[selinux-policy: 1242/3172] patch from dan Mon, 20 Feb 2006 17:19:34 -0500

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:52:29 UTC 2010


commit 02bcb8b32d47a5e2ae15ab3caabea8943391ef45
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Feb 22 21:21:26 2006 +0000

    patch from dan Mon, 20 Feb 2006 17:19:34 -0500

 refpolicy/Changelog                            |    1 +
 refpolicy/policy/modules/admin/su.if           |   19 ++--
 refpolicy/policy/modules/admin/su.te           |    2 +-
 refpolicy/policy/modules/apps/slocate.te       |    4 +-
 refpolicy/policy/modules/kernel/devices.if     |   38 ++++++++
 refpolicy/policy/modules/kernel/devices.te     |    2 +-
 refpolicy/policy/modules/services/cron.if      |    2 +-
 refpolicy/policy/modules/services/cron.te      |    6 +-
 refpolicy/policy/modules/services/cups.if      |   19 ++++
 refpolicy/policy/modules/services/cups.te      |    2 +-
 refpolicy/policy/modules/services/ssh.if       |    2 +
 refpolicy/policy/modules/services/ssh.te       |    2 +-
 refpolicy/policy/modules/system/authlogin.te   |    4 +-
 refpolicy/policy/modules/system/selinuxutil.fc |    7 +-
 refpolicy/policy/modules/system/selinuxutil.if |  121 ++++++++++++++++++++++++
 refpolicy/policy/modules/system/selinuxutil.te |   67 ++++++++++++--
 refpolicy/policy/modules/system/userdomain.if  |   13 +++
 refpolicy/policy/modules/system/userdomain.te  |    8 +-
 18 files changed, 287 insertions(+), 32 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index c3fe2dc..e3cb5e1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add semanage policy for semodule from Dan Walsh.
 - Remove allow_execmem from targeted policy domain_base_type().
 - Add users_extra and seusers support.
 - Postfix fixes from Serge Hallyn.
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b73cdf5..63baa2e 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -220,6 +220,14 @@ template(`su_per_userdomain_template',`
 		nscd_socket_use($1_su_t)
 	')
 
+	# Modify .Xauthority file (via xauth program).
+	optional_policy(`xserver',`
+#		file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+#		file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+#		file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+		xserver_domtrans_user_xauth($1, $1_su_t)
+	')
+
 	ifdef(`TODO',`
 	# Caused by su - init scripts
 	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
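Review bot: The three commented-out `file_type_auto_trans` lines in the new xserver `optional_policy` block leave it unclear whether `$1_su_t` is still meant to create `.Xauthority` with the xauth home type, because only `xserver_domtrans_user_xauth($1, $1_su_t)` is active. Either delete them or replace them with a single comment that records the decision, for example `# xauth runs in its own domain and labels .Xauthority itself; no file transition is needed in $1_su_t`, if that is the intent. The enclosing `su_per_userdomain_template` begins and ends outside this hunk.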
@@ -235,17 +243,6 @@ template(`su_per_userdomain_template',`
 	dontaudit $1_su_t home_dir_type:dir { search write };
 	')
 
-	# Modify .Xauthority file (via xauth program).
-	ifdef(`xauth.te', `
-	file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-	file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-	file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-	domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
-	')
-
-	ifdef(`cyrus.te', `
-	allow $1_su_t cyrus_var_lib_t:dir search;
-	')
 	ifdef(`ssh.te', `
 	# Access sshd cookie files.
 	allow $1_su_t sshd_tmp_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index a3d8488..15ce8c0 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
 
-policy_module(su,1.2.1)
+policy_module(su,1.2.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/apps/slocate.te b/refpolicy/policy/modules/apps/slocate.te
index 7c71035..8cbc4f9 100644
--- a/refpolicy/policy/modules/apps/slocate.te
+++ b/refpolicy/policy/modules/apps/slocate.te
@@ -1,5 +1,5 @@
 
-policy_module(slocate,1.0.1)
+policy_module(slocate,1.0.2)
 
 #################################
 #
@@ -38,6 +38,8 @@ files_list_all(locate_t)
 files_getattr_all_files(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
+# mls Higher level directories will be refused, so dontaudit
+files_dontaudit_getattr_all_dirs(locate_t)
 
 fs_getattr_xattr_fs(locate_t)
 
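Review bot: `files_dontaudit_getattr_all_dirs(locate_t)` is added unconditionally, so getattr denials on directories are silenced in every policy build, not only where MLS levels cause them as the comment says. Placing the rule inside the policy's MLS build conditional would keep unexpected denials visible in the audit log on non-MLS systems. The comment would also read more clearly as `# Under MLS, getattr on directories at higher levels is denied; do not audit those denials.`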
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 45a9d27..6f131b4 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1058,6 +1058,44 @@ interface(`dev_rw_crypto',`
 
 ########################################
 ## <summary>
+##	getattr the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Setattr the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Read and write the dri devices.
 ## </summary>
 ## <param name="domain">
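Review bot: Both new interfaces grant `device_t:dir r_dir_perms`, which lets the caller list `/dev` as well as traverse it, although `dev_getattr_dri_dev` and `dev_setattr_dri_dev` only need to reach the DRI nodes. If search-only access is enough, `allow $1 device_t:dir search_dir_perms;` would be the narrower grant (`search_dir_perms` is used elsewhere in this commit). The neighbouring interfaces are outside the hunk, so this may simply follow the file's existing convention. The first summary should also be capitalised like the second: `##	Getattr the dri devices.`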
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index b1a555b..ac5c603 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.0.3)
+policy_module(devices,1.0.4)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index ccaf8b9..289c073 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -544,7 +544,7 @@ interface(`cron_rw_system_job_pipes',`
 		type system_crond_t;
 	')
 
-	allow $1 system_crond_t:file rw_file_perms;
+	allow $1 system_crond_t:fifo_file rw_file_perms;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index b1ebb3d..370168b 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron,1.2.1)
+policy_module(cron,1.2.2)
 
 gen_require(`
 	class passwd rootok;
@@ -392,6 +392,10 @@ ifdef(`targeted_policy',`
 		nscd_socket_use(system_crond_t)
 	')
 
+	optional_policy(`postfix',`
+		postfix_read_config(system_crond_t)
+	')	
+
 	optional_policy(`prelink',`
 		prelink_read_cache(system_crond_t)
 		prelink_manage_log(system_crond_t)
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index 4c63008..1c8220f 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -169,6 +169,25 @@ interface(`cups_read_log',`
 
 ########################################
 ## <summary>
+##	Write cups log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_write_log',`
+	gen_require(`
+		type cupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 cupsd_log_t:file write;
+')
+
+########################################
+## <summary>
 ##	Connect to ptal over an unix domain stream socket.
 ## </summary>
 ## <param name="domain">
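Review bot: `cups_write_log` grants `cupsd_log_t:file write`, which permits overwriting existing log content as well as adding to it; for a log file an append-only grant is the usual least-privilege choice and keeps earlier records intact. If the intended caller only appends, `allow $1 cupsd_log_t:file append;` would be enough and the summary would become `Append to cups log files.` No caller of the interface is visible in this commit, so the access actually required cannot be confirmed from the page.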
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 327f202..8429050 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.2.1)
+policy_module(cups,1.2.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 085171e..813060c 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -279,6 +279,8 @@ template(`ssh_per_userdomain_template',`
 
 	allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
 
+	allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };
+
 	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
 
 	# for ssh-add
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 9828be8..79cae69 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.2.0)
+policy_module(ssh,1.2.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index defb023..69d9c27 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.2.1)
+policy_module(authlogin,1.2.2)
 
 ########################################
 #
@@ -153,6 +153,8 @@ kernel_read_system_state(pam_console_t)
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_dri_dev(pam_console_t)
+dev_setattr_dri_dev(pam_console_t)
 dev_getattr_framebuffer_dev(pam_console_t)
 dev_setattr_framebuffer_dev(pam_console_t)
 dev_getattr_misc_dev(pam_console_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
index 8364ca4..58c4f9e 100644
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -4,13 +4,13 @@
 # /etc
 #
 /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
-
 /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
-
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
+/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?     --	gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux([^/]*/)?modules/semanage.read.LOCK    --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux([^/]*/)?modules/semanage.trans.LOCK   --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)?	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
 
 #
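Review bot: The three new `modules` entries start with `/etc/selinux([^/]*/)?` whereas every neighbouring entry starts with `/etc/selinux/([^/]*/)?`; without the slash after `selinux` the optional group can only consume a single `/`, so the patterns match `/etc/selinux/modules/...` but not a per-policy store such as `/etc/selinux/<policyname>/modules/...`. Those paths would then presumably fall through to the `/etc/selinux(/.*)?` entry and stay `selinux_config_t`, leaving `semanage_store_t` and the two lock types unapplied. The prefix should be `/etc/selinux/([^/]*/)?modules/` on all three lines. Separately, the `--` on the store entry restricts it to regular files, so the `active`, `tmp` and `previous` directories themselves are not labelled `semanage_store_t`, and the dots in `semanage.read.LOCK` and `semanage.trans.LOCK` are unescaped.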
@@ -35,6 +35,7 @@
 /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
 /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
 /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index bb82023..d6a3b65 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -778,3 +778,124 @@ interface(`seutil_manage_src_policy',`
 	allow $1 policy_src_t:dir create_dir_perms;
 	allow $1 policy_src_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##	Execute a domain transition to run semanage.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_semanage',`
+	gen_require(`
+		type semanage_t, semanage_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,semanage_exec_t,semanage_t)
+
+	allow $1 semanage_t:fd use;
+	allow semanage_t $1:fd use;
+	allow semanage_t $1:fifo_file rw_file_perms;
+	allow semanage_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute semanage in the semanage domain, and
+##	allow the specified role the semanage domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the checkpolicy domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the semanage domain to use.
+##	</summary>
+## </param>
+#
+interface(`seutil_run_semanage',`
+	gen_require(`
+		type semanage_t;
+	')
+
+	seutil_domtrans_semanage($1)
+	role $2 types semanage_t;
+	allow semanage_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Full management of the semanage
+##	module store.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_module_store',`
+	gen_require(`
+		type selinux_config_t, semanage_store_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir rw_dir_perms;
+	type_transition $1 selinux_config_t:dir semanage_store_t;
+
+	allow $1 semanage_store_t:dir create_dir_perms;
+	allow $1 semanage_store_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+##	Get read lock on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`seutil_get_semanage_read_lock',`
+	gen_require(`
+		type selinux_config_t, semanage_read_lock_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 semanage_read_lock_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Get trans lock on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`seutil_get_semanage_trans_lock',`
+	gen_require(`
+		type selinux_config_t, semanage_trans_lock_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir search_dir_perms;
+	allow $1 semanage_trans_lock_t:file rw_file_perms;
+')
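Review bot: `seutil_manage_module_store` adds a `type_transition` only for class `dir`, and the two lock interfaces grant `rw_file_perms` with no create permission or transition, so nothing visible here gives a newly created `semanage.read.LOCK` or `semanage.trans.LOCK` its lock type; such a file would presumably inherit the parent directory's type until relabelled. The interface summaries should say whether the lock files are expected to exist already with the right label. The same interface also gives the caller `rw_dir_perms` on `selinux_config_t:dir`, which reaches beyond the store itself and deserves a comment explaining that it is needed to create the store directory. In `seutil_run_semanage` the `role` parameter text is a copy-paste leftover and should read `The role to be allowed the semanage domain.`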
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index aeb7218..187e4c4 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.1.5)
+policy_module(selinuxutil,1.1.6)
 
 gen_require(`
 	bool secure_mode;
@@ -89,6 +89,22 @@ domain_type(run_init_t)
 domain_entry_file(run_init_t,run_init_exec_t)
 domain_system_change_exemption(run_init_t)
 
+type semanage_t;
+domain_type(semanage_t)
+
+type semanage_exec_t;
+domain_entry_file(semanage_t, semanage_exec_t)
+role system_r types semanage_t;
+
+type semanage_store_t;
+files_type(semanage_store_t)
+
+type semanage_read_lock_t;
+files_type(semanage_read_lock_t)
+
+type semanage_trans_lock_t; 
+files_type(semanage_trans_lock_t)
+
 type setfiles_t, can_relabelto_binary_policy;
 domain_obj_id_change_exemption(setfiles_t)
 domain_type(setfiles_t)
@@ -466,6 +482,47 @@ ifdef(`targeted_policy',`',`
 
 ########################################
 #
+# semodule local policy
+#
+
+allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+
+allow semanage_t policy_config_t:file { read write };
+
+kernel_read_system_state(semanage_t)
+kernel_read_kernel_sysctls(semanage_t)
+
+corecmd_exec_bin(semanage_t)
+corecmd_exec_sbin(semanage_t)
+
+files_read_etc_files(semanage_t)
+files_read_usr_files(semanage_t)
+files_list_pids(semanage_t)
+
+mls_file_write_down(semanage_t)
+mls_rangetrans_target(semanage_t)
+
+selinux_get_enforce_mode(semanage_t)
+
+term_use_all_terms(semanage_t)
+
+libs_use_ld_so(semanage_t)
+libs_use_shared_libs(semanage_t)
+libs_use_lib_files(semanage_t)
+
+seutil_search_default_contexts(semanage_t)
+seutil_rw_file_contexts(semanage_t)
+seutil_domtrans_setfiles(semanage_t)
+seutil_domtrans_loadpolicy(semanage_t)
+seutil_read_config(semanage_t)
+seutil_manage_bin_policy(semanage_t)
+seutil_use_newrole_fds(semanage_t)
+seutil_manage_module_store(semanage_t)
+seutil_get_semanage_trans_lock(semanage_t)
+seutil_get_semanage_read_lock(semanage_t)
+
+########################################
+#
 # Setfiles local policy
 #
 
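Review bot: `term_use_all_terms(semanage_t)` lets the new domain use every terminal on the system, while `seutil_run_semanage` in this same commit already grants `rw_term_perms` on the caller's own terminal. Unless semodule has a known need for other terminals, dropping the line keeps a policy-modifying domain away from unrelated sessions' ttys. The explicit `allow semanage_t policy_config_t:file { read write };` also looks redundant next to `seutil_manage_bin_policy(semanage_t)`, whose definition is outside this page; if it is kept, a one-line comment saying why would help. The section header says `semodule local policy` although the types are named `semanage_*`, so the header comment could name both.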
@@ -525,12 +582,8 @@ logging_send_syslog_msg(setfiles_t)
 
 miscfiles_read_localization(setfiles_t)
 
+seutil_get_semanage_read_lock(setfiles_t)
+
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
 userdom_read_all_users_home_content_files(setfiles_t)
-
-ifdef(`TODO',`
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9cb8e88..4738506 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -145,6 +145,7 @@ template(`base_user_template',`
 	allow $1_t unpriv_userdomain:fd use;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_net_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -414,6 +415,8 @@ template(`base_user_template',`
 	optional_policy(`rpm',`
 		files_getattr_var_lib_dirs($1_t)
 		files_search_var_lib($1_t)
+		rpm_read_db($1_t)
+		rpm_dontaudit_manage_db($1_t)
 	')
 
 	optional_policy(`samba',`
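Review bot: `rpm_dontaudit_manage_db($1_t)` in the rpm block carries no comment, and going by its name it silences denied attempts by every user domain to modify the RPM database; its definition is outside this page. Those denials are a useful signal for anyone watching the audit log for package-database tampering, so the reason for hiding them should be recorded next to the call. If the cause is that query tools open the database read-write before falling back, a comment such as `# rpm queries try to open the db read-write; do not audit the expected denial` would make that explicit. The enclosing `base_user_template` starts and ends outside the hunk.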
@@ -3944,6 +3947,8 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
 		type user_home_t;
 	')
 
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
 	allow $1 user_home_t:dir create_dir_perms;
 ')
 
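Review bot: The added `allow $1 user_home_dir_t:dir search_dir_perms;` references `user_home_dir_t`, but the visible tail of the `gen_require` block lists only `type user_home_t;`. Unless the type is required on a line above the hunk, the block should read `type user_home_t, user_home_dir_t;` so that the interface declares every type it uses. The same applies to the four following hunks, for the `_content_files`, `_content_symlinks`, `_content_pipes` and `_content_sockets` interfaces. Each of these interfaces starts outside its hunk.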
@@ -3963,6 +3968,8 @@ interface(`userdom_manage_generic_user_home_content_files',`
 		type user_home_t;
 	')
 
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:file create_file_perms;
 ')
@@ -3983,6 +3990,8 @@ interface(`userdom_manage_generic_user_home_content_symlinks',`
 		type user_home_t;
 	')
 
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:lnk_file create_lnk_perms;
 ')
@@ -4003,6 +4012,8 @@ interface(`userdom_manage_generic_user_home_content_pipes',`
 		type user_home_t;
 	')
 
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:fifo_file create_file_perms;
 ')
@@ -4023,6 +4034,8 @@ interface(`userdom_manage_generic_user_home_content_sockets',`
 		type user_home_t;
 	')
 
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir search_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:sock_file create_file_perms;
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 6f8a6e2..6db0b1b 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.2.8)
+policy_module(userdomain,1.2.9)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -70,12 +70,12 @@ ifdef(`targeted_policy',`
 	unconfined_alias_domain(sysadm_t)
 
 	# User home directory type.
-	type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
+	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
 	files_type(user_home_t)
 	files_associate_tmp(user_home_t)
 	fs_associate_tmpfs(user_home_t)
 
-	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type;
+	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
 	files_type(user_home_dir_t)
 	files_associate_tmp(user_home_dir_t)
 	fs_associate_tmpfs(user_home_dir_t)
@@ -363,6 +363,7 @@ ifdef(`targeted_policy',`
 			seutil_manage_bin_policy(secadm_t)
 			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
 			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
+			seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
 			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
 			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
 		', `
@@ -373,6 +374,7 @@ ifdef(`targeted_policy',`
 			seutil_manage_bin_policy(sysadm_t)
 			seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
 			seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
 			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 		')
 	')

