Allow iptables to read shorewall tmp files

Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port

policy/modules/admin/shorewall.if

@@ -133,6 +133,25 @@ interface(`shorewall_rw_lib_files',`
         rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
 ')
 
+#######################################
+## <summary>
+##      Read shorewall tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_tmp_files',`
+        gen_require(`
+                type shorewall_tmp_t;
+        ')
+
+        files_search_tmp($1)
+        read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
+')
+
 #######################################
 ## <summary>
 ##	All of the rules required to administrate 

policy/modules/admin/usermanage.te

@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
 # for SSP
 dev_read_urand(chfn_t)
 
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_use_pam(chfn_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
@@ -297,11 +295,10 @@ term_use_all_ttys(passwd_t)
 term_use_all_ptys(passwd_t)
 term_use_generic_ptys(passwd_t)
 
-auth_domtrans_chk_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(passwd_t)

policy/modules/apps/execmem.fc

@@ -10,6 +10,7 @@
 /usr/bin/runhaskell	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/bin/sbcl	     	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/bin/skype		--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/vlc		--	gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/bin/valgrind	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/sbin/vboxadd-service 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/sbin/VBox.* 	--	gen_context(system_u:object_r:execmem_exec_t,s0)

policy/modules/apps/gnome.if

@@ -524,6 +524,24 @@ template(`gnome_read_home_config',`
 	read_files_pattern($1, config_home_t, config_home_t)
 ')
 
+########################################
+## <summary>
+##	manage gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_manage_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	manage_files_pattern($1, config_home_t, config_home_t)
+')
+
 ########################################
 ## <summary>
 ##	Read/Write all inherited gnome home config 

policy/modules/apps/mozilla.if

@@ -216,6 +216,8 @@ interface(`mozilla_run_plugin',`
 
 	mozilla_domtrans_plugin($1)
 	role $2 types mozilla_plugin_t;
+
+	allow mozilla_plugin_t $1:process signull;	
 ')
 
 ########################################

policy/modules/apps/mozilla.te

@@ -42,6 +42,10 @@ role system_r types mozilla_plugin_t;
 type mozilla_plugin_tmp_t;
 files_tmp_file(mozilla_plugin_tmp_t)
 
+type mozilla_plugin_tmpfs_t;
+files_tmpfs_file(mozilla_plugin_tmpfs_t)
+ubac_constrained(mozilla_plugin_tmpfs_t)
+
 permissive mozilla_plugin_t;
 
 ########################################
@@ -292,7 +296,7 @@ optional_policy(`
 #
 # mozilla_plugin local policy
 #
-allow mozilla_plugin_t self:process setsched;
+allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 
 allow mozilla_plugin_t self:sem create_sem_perms;
 allow mozilla_plugin_t self:shm create_shm_perms;
@@ -305,6 +309,12 @@ manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
 
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
 kernel_read_kernel_sysctls(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
@@ -313,6 +323,8 @@ corecmd_exec_bin(mozilla_plugin_t)
 corecmd_exec_shell(mozilla_plugin_t)
 
 dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
 
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -324,18 +336,35 @@ files_read_usr_files(mozilla_plugin_t)
 fs_rw_tmpfs_files(mozilla_plugin_t)
 
 miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
 
 term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
 
 userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+
+optional_policy(`
+	dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+	gnome_manage_home_config(mozilla_plugin_t)
+')
 
 optional_policy(`
 	nsplugin_domtrans(mozilla_plugin_t)
 	nsplugin_rw_exec(mozilla_plugin_t)
+	nsplugin_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+	pulseaudio_rw_home_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
 	xserver_read_xdm_pid(mozilla_plugin_t)
 	xserver_stream_connect(mozilla_plugin_t)
 ')
+

policy/modules/apps/nsplugin.te

@@ -129,6 +129,7 @@ fs_rw_anon_inodefs_files(nsplugin_t)
 fs_list_inotifyfs(nsplugin_t)
 
 storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
 
 term_dontaudit_getattr_all_ptys(nsplugin_t)
 term_dontaudit_getattr_all_ttys(nsplugin_t)

policy/modules/apps/telepathy.te

@@ -53,6 +53,7 @@ exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
 
 corenet_sendrecv_http_client_packets(telepathy_msn_t)
 corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
@@ -72,6 +73,8 @@ kernel_read_system_state(telepathy_msn_t)
 
 auth_use_nsswitch(telepathy_msn_t)
 
