom_relabelto_user_home_dirs',`
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 +
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Create directories in the home dir root with
 -##	the user home directory type.
 +##	Relabel to user home files.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
-+##	Domain allowed access.
+@@ -1526,35 +1803,71 @@ interface(`userdom_relabelto_user_home_dirs',`
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+ #
 -interface(`userdom_home_filetrans_user_home_dir',`
 +interface(`userdom_relabelto_user_home_files',`
-+	gen_require(`
+ 	gen_require(`
 -		type user_home_dir_t;
 +		type user_home_t;
-+	')
+ 	')
-+
+ 
 -	files_home_filetrans($1, user_home_dir_t, dir)
 +	allow $1 user_home_t:file relabelto;
-+')
+ ')
-+########################################
+-
-+## <summary>
+ ########################################
 ## <summary>
 -##	Do a domain transition to the specified
 -##	domain when executing a program in the
 -##	user home directory.
 +##	Relabel user home files.
-+## </summary>
+ ## </summary>
 -## <desc>
 -##	<p>
 -##	Do a domain transition to the specified
 -##	domain when executing a program in the
 -##	user home directory.
 -##	</p>
 -##	<p>
 -##	No interprocess communication (signals, pipes,
 -##	etc.) is provided by this interface since
 -##	the domains are not owned by this module.
 -##	</p>
 -## </desc>
 -## <param name="source_domain">
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
 -##	Domain allowed to transition.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@ -51520,10 +51610,50 @@ index 28b88de..97b04f2 100644
 +	allow $1 user_home_t:file relabel_file_perms;
 +')
 +
- ########################################
+########################################
- ## <summary>
+## <summary>
- ##	Create directories in the home dir root with
+##	Create directories in the home dir root with
-@@ -1589,6 +1898,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+##	the user home directory type.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_home_filetrans_user_home_dir',`
 +	gen_require(`
 +		type user_home_dir_t;
 +	')
 +
 +	files_home_filetrans($1, user_home_dir_t, dir)
 +')
 +
 +########################################
 +## <summary>
 +##	Do a domain transition to the specified
 +##	domain when executing a program in the
 +##	user home directory.
 +## </summary>
 +## <desc>
 +##	<p>
 +##	Do a domain transition to the specified
 +##	domain when executing a program in the
 +##	user home directory.
 +##	</p>
 +##	<p>
 +##	No interprocess communication (signals, pipes,
 +##	etc.) is provided by this interface since
 +##	the domains are not owned by this module.
 +##	</p>
 +## </desc>
 +## <param name="source_domain">
 +##	<summary>
 +##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
@@ -1589,6 +1902,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
 	')
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -51532,7 +51662,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -1603,10 +1914,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1918,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
 #
 interface(`userdom_list_user_home_content',`
 	gen_require(`
@ -51547,7 +51677,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -1649,6 +1962,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1966,25 @@ interface(`userdom_delete_user_home_content_dirs',`
 ########################################
 ## <summary>
@ -51573,7 +51703,7 @@ index 28b88de..97b04f2 100644
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
-@@ -1700,12 +2032,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2036,32 @@ interface(`userdom_read_user_home_content_files',`
 		type user_home_dir_t, user_home_t;
 	')
@ -51606,7 +51736,7 @@ index 28b88de..97b04f2 100644
 ##	Do not audit attempts to read user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1716,11 +2068,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2072,14 @@ interface(`userdom_read_user_home_content_files',`
 #
 interface(`userdom_dontaudit_read_user_home_content_files',`
 	gen_require(`
@ -51624,7 +51754,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -1810,8 +2165,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2169,7 @@ interface(`userdom_read_user_home_content_symlinks',`
 		type user_home_dir_t, user_home_t;
 	')
@ -51634,7 +51764,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -1827,20 +2181,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2185,14 @@ interface(`userdom_read_user_home_content_symlinks',`
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -51659,7 +51789,7 @@ index 28b88de..97b04f2 100644
 ########################################
 ## <summary>
-@@ -2182,7 +2530,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2534,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -51668,7 +51798,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -2435,13 +2783,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2787,14 @@ interface(`userdom_read_user_tmpfs_files',`
 	')
 	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -51684,7 +51814,7 @@ index 28b88de..97b04f2 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2462,26 +2811,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2815,6 @@ interface(`userdom_rw_user_tmpfs_files',`
 ########################################
 ## <summary>
@ -51711,7 +51841,7 @@ index 28b88de..97b04f2 100644
 ##	Get the attributes of a user domain tty.
 ## </summary>
 ## <param name="domain">
-@@ -2815,7 +3144,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3148,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -51720,7 +51850,7 @@ index 28b88de..97b04f2 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
-@@ -2831,11 +3160,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3164,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -51736,7 +51866,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -2917,7 +3248,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3252,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
@ -51745,7 +51875,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -2972,7 +3303,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3307,45 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -51792,7 +51922,7 @@ index 28b88de..97b04f2 100644
 ')
 ########################################
-@@ -3009,6 +3378,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3382,7 @@ interface(`userdom_read_all_users_state',`
 	')
 	read_files_pattern($1, userdomain, userdomain)
@ -51800,7 +51930,7 @@ index 28b88de..97b04f2 100644
 	kernel_search_proc($1)
 ')
-@@ -3139,3 +3509,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3513,1058 @@ interface(`userdom_dbus_send_all_users',`
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.13
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -472,6 +472,15 @@ exit 0
 %endif
 %changelog
 * Tue Feb 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-7
 - ricci_modclusterd_t needs to bind to rpc ports 500-1023
 - Allow dbus to use setrlimit to increase resoueces
 - Mozilla_plugin is leaking to sandbox
 - Allow confined users  to connect to lircd over unix domain stream socket which allow to use remote control
 - Allow awstats to read squid logs
 - seunshare needs to manage tmp_t
 - apcupsd cgi scripts have a new directory
 * Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6
 - Fix xserver_dontaudit_read_xdm_pid
 - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite