##
## Disable transitions to evolution domains.
diff --git a/refpolicy/policy/modules/apps/games.fc b/refpolicy/policy/modules/apps/games.fc
new file mode 100644
index 00000000..e35e2b52
--- /dev/null
+++ b/refpolicy/policy/modules/apps/games.fc
@@ -0,0 +1,67 @@
+#
+# /usr
+#
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+ifdef(`distro_debian', `
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+', `
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+')dnl end non-Debian section
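Review bot: `/usr/bin/micq` in the non-Debian branch appears to be an ICQ instant-messaging client rather than a game, so giving it games_exec_t would run a chat client inside the per-user games domain with the broad network access that games.if grants that domain; if the placement is deliberate it deserves a comment, otherwise the entry should be dropped. The Debian branch's `/usr/games/.* --` also matches only regular files directly under /usr/games, so anything in a subdirectory falls back to the default /usr labelling; `/usr/games(/.*)?` would cover those as well, if that is wanted.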
diff --git a/refpolicy/policy/modules/apps/games.if b/refpolicy/policy/modules/apps/games.if
new file mode 100644
index 00000000..03310d0b
--- /dev/null
+++ b/refpolicy/policy/modules/apps/games.if
@@ -0,0 +1,174 @@
+## Games
+
+#######################################
+##
+## The per user domain template for the games module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for games.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`games_per_userdomain_template',`
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_games_t;
+ domain_type($1_games_t)
+ role $3 types $1_games_t;
+
+ type $1_games_devpts_t;
+ term_pty($1_games_devpts_t)
+
+ type $1_games_tmpfs_t;
+ files_tmpfs_file($1_games_tmpfs_t)
+
+ type $1_games_tmp_t;
+ files_tmp_file($1_games_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_games_t self:sem create_sem_perms;
+ allow $1_games_t self:tcp_socket create_stream_socket_perms;
+ allow $1_games_t self:udp_socket create_socket_perms;
+ allow $1_games_t self:tcp_socket { connectto sendto recvfrom };
+ allow $1_games_t self:tcp_socket { acceptfrom recvfrom };
+
+ allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
+ allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
+ allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
+ allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
+ fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
+ allow $1_games_t $1_games_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
+
+ allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
+ term_create_pty($1_games_t,$1_games_devpts_t)
+
+ allow $1_games_t games_data_t:dir rw_dir_perms;
+ allow $1_games_t games_data_t:file manage_file_perms;
+ allow $1_games_t games_data_t:lnk_file create_lnk_perms;
+
+ can_exec($1_games_t, games_exec_t)
+
+ allow $2 $1_games_t:unix_stream_socket connectto;
+ allow $1_games_t $2:unix_stream_socket connectto;
+
+ kernel_tcp_recvfrom($1_games_t)
+ kernel_tcp_recvfrom($1_games_t)
+ kernel_read_system_state($1_games_t)
+
+ corecmd_exec_bin($1_games_t)
+ corecmd_exec_sbin($1_games_t)
+
+ corenet_tcp_sendrecv_generic_if($1_games_t)
+ corenet_udp_sendrecv_generic_if($1_games_t)
+ corenet_raw_sendrecv_generic_if($1_games_t)
+ corenet_tcp_sendrecv_all_nodes($1_games_t)
+ corenet_udp_sendrecv_all_nodes($1_games_t)
+ corenet_raw_sendrecv_all_nodes($1_games_t)
+ corenet_tcp_sendrecv_all_ports($1_games_t)
+ corenet_udp_sendrecv_all_ports($1_games_t)
+ corenet_non_ipsec_sendrecv($1_games_t)
+ corenet_tcp_bind_all_nodes($1_games_t)
+ corenet_udp_bind_all_nodes($1_games_t)
+ corenet_tcp_bind_generic_port($1_games_t)
+ corenet_tcp_connect_generic_port($1_games_t)
+
+ dev_read_sound($1_games_t)
+ dev_write_sound($1_games_t)
+ dev_read_input($1_games_t)
+ dev_read_mouse($1_games_t)
+ dev_read_urand($1_games_t)
+
+ files_list_var($1_games_t)
+ files_search_var_lib($1_games_t)
+ files_dontaudit_search_var($1_games_t)
+ files_read_etc_files($1_games_t)
+ files_read_usr_files($1_games_t)
+ files_read_var_files($1_games_t)
+
+ init_dontaudit_rw_utmp($1_games_t)
+
+ logging_dontaudit_search_logs($1_games_t)
+
+ libs_use_shared_libs($1_games_t)
+ libs_use_ld_so($1_games_t)
+
+ miscfiles_read_man_pages($1_games_t)
+ miscfiles_read_localization($1_games_t)
+
+ sysnet_read_config($1_games_t)
+
+ userdom_manage_user_tmp_dirs($1,$1_games_t)
+ userdom_manage_user_tmp_files($1,$1_games_t)
+ userdom_manage_user_tmp_symlinks($1,$1_games_t)
+ userdom_manage_user_tmp_sockets($1,$1_games_t)
+ # Suppress .icons denial until properly implemented
+ userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
+
+ # Type transition
+ tunable_policy(`!disable_games_trans',`
+ domain_auto_trans($2, games_exec_t, $1_games_t)
+ ')
+
+ tunable_policy(`allow_execmem',`
+ allow $1_games_t self:process execmem;
+ ')
+
+ optional_policy(`nscd',`
+ nscd_socket_use($1_games_t)
+ ')
+
+ optional_policy(`xserver',`
+ xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
+ xserver_create_xdm_tmp_sockets($1_games_t)
+ xserver_read_xdm_lib_files($1_games_t)
+ ')
+
+ ifdef(`TODO',`
+ gnome_application($1_games, $1)
+ gnome_file_dialog($1_games, $1)
+ # Access /home/user/.gnome2
+ # FIXME: Change to use per app types
+ allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
+ allow $1_games_t $1_gnome_settings_t:file create_file_perms;
+ allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
+ #missing policy
+ optional_policy(`mozilla', `
+ dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
+ ')
+ ')
+')
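Review bot: `tunable_policy(`!disable_games_trans', ...)` in the "Type transition" part of the template references a boolean that nothing in this commit declares — games.te contains no `gen_tunable(disable_games_trans, false)` — so unless it is declared elsewhere the module will fail to build. `kernel_tcp_recvfrom($1_games_t)` is listed twice in a row and the second copy can go, and the two `self:tcp_socket` rules following `create_stream_socket_perms` could be merged into one. The network section (`corenet_raw_sendrecv_*`, the `*_all_ports` interfaces, `corenet_tcp_bind_all_nodes`) hands every per-user games domain raw sockets and every port, far more than the listed game clients need; trimming it to the generic TCP/UDP interfaces and the ports those games actually use would keep the domain closer to least privilege.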
diff --git a/refpolicy/policy/modules/apps/games.te b/refpolicy/policy/modules/apps/games.te
new file mode 100644
index 00000000..d1a8a34a
--- /dev/null
+++ b/refpolicy/policy/modules/apps/games.te
@@ -0,0 +1,84 @@
+
+policy_module(games,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type games_data_t;
+files_type(games_data_t)
+
+# games_t is for system operation of games, generic games daemons and
+# games recovery scripts
+type games_t;
+type games_exec_t;
+init_system_domain(games_t,games_exec_t)
+
+type games_var_run_t;
+files_pid_file(games_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit games_t self:capability sys_tty_config;
+allow games_t self:process signal_perms;
+
+allow games_t games_data_t:dir rw_dir_perms;
+allow games_t games_data_t:file manage_file_perms;
+allow games_t games_data_t:lnk_file create_lnk_perms;
+
+allow games_t games_var_run_t:file manage_file_perms;
+allow games_t games_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(games_t,games_var_run_t,file)
+
+can_exec(games_t,games_exec_t)
+
+kernel_read_kernel_sysctls(games_t)
+kernel_list_proc(games_t)
+kernel_read_proc_symlinks(games_t)
+
+dev_read_sysfs(games_t)
+
+fs_getattr_all_fs(games_t)
+fs_search_auto_mountpoints(games_t)
+
+term_dontaudit_use_console(games_t)
+
+domain_use_interactive_fds(games_t)
+
+init_use_fds(games_t)
+init_use_script_ptys(games_t)
+
+libs_use_ld_so(games_t)
+libs_use_shared_libs(games_t)
+
+logging_send_syslog_msg(games_t)
+
+miscfiles_read_localization(games_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_t)
+userdom_dontaudit_search_sysadm_home_dirs(games_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(games_t)
+ term_dontaudit_use_generic_ptys(games_t)
+ files_dontaudit_read_root_files(games_t)
+')
+
+optional_policy(`selinuxutil',`
+ seutil_sigchld_newrole(games_t)
+')
+
+optional_policy(`udev',`
+ udev_read_db(games_t)
+')
+
+ifdef(`TODO',`
+ #WHY!!!
+ #allow initrc_t games_data_t:dir r_dir_perms;
+ #allow initrc_t games_data_t:file r_file_perms;
+ #allow initrc_t games_data_t:lnk_file { getattr read };
+')
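Review bot: `init_system_domain(games_t,games_exec_t)` makes games_exec_t the entrypoint of the daemon domain, while games.if in the same commit auto-transitions user domains into $1_games_t on that same type, so every interactive game labelled in games.fc (all of /usr/bin/k*, the GNOME games, etc.) also becomes an init-launchable games_t program. If the daemon side is meant only for "generic games daemons and games recovery scripts" as the declaration comment says, a separate entrypoint type for the daemon would keep the two roles apart. The `ifdef(`TODO')` block at the end holds only commented-out initrc rules and should be removed rather than committed. games_var_run_t also has no matching entry in games.fc, so its files keep their label only through `files_pid_filetrans` and would revert to the generic label on a relabel; a context line for its /var/run path (e.g. `/var/run/games(/.*)?`, constructed) would close that gap.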
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index e4ea8848..6cf46cb8 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -711,6 +711,24 @@ interface(`xserver_read_xdm_pid',`
allow $1 xdm_var_run_t:file r_file_perms;
')
+########################################
+##
+## Read XDM var lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_read_xdm_lib_files',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+ allow $1 xdm_var_lib_t:file { getattr read };
+')
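Review bot: `xserver_read_xdm_lib_files` grants `{ getattr read }` on xdm_var_lib_t:file but nothing on the xdm_var_lib_t directory, so a caller without its own search access to that directory still cannot reach the files; the neighbouring interfaces use the permission sets (`r_file_perms` on the line just above this hunk) rather than spelled-out permission lists. Suggest `allow $1 xdm_var_lib_t:dir search_dir_perms;` followed by `allow $1 xdm_var_lib_t:file r_file_perms;`, and the summary could name which XDM files under /var/lib this is meant to expose. Whether xdm_var_lib_t is applied to the directory as well as the files is not visible from this hunk.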
+
########################################
##
## Execute the X server in the XDM X server domain.
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 2d7bfba0..d362fda6 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.0)
+policy_module(xserver,1.1.1)
########################################
#
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 10d4d26a..7bc0d88d 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -165,6 +165,24 @@ interface(`logging_search_logs',`
allow $1 var_log_t:dir search;
')
+#######################################
+##
+## Do not audit attempts to search the var log directory.
+##
+##
+##
+## Domain not to audit.
+##
+##
+#
+interface(`logging_dontaudit_search_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ dontaudit $1 var_log_t:dir search;
+')
+
#######################################
##
## List the contents of the generic log directory (/var/log).
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 90a956f7..80e22527 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.0)
+policy_module(logging,1.3.1)
########################################
#