+libs_exec_ldconfig(telepathy_msn_t)
+
 logging_send_syslog_msg(telepathy_msn_t)
 
 miscfiles_read_certs(telepathy_msn_t)
@@ -122,7 +125,7 @@ corenet_tcp_connect_vnc_port(telepathy_gabble_t)
 dev_read_rand(telepathy_gabble_t)
 dev_read_urand(telepathy_gabble_t)
 
-files_read_etc_files(telepathy_gabble_t)
+files_read_config_files(telepathy_gabble_t)
 files_read_usr_files(telepathy_gabble_t)
 
 miscfiles_read_certs(telepathy_gabble_t)

policy/modules/apps/vmware.te

@@ -160,7 +160,10 @@ netutils_domtrans_ping(vmware_host_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(vmware_host_t)
+')
 
+optional_policy(`
+	shutdown_domtrans(vmware_host_t)
 ')
 
 optional_policy(`

policy/modules/kernel/corecommands.fc

@@ -115,6 +115,8 @@ ifdef(`distro_debian',`
 /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
 ')
 
+/etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /lib
 #

policy/modules/kernel/devices.fc

@@ -159,7 +159,6 @@ ifdef(`distro_suse', `
 
 /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 
-/dev/hugepages(/.*)?		<<none>>
 /dev/mqueue(/.*)?		<<none>>
 /dev/pts(/.*)?			<<none>>
 

policy/modules/kernel/devices.if

@@ -316,6 +316,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
 	dontaudit $1 device_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	read generic files in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_read_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	read_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic files in /dev.

policy/modules/kernel/filesystem.fc

@@ -4,4 +4,8 @@
 /cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
 /cgroup/.*		<<none>>
 
+/sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
 /sys/fs/cgroup(/.*)?	<<none>>
+
+/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)?		<<none>>

policy/modules/services/apache.if

@@ -18,6 +18,7 @@ template(`apache_content_template',`
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 		type httpd_sys_content_t;
 	')
+
 	#This type is for webpages
 	type httpd_$1_content_t; # customizable;
 	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
@@ -32,6 +33,8 @@ template(`apache_content_template',`
 	domain_type(httpd_$1_script_t)
 	role system_r types httpd_$1_script_t;
 
+	search_dirs_pattern($1, httpd_sys_content_t, httpd_script_exec_type)
+
 	# This type is used for executable scripts files
 	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
 	corecmd_shell_entry_type(httpd_$1_script_t)

policy/modules/services/apm.te

@@ -228,13 +228,9 @@ optional_policy(`
 	udev_read_state(apmd_t) #necessary?
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(apmd_t)
 ')
-', `
-   permissive apmd_t;
-')
 
 optional_policy(`
 	vbetool_domtrans(apmd_t)

policy/modules/services/clamav.te

@@ -183,12 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
 # log files (own logfiles only)
 manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
 allow freshclam_t freshclam_var_log_t:dir setattr;
-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
 
 kernel_read_kernel_sysctls(freshclam_t)
 kernel_read_system_state(freshclam_t)
 
+corecmd_exec_shell(freshclam_t)
+corecmd_exec_bin(freshclam_t)
+
 corenet_all_recvfrom_unlabeled(freshclam_t)
 corenet_all_recvfrom_netlabel(freshclam_t)
 corenet_tcp_sendrecv_generic_if(freshclam_t)

policy/modules/services/devicekit.te

@@ -182,17 +182,11 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(devicekit_t)
 	unconfined_domain(devicekit_power_t)
 	unconfined_domain(devicekit_disk_t)
 ')
-', `
-	permissive devicekit_t;
-	permissive devicekit_power_t;
-	permissive devicekit_disk_t;
-')
 
 ########################################
 #
@@ -251,6 +245,7 @@ modutils_domtrans_insmod(devicekit_power_t)
 
 sysnet_read_config(devicekit_power_t)
 sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
 
 userdom_read_all_users_state(devicekit_power_t)
 

policy/modules/services/icecast.te

@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow icecast to connect to all ports, not just
+## sound ports.
+## </p>
+## </desc>
+gen_tunable(icecast_connect_any, false)
+
 type icecast_t;
 type icecast_exec_t;
 init_daemon_domain(icecast_t, icecast_exec_t)
@@ -42,6 +50,12 @@ kernel_read_system_state(icecast_t)
 corenet_tcp_bind_soundd_port(icecast_t)
 corenet_tcp_connect_soundd_port(icecast_t)
 
