[selinux-policy: 2838/3172] Policy fixes

[Daniel J Walsh]

commit 2d4a79a0611f2446eb1e27a4afbad7d0258267ba
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Aug 30 08:57:06 2010 -0400

    Policy fixes

 policy/modules/apps/gnome.if           |   20 +++++++++++++++++++-
 policy/modules/roles/unconfineduser.te |    6 +++++-
 policy/modules/services/icecast.te     |    1 +
 policy/modules/system/udev.te          |    4 ++++
 4 files changed, 29 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 852f36f..92ab0c3 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -471,7 +471,7 @@ interface(`gnome_stream_connect',`
 
 ########################################
 ## <summary>
-##	read gnome homedir content (.config)
+##	list gnome homedir content (.config)
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
@@ -489,6 +489,24 @@ template(`gnome_list_home_config',`
 
 ########################################
 ## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_read_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	read_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
 ##	Read/Write all inherited gnome home config 
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index faef468..821d0dd 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -186,7 +186,11 @@ optional_policy(`
 	')
 
 	optional_policy(`
-		xserver_rw_shm(unconfined_usertype)
+		gen_require(`
+			type user_tmpfs_t;
+		')
+	
+		xserver_rw_session(unconfined_usertype, user_tmpfs_t)
 		xserver_run_xauth(unconfined_usertype, unconfined_r)
 		xserver_dbus_chat_xdm(unconfined_usertype)
 	')
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index fbcdd74..f441c9a 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -40,6 +40,7 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
 kernel_read_system_state(icecast_t)
 
 corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
 
 # Init script handling
 domain_use_interactive_fds(icecast_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a5d4a43..6581e4b 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -245,6 +245,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_read_home_config(udev_t)
+')
+
+optional_policy(`
 	lvm_domtrans(udev_t)
 ')