rpms/selinux-policy/devel policy-20071130.patch,1.116,1.117

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Sat Apr 5 12:01:43 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22032

Modified Files:
	policy-20071130.patch 
Log Message:
* Fri Apr 4 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-28
- Allow radvd to use fifo_file
- dontaudit setfiles reading links
- allow semanage sys_resource
- add allow_httpd_mod_auth_ntlm_winbind boolean
- Allow privhome apps including dovecot read on nfs and cifs home 
dirs if the boolean is set


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- policy-20071130.patch	5 Apr 2008 10:39:05 -0000	1.116
+++ policy-20071130.patch	5 Apr 2008 12:01:36 -0000	1.117
@@ -5108,8 +5108,8 @@
 +HOME_DIR/\.local.*			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-04-04 12:06:55.000000000 -0400
-@@ -0,0 +1,351 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-04-05 07:58:19.000000000 -0400
+@@ -0,0 +1,352 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -5287,6 +5287,7 @@
 +	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
 +	allow $2 nsplugin_t:unix_stream_socket connectto;
 +
++	userdom_delete_user_tmpfs_files($1, nsplugin_t)
 +	userdom_use_user_terminals($1, nsplugin_t)
 +	userdom_use_user_terminals($1, nsplugin_config_t)
 +')
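Review bot: The added `userdom_delete_user_tmpfs_files($1, nsplugin_t)` call has no comment saying which tmpfs files the plugin domain needs to unlink, and the interface grants more than its name suggests. As defined later in this diff, it also allows searching tmpfs, listing `$1_tmpfs_t` directories and reading symlinks there. The same applies to `unconfined_delete_tmpfs_files(nsplugin_t)`, added in the nsplugin.te hunk below. Because nsplugin_t presumably runs browser plugin content, I would put a line above each call such as `# nsplugin removes shared-memory files created by the calling user domain (confirm which ones)` so the grant can be re-checked later. The enclosing interface starts before this hunk, so its other rules are not visible here.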
@@ -5463,8 +5464,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-04 12:06:55.000000000 -0400
-@@ -0,0 +1,184 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-05 07:52:00.000000000 -0400
+@@ -0,0 +1,186 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5549,6 +5550,7 @@
 +fs_list_inotifyfs(nsplugin_t)
 +fs_manage_tmpfs_files(nsplugin_t)
 +fs_getattr_tmpfs(nsplugin_t)
++fs_getattr_xattr_fs(nsplugin_t)
 +
 +term_dontaudit_getattr_all_user_ptys(nsplugin_t)
 +term_dontaudit_getattr_all_user_ttys(nsplugin_t)
@@ -5597,6 +5599,7 @@
 +
 +optional_policy(`
 +	unconfined_execmem_signull(nsplugin_t)
++	unconfined_delete_tmpfs_files(nsplugin_t)
 +')
 +
 +optional_policy(`
@@ -8247,7 +8250,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-04-05 07:45:49.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -8810,9 +8813,9 @@
 +
 +	seutil_domtrans_setfiles($1)
 +
-+	manage_app_pattern($1, httpd_tmp_t)
-+	manage_app_pattern($1, httpd_php_tmp_t)
-+	manage_app_pattern($1, httpd_suexec_tmp_t)
++	manage_all_pattern($1, httpd_tmp_t)
++	manage_all_pattern($1, httpd_php_tmp_t)
++	manage_all_pattern($1, httpd_suexec_tmp_t)
 +	files_tmp_filetrans($1, httpd_tmp_t, { file dir })
 +
 +#	apache_set_booleans($1, $2, $3, httpd_bool_t )
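Review bot: The definition of `manage_all_pattern` is not part of this diff, so the object classes these three calls grant on `httpd_tmp_t`, `httpd_php_tmp_t` and `httpd_suexec_tmp_t` cannot be checked from here. The `files_tmp_filetrans($1, httpd_tmp_t, { file dir })` line that follows names only files and directories. If the macro also covers symlinks, sockets, fifos or relabelling, the domain passed as `$1` receives more than the transition needs. A comment above the calls, for example `# manage_all_pattern: dirs, files, lnk_files, fifo_files, sock_files (verify against the macro definition)`, would record the intended scope. The enclosing interface begins and ends outside the hunk.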
@@ -26306,7 +26309,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-05 07:50:51.000000000 -0400
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -27324,7 +27327,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2008-04-05 07:22:08.000000000 -0400
 @@ -133,6 +133,7 @@
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27374,7 +27377,7 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -304,3 +311,9 @@
+@@ -304,3 +311,11 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -27384,9 +27387,11 @@
 +
 +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/oracle/.*/lib/libnnz10\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.te	2008-04-04 17:42:06.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.te	2008-04-05 07:34:59.000000000 -0400
 @@ -23,6 +23,9 @@
  init_system_domain(ldconfig_t,ldconfig_exec_t)
  role system_r types ldconfig_t;
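Review bot: The new `libnnz10\.so` entry uses `.*` between `/usr/lib/oracle/` and `/lib/`, which matches any number of path components. `textrel_shlib_t` is the label that permits a library to carry text relocations, so the pattern should be as narrow as the install layout allows. The nvidia entries in this file bound each component with `[^/]*`; if the Oracle client path has a fixed depth, the same form would fit, for example `/usr/lib/oracle/[^/]+/[^/]+/lib/libnnz10\.so` (depth assumed, to be confirmed against the package). A short `#` comment naming the package that ships the library would also help, since the entry gives no reason for the relaxed label.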
@@ -27434,7 +27439,7 @@
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -102,4 +114,12 @@
+@@ -102,4 +114,10 @@
  	# and executes ldconfig on it.  If you dont allow this kernel installs 
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
@@ -27443,8 +27448,6 @@
 +')
 +
 +optional_policy(`
-+	# run mkinitrd as unconfined user
-+	unconfined_manage_tmp_files(ldconfig_t)
 +	unconfined_domain(ldconfig_t) 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.3.1/policy/modules/system/locallogin.te
@@ -29839,7 +29842,7 @@
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-04-05 07:51:46.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -29934,7 +29937,7 @@
  	')
  
  	allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,7 +612,120 @@
+@@ -589,49 +612,209 @@
  
  ########################################
  ## <summary>
@@ -30053,94 +30056,120 @@
 +########################################
 +## <summary>
 +##	Allow apps to set rlimits on userdomain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_set_rlimitnh',`
++	gen_require(`
++		type unconfined_t;
++	')
++
++	allow $1 unconfined_t:process rlimitinh;
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to read/write to
++##	unconfined with a unix domain stream sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_rw_stream_sockets',`
++	gen_require(`
++		type unconfined_t;
++	')
++
++	allow $1 unconfined_t:unix_stream_socket { read write };
++')
++
++########################################
++## <summary>
++##	Read/write unconfined tmpfs files.
  ## </summary>
++## <desc>
++##	<p>
++##	Read/write unconfined tmpfs files.
++##	</p>
++## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -597,20 +733,18 @@
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_read_home_content_files',`
-+interface(`unconfined_set_rlimitnh',`
++interface(`unconfined_rw_tmpfs_files',`
  	gen_require(`
 -		type unconfined_home_dir_t, unconfined_home_t;
-+		type unconfined_t;
++		type unconfined_tmpfs_t;
  	')
  
 -	files_search_home($1)
 -	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
 -	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 -	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-+	allow $1 unconfined_t:process rlimitinh;
++	fs_search_tmpfs($1)
++	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
++	rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
++	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Read unconfined users temporary files.
-+##	Allow the specified domain to read/write to
-+##	unconfined with a unix domain stream sockets.
++##	Delete unconfined tmpfs files.
  ## </summary>
++## <desc>
++##	<p>
++##	Read/write unconfined tmpfs files.
++##	</p>
++## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -618,31 +752,54 @@
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_read_tmp_files',`
-+interface(`unconfined_rw_stream_sockets',`
++interface(`unconfined_delete_tmpfs_files',`
  	gen_require(`
 -		type unconfined_tmp_t;
-+		type unconfined_t;
++		type unconfined_tmpfs_t;
  	')
  
 -	files_search_tmp($1)
 -	allow $1 unconfined_tmp_t:dir list_dir_perms;
 -	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
 -	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-+	allow $1 unconfined_t:unix_stream_socket { read write };
++	fs_search_tmpfs($1)
++	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
++	delete_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
++	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
  ')
  
  ########################################
  ## <summary>
 -##	Write unconfined users temporary files.
-+##	Read/write unconfined tmpfs files.
++##	Get the process group of unconfined.
  ## </summary>
-+## <desc>
-+##	<p>
-+##	Read/write unconfined tmpfs files.
-+##	</p>
-+## </desc>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -639,10 +822,10 @@
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_write_tmp_files',`
-+interface(`unconfined_rw_tmpfs_files',`
++interface(`unconfined_getpgid',`
  	gen_require(`
 -		type unconfined_tmp_t;
-+		type unconfined_tmpfs_t;
-+	')
-+
-+	fs_search_tmpfs($1)
-+	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
-+	rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
-+	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Get the process group of unconfined.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_getpgid',`
-+	gen_require(`
 +		type unconfined_t;
  	')
  
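Review bot: The new `unconfined_delete_tmpfs_files` interface has the summary "Delete unconfined tmpfs files." but its `<desc>` still reads "Read/write unconfined tmpfs files.", copied from `unconfined_rw_tmpfs_files`; the description line should be `##	Delete unconfined tmpfs files.`. The interface also keeps `read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)`, so callers get symlink read access from an interface named for deletion. Either drop that line or state it in the description. `userdom_delete_user_tmpfs_files` in the userdomain.if hunk below has the same two issues (summary "Unlink user tmpfs files.", description "Read/write user tmpfs files.").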
@@ -30484,7 +30513,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-04 16:27:53.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-05 07:57:03.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -32271,28 +32300,159 @@
  ')
  
  ########################################
-@@ -3254,6 +3357,42 @@
+@@ -3254,24 +3357,24 @@
  ##	</summary>
  ## </param>
  #
+-template(`userdom_rw_user_tmpfs_files',`
 +template(`userdom_read_user_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+ 		type $1_tmpfs_t;
+ 	')
+ 
+ 	fs_search_tmpfs($2)
+ 	allow $2 $1_tmpfs_t:dir list_dir_perms;
+-	rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++	read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ 	read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List users untrusted directories.
++##	Read/write user tmpfs files.
+ ## </summary>
+ ## <desc>
+ ##	<p>
+-##	List users untrusted directories.
++##	Read/write user tmpfs files.
+ ##	</p>
+ ##	<p>
+ ##	This is a templated interface, and should only
+@@ -3290,23 +3393,24 @@
+ ##	</summary>
+ ## </param>
+ #
+-template(`userdom_list_user_untrusted_content',`
++template(`userdom_rw_user_tmpfs_files',`
+ 	gen_require(`
+-		type $1_untrusted_content_t;
 +		type $1_tmpfs_t;
-+	')
-+
+ 	')
+ 
+-	allow $2 $1_untrusted_content_t:dir list_dir_perms;
 +	fs_search_tmpfs($2)
 +	allow $2 $1_tmpfs_t:dir list_dir_perms;
-+	read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++	rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
 +	read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to list user
+-##	untrusted directories.
++##	Unlink user tmpfs files.
+ ## </summary>
+ ## <desc>
+ ##	<p>
+-##	Do not audit attempts to read user
+-##	untrusted directories.
++##	Read/write user tmpfs files.
+ ##	</p>
+ ##	<p>
+ ##	This is a templated interface, and should only
+@@ -3321,25 +3425,28 @@
+ ## </param>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-template(`userdom_dontaudit_list_user_untrusted_content',`
++template(`userdom_delete_user_tmpfs_files',`
+ 	gen_require(`
+-		type $1_untrusted_content_t;
++		type $1_tmpfs_t;
+ 	')
+ 
+-	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
++	fs_search_tmpfs($2)
++	allow $2 $1_tmpfs_t:dir list_dir_perms;
++	delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++	read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read user untrusted files.
++##	List users untrusted directories.
+ ## </summary>
+ ## <desc>
+ ##	<p>
+-##	Read user untrusted files.
++##	List users untrusted directories.
+ ##	</p>
+ ##	<p>
+ ##	This is a templated interface, and should only
+@@ -3358,18 +3465,86 @@
+ ##	</summary>
+ ## </param>
+ #
+-template(`userdom_read_user_untrusted_content_files',`
++template(`userdom_list_user_untrusted_content',`
+ 	gen_require(`
+ 		type $1_untrusted_content_t;
+ 	')
+ 
+ 	allow $2 $1_untrusted_content_t:dir list_dir_perms;
+-	read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage user untrusted files.
++##	Do not audit attempts to list user
++##	untrusted directories.
++## </summary>
++## <desc>
++##	<p>
++##	Do not audit attempts to read user
++##	untrusted directories.
++##	</p>
++##	<p>
++##	This is a templated interface, and should only
++##	be called from a per-userdomain template.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++template(`userdom_dontaudit_list_user_untrusted_content',`
++	gen_require(`
++		type $1_untrusted_content_t;
++	')
++
++	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read/write user tmpfs files.
++##	Read user untrusted files.
 +## </summary>
 +## <desc>
 +##	<p>
-+##	Read/write user tmpfs files.
++##	Read user untrusted files.
 +##	</p>
 +##	<p>
 +##	This is a templated interface, and should only
@@ -32311,10 +32471,22 @@
 +##	</summary>
 +## </param>
 +#
- template(`userdom_rw_user_tmpfs_files',`
- 	gen_require(`
- 		type $1_tmpfs_t;
-@@ -4231,11 +4370,11 @@
++template(`userdom_read_user_untrusted_content_files',`
++	gen_require(`
++		type $1_untrusted_content_t;
++	')
++
++	allow $2 $1_untrusted_content_t:dir list_dir_perms;
++	read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
++')
++
++########################################
++## <summary>
++##	Manage user untrusted files.
+ ## </summary>
+ ## <desc>
+ ##      <p>
+@@ -4231,11 +4406,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -32328,7 +32500,7 @@
  ')
  
  ########################################
-@@ -4251,10 +4390,10 @@
+@@ -4251,10 +4426,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -32341,7 +32513,7 @@
  ')
  
  ########################################
-@@ -4270,11 +4409,11 @@
+@@ -4270,11 +4445,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -32355,7 +32527,7 @@
  ')
  
  ########################################
-@@ -4289,16 +4428,16 @@
+@@ -4289,16 +4464,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -32375,7 +32547,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4446,27 @@
+@@ -4307,12 +4482,27 @@
  ##	</summary>
  ## </param>
  #
@@ -32406,7 +32578,7 @@
  ')
  
  ########################################
-@@ -4327,13 +4481,13 @@
+@@ -4327,13 +4517,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -32424,7 +32596,7 @@
  ')
  
  ########################################
-@@ -4531,10 +4685,10 @@
+@@ -4531,10 +4721,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -32437,7 +32609,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4705,10 @@
+@@ -4551,10 +4741,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -32450,7 +32622,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4723,10 @@
+@@ -4569,10 +4759,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -32463,7 +32635,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4742,10 @@
+@@ -4588,10 +4778,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -32476,7 +32648,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4760,10 @@
+@@ -4606,10 +4796,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -32489,7 +32661,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4779,10 @@
+@@ -4625,10 +4815,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -32502,7 +32674,7 @@
  ')
  
  ########################################
-@@ -4644,12 +4798,11 @@
+@@ -4644,12 +4834,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -32518,7 +32690,7 @@
  ')
  
  ########################################
-@@ -4676,10 +4829,10 @@
+@@ -4676,10 +4865,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -32531,7 +32703,7 @@
  ')
  
  ########################################
-@@ -4694,10 +4847,10 @@
+@@ -4694,10 +4883,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -32544,7 +32716,7 @@
  ')
  
  ########################################
-@@ -4712,13 +4865,13 @@
+@@ -4712,13 +4901,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -32562,7 +32734,7 @@
  ')
  
  ########################################
-@@ -4754,11 +4907,49 @@
+@@ -4754,11 +4943,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -32613,7 +32785,7 @@
  ')
  
  ########################################
-@@ -4778,6 +4969,14 @@
+@@ -4778,6 +5005,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -32628,7 +32800,7 @@
  ')
  
  ########################################
-@@ -4839,6 +5038,26 @@
+@@ -4839,6 +5074,26 @@
  
  ########################################
  ## <summary>
@@ -32655,7 +32827,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5078,25 @@
+@@ -4859,6 +5114,25 @@
  
  ########################################
  ## <summary>
@@ -32681,7 +32853,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5117,26 @@
+@@ -4879,6 +5153,26 @@
  
  ########################################
  ## <summary>
@@ -32708,7 +32880,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5373,7 @@
+@@ -5115,7 +5409,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -32717,7 +32889,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5562,50 @@
+@@ -5304,6 +5598,50 @@
  
  ########################################
  ## <summary>
@@ -32768,7 +32940,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +5811,42 @@
+@@ -5509,6 +5847,42 @@
  
  ########################################
  ## <summary>
@@ -32811,11 +32983,34 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5674,6 +6012,42 @@
+@@ -5674,7 +6048,7 @@
  
  ########################################
  ## <summary>
+-##	Send a dbus message to all user domains.
 +##	Manage keys for all user domains.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5682,18 +6056,54 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dbus_send_all_users',`
++interface(`userdom_manage_all_users_keys',`
+ 	gen_require(`
+ 		attribute userdomain;
+-		class dbus send_msg;
+ 	')
+ 
+-	allow $1 userdomain:dbus send_msg;
++	allow $1 userdomain:key manage_key_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to user domains.  (Deprecated)
++##	dontaudit search keys for all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -32823,17 +33018,17 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_all_users_keys',`
++interface(`userdom_dontaudit_search_all_users_keys',`
 +	gen_require(`
 +		attribute userdomain;
 +	')
 +
-+	allow $1 userdomain:key manage_key_perms;
++	dontaudit $1 userdomain:key search;
 +')
 +
 +########################################
 +## <summary>
-+##	dontaudit search keys for all user domains.
++##	Send a dbus message to all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -32841,20 +33036,22 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_search_all_users_keys',`
++interface(`userdom_dbus_send_all_users',`
 +	gen_require(`
 +		attribute userdomain;
++		class dbus send_msg;
 +	')
 +
-+	dontaudit $1 userdomain:key search;
++	allow $1 userdomain:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
- ##	Send a dbus message to all user domains.
++##	Unconfined access to user domains.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6078,370 @@
+ ##	<summary>
+@@ -5704,3 +6114,370 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')