+tunable_policy(`icecast_connect_any',`
+	corenet_tcp_connect_all_ports(icecast_t)
+	corenet_tcp_bind_all_ports(icecast_t)
+	corenet_sendrecv_all_packets(icecast_t)
+')
+
 # Init script handling
 domain_use_interactive_fds(icecast_t)
 

policy/modules/services/openvpn.te

@@ -51,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
-allow openvpn_t self:tun_socket create;
+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
 
 can_exec(openvpn_t, openvpn_etc_t)

policy/modules/services/piranha.te

@@ -114,6 +114,10 @@ optional_policy(`
 	apache_exec(piranha_web_t)
 ')
 
+optional_policy(`
+	gnome_dontaudit_search_config(piranha_web_t)
+')
+
 optional_policy(`
         sasl_connect(piranha_web_t)
 ')

policy/modules/services/policykit.te

@@ -107,7 +107,7 @@ optional_policy(`
 # polkit_auth local policy
 #
 
-allow policykit_auth_t self:capability { setgid setuid };
+allow policykit_auth_t self:capability { ipc_lock setgid setuid };
 dontaudit policykit_auth_t self:capability sys_tty_config;
 allow policykit_auth_t self:process { getattr getsched signal };
 allow policykit_auth_t self:fifo_file rw_fifo_file_perms;

policy/modules/services/rgmanager.te

@@ -209,13 +209,9 @@ optional_policy(`
 	virt_stream_connect(rgmanager_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(rgmanager_t)
 ')
-', `
-	permissive rgmanager_t;
-')
 
 optional_policy(`
 	xen_domtrans_xm(rgmanager_t)

policy/modules/services/rwho.te

@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t)
 init_read_utmp(rwho_t)
 init_dontaudit_write_utmp(rwho_t)
 
+logging_send_syslog_msg(rwho_t)
+
 miscfiles_read_localization(rwho_t)
 
 sysnet_dns_name_resolve(rwho_t)
+

policy/modules/services/virt.te

@@ -446,13 +446,9 @@ optional_policy(`
 	udev_read_db(virtd_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(virtd_t)
 ')
-', `
-   permissive virtd_t;
-')
 
 ########################################
 #

policy/modules/services/xserver.if

@@ -1283,6 +1283,7 @@ interface(`xserver_stream_connect',`
 
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+	allow xserver $1:shm rw_shm_perms;
 ')
 
 ########################################

policy/modules/services/xserver.te

@@ -775,6 +775,7 @@ optional_policy(`
 optional_policy(`
 	plymouthd_search_spool(xdm_t)
 	plymouthd_exec_plymouth(xdm_t)
+	plymouthd_stream_connect(xdm_t)
 ')
 
 optional_policy(`
@@ -1093,14 +1094,10 @@ optional_policy(`
 	udev_read_db(xserver_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(xserver_t)
 	unconfined_domtrans(xserver_t)
 ')
-', `
-   permissive xserver_t;
-')
 
 optional_policy(`
 	userhelper_search_config(xserver_t)

policy/modules/system/authlogin.if

@@ -66,6 +66,10 @@ interface(`auth_use_pam',`
 		optional_policy(`
 			consolekit_dbus_chat($1)
 		')
+
+		optional_policy(`
+			fprintd_dbus_chat($1)
+		')
 	')
 
 	optional_policy(`

policy/modules/system/fstools.te

@@ -154,13 +154,9 @@ seutil_read_config(fsadm_t)
 term_use_all_terms(fsadm_t)
 
 ifdef(`distro_redhat',`
-ifdef(`enforcing',`
 	optional_policy(`
 		unconfined_domain(fsadm_t)
 	')
-', `
-   permissive fsadm_t;
-')
 ')
 
 optional_policy(`

policy/modules/system/init.if

@@ -745,6 +745,7 @@ interface(`init_telinit',`
 			type init_t;
 		')
 
+		allow $1 init_t:process signal;
 		# upstart uses a datagram socket instead of initctl pipe
 		allow $1 self:unix_dgram_socket create_socket_perms;
 		allow $1 init_t:unix_dgram_socket sendto;

policy/modules/system/iptables.te

@@ -135,6 +135,7 @@ optional_policy(`
 
 optional_policy(`
 	shorewall_rw_lib_files(iptables_t)
+	shorewall_read_tmp_files(iptables_t)
 ')
 
 optional_policy(`

policy/modules/system/libraries.if

@@ -44,6 +44,26 @@ interface(`libs_run_ldconfig',`
 	role $2 types ldconfig_t;
 ')
 
+########################################
+## <summary>
+##	Execute ldconfig in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`libs_exec_ldconfig',`
+	gen_require(`
+		type ldconfig_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ldconfig_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Use the dynamic link/loader for automatic loading

policy/modules/system/libraries.te

@@ -151,10 +151,6 @@ optional_policy(`
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(ldconfig_t)
 ')'
-, `
-	permissive ldconfig_t;
-')

policy/modules/system/lvm.te

@@ -142,13 +142,9 @@ lvm_domtrans(clvmd_t)
 lvm_read_config(clvmd_t)
 
 ifdef(`distro_redhat',`
-ifdef(`enforcing',`
 	optional_policy(`
 		unconfined_domain(clvmd_t)
 	')
-', `
-	permissive clvmd_t;
-')
 ')
 
 optional_policy(`
@@ -326,13 +322,9 @@ ifdef(`distro_redhat',`
 	# this is from the initrd:
 	files_rw_isid_type_dirs(lvm_t)
 
-ifdef(`enforcing',`
 	optional_policy(`
 		unconfined_domain(lvm_t)
 	')
-', `
-	permissive lvm_t;
-')
 ')
 
 optional_policy(`

policy/modules/system/modutils.te

@@ -99,14 +99,10 @@ optional_policy(`
 	rpm_manage_script_tmp_files(depmod_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	# Read System.map from home directories.
 	unconfined_domain(depmod_t)
 ')
-', `
-	permissive depmod_t;
-')
 
 ########################################
 #
@@ -247,14 +243,10 @@ optional_policy(`
 	rpm_rw_pipes(insmod_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')
-', `
-	permissive insmod_t;
-')
 
 optional_policy(`
 	virt_dontaudit_write_pipes(insmod_t)

policy/modules/system/raid.te

@@ -53,6 +53,7 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 # unfortunately needed for DMI decoding:
 dev_read_raw_memory(mdadm_t)
+dev_read_generic_files(mdadm_t)
 
 domain_use_interactive_fds(mdadm_t)
 
@@ -60,7 +61,8 @@ files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
 files_dontaudit_getattr_tmpfs_files(mdadm_t)
 
-fs_search_auto_mountpoints(mdadm_t)
+fs_list_hugetlbfs(mdadm_t)
+fs_list_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
 
 mls_file_read_all_levels(mdadm_t)
@@ -97,10 +99,6 @@ optional_policy(`
 	udev_read_db(mdadm_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(mdadm_t)
 ')
-', `
-	permissive mdadm_t;
-')

policy/modules/system/selinuxutil.te

@@ -536,10 +536,6 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(setfiles_mac_t)
 ')
-', `
-	permissive lvm_t;
-')

policy/modules/system/sosreport.te

@@ -149,10 +149,6 @@ optional_policy(`
 	xserver_stream_connect(sosreport_t)
 ')
 
-ifdef(`enforcing',`
 optional_policy(`
 	unconfined_domain(sosreport_t)
 ')
-', `
-	permissive sosreport_t;
-')

policy/modules/system/udev.te

@@ -196,13 +196,9 @@ ifdef(`distro_redhat',`
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
 
-	ifdef(`enforcing',`
 	optional_policy(`
 		unconfined_domain(udev_t)
 	')
-	', `
-	   permissive udev_t;
-	')
 ')
 
 optional_policy(`

policy/modules/system/userdomain.fc

@@ -8,6 +8,7 @@ HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 /dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 HOME_DIR/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
 HOME_DIR/local/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)

policy/modules/system/userdomain.if

@@ -3205,7 +3205,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
 
-	dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+	dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
 ')
 
 ########################################