[selinux-policy] * Tue Apr 1 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-42 - Merge user_tmp_t and user_tmpfs_t tog

Miroslav Grepl mgrepl at fedoraproject.org
Tue Apr 1 10:33:28 UTC 2014


commit 33665e5aa5e5b103b0be3982236518b332120b40
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Apr 1 12:33:30 2014 +0200

    * Tue Apr 1 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-42
    - Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t

 policy-rawhide-base-user_tmp.patch    |  883 +++++++++++++++++++++++++++++++++
 policy-rawhide-base.patch             |   72 ++--
 policy-rawhide-contrib-user_tmp.patch |  252 ++++++++++
 policy-rawhide-contrib.patch          |  123 +++--
 selinux-policy.spec                   |    9 +-
 5 files changed, 1258 insertions(+), 81 deletions(-)
---
diff --git a/policy-rawhide-base-user_tmp.patch b/policy-rawhide-base-user_tmp.patch
new file mode 100644
index 0000000..a7f20f6
--- /dev/null
+++ b/policy-rawhide-base-user_tmp.patch
@@ -0,0 +1,883 @@
+diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
+index 32514ee..91a6a37 100644
+--- a/policy/modules/admin/bootloader.te
++++ b/policy/modules/admin/bootloader.te
+@@ -154,7 +154,7 @@ modutils_domtrans_insmod(bootloader_t)
+ seutil_read_bin_policy(bootloader_t)
+ seutil_read_loadpolicy(bootloader_t)
+ 
+-userdom_getattr_user_tmpfs_files(bootloader_t)
++userdom_getattr_user_tmp_files(bootloader_t)
+ userdom_use_inherited_user_terminals(bootloader_t)
+ userdom_dontaudit_search_user_home_dirs(bootloader_t)
+ 
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index ae94e80..4d3b6b0 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -5199,6 +5199,7 @@ interface(`files_search_tmp',`
+ 		type tmp_t;
+ 	')
+ 
++    fs_search_tmpfs($1)
+ 	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ 	allow $1 tmp_t:dir search_dir_perms;
+ ')
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index a3fe7f6..13a745c 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -33,7 +33,6 @@ gen_tunable(unconfined_login, true)
+ userdom_base_user_template(unconfined)
+ userdom_manage_home_role(unconfined_r, unconfined_t)
+ userdom_manage_tmp_role(unconfined_r, unconfined_t)
+-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+ userdom_unpriv_type(unconfined_t)
+ 
+ type unconfined_exec_t;
+diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
+index e8dcfa7..eb9cefe 100644
+--- a/policy/modules/services/ssh.if
++++ b/policy/modules/services/ssh.if
+@@ -219,8 +219,9 @@ template(`ssh_server_template',`
+ 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ 	term_create_pty($1_t, $1_devpts_t)
+ 
+-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++	#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++	#fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++    userdom_manage_tmp_role(system_r, sshd_t)
+ 
+ 	allow $1_t $1_var_run_t:file manage_file_perms;
+ 	files_pid_filetrans($1_t, $1_var_run_t, file)
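Review bot: `userdom_manage_tmp_role(system_r, sshd_t)` is placed inside `ssh_server_template`, which is parameterized on `$1`, so every instantiation of the template grants the hard-coded `sshd_t` instead of the instance being defined; it should read `userdom_manage_tmp_role(system_r, $1_t)`, or stay in ssh.te where the same line is merely commented out by this patch. Commenting out the `$1_tmpfs_t` manage and filetrans rules rather than deleting them leaves dead text, and if `$1_tmpfs_t` is still declared elsewhere in the template (outside this hunk) a comment should state what now labels that domain's tmpfs content. The template body continues outside the hunk.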
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index a8b01bf..fc87b9e 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -89,7 +89,7 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+ type ssh_tmpfs_t;
+ typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+ typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+-userdom_user_tmpfs_file(ssh_tmpfs_t)
++userdom_user_tmp_file(ssh_tmpfs_t)
+ 
+ type ssh_home_t;
+ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+@@ -127,7 +127,7 @@ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+-fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ 
+ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
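Review bot: With `fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, ...)` commented out, nothing visible in this file transitions ssh_t's tmpfs objects to `ssh_tmpfs_t` any more, yet the four `manage_*_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)` rules above it are kept; either the label is assigned somewhere not shown here, or those rules are now dead and ssh_t's tmpfs files fall back to the default tmpfs label. Delete the line instead of commenting it out and record the intent, e.g. `# ssh_tmpfs_t is a user_tmp_t-style type; ssh_t tmpfs content is now labelled by the user tmp filetrans`, or restore a transition so the manage rules still apply to something.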
+@@ -292,7 +292,7 @@ auth_exec_login_program(sshd_t)
+ 
+ userdom_read_user_home_content_files(sshd_t)
+ userdom_read_user_home_content_symlinks(sshd_t)
+-userdom_manage_tmp_role(system_r, sshd_t)
++#userdom_manage_tmp_role(system_r, sshd_t)
+ userdom_spec_domtrans_unpriv_users(sshd_t)
+ userdom_signal_unpriv_users(sshd_t)
+ userdom_dyntransition_unpriv_users(sshd_t)
+diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
+index 4dda124..4eee56a 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -76,10 +76,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
+ # /tmp
+ #
+ 
+-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
++/tmp/\.font-unix(/.*)?      gen_context(system_u:object_r:user_fonts_t,s0)
+ 
+ #
+ # /usr
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index bf98136..2469c27 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -220,7 +220,7 @@ interface(`xserver_non_drawing_client',`
+ interface(`xserver_user_client',`
+ 	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ 	gen_require(`
+-		type xdm_t, xdm_tmp_t;
++		type xdm_t;
+ 		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ 	')
+ 
+@@ -235,8 +235,8 @@ interface(`xserver_user_client',`
+ 	# for when /tmp/.X11-unix is created by the system
+ 	allow $1 xdm_t:fd use;
+ 	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
+-	allow $1 xdm_tmp_t:sock_file { read write };
++    userdom_search_user_tmp_dirs($1)
++    userdom_rw_user_tmp_sock_files($1)
+ 	dontaudit $1 xdm_t:tcp_socket { read write };
+ 
+ 	# Allow connections to X server.
+@@ -395,7 +395,7 @@ template(`xserver_object_types_template',`
+ #
+ template(`xserver_user_x_domain_template',`
+ 	gen_require(`
+-		type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++		type xdm_t, xserver_tmpfs_t;
+ 		type xdm_home_t;
+ 		type xauth_home_t, iceauth_home_t, xserver_t;
+ 	')
+@@ -413,8 +413,8 @@ template(`xserver_user_x_domain_template',`
+ 	# for when /tmp/.X11-unix is created by the system
+ 	allow $2 xdm_t:fd use;
+ 	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+-	allow $2 xdm_tmp_t:dir search_dir_perms;
+-	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++    userdom_search_user_tmp_dirs($2)
++    userdom_rw_user_tmp_sock_files($2)
+ 	dontaudit $2 xdm_t:tcp_socket { read write };
+ 
+ 	# Allow connections to X server.
+@@ -429,7 +429,7 @@ template(`xserver_user_x_domain_template',`
+ 	xserver_ro_session($2, $3)
+ 	xserver_use_user_fonts($2)
+ 
+-	xserver_read_xdm_tmp_files($2)
++    userdom_read_user_tmp_files($2)
+ 	xserver_read_xdm_pid($2)
+ 	xserver_xdm_append_log($2)
+ 
+@@ -817,12 +817,13 @@ interface(`xserver_manage_xdm_spool_files',`
+ #
+ interface(`xserver_stream_connect_xdm',`
+ 	gen_require(`
+-		type xdm_t, xdm_tmp_t, xdm_var_run_t;
++		type xdm_t, xdm_var_run_t;
+ 	')
+ 
+ 	files_search_tmp($1)
+ 	files_search_pids($1)
+-	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++	stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
++    userdom_stream_connect($1)
+ ')
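Review bot: The dropped `xdm_tmp_t` half of `stream_connect_pattern` let `$1` connect to `xdm_t` through its socket under /tmp (now labelled `user_tmp_t` by the fc change in this patch), and the replacement `userdom_stream_connect($1)` is a userdomain interface whose target domain is not visible here; if it only grants connectto towards user domains and not `xdm_t`, connections to the display manager's /tmp socket are silently lost. Unless that interface is known to cover `xdm_t`, keep the explicit form: add `user_tmp_t` to the gen_require and write `stream_connect_pattern($1, { user_tmp_t xdm_var_run_t }, { user_tmp_t xdm_var_run_t }, xdm_t)`.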
+ 
+ ########################################
+@@ -934,12 +935,8 @@ interface(`xserver_read_xdm_rw_config',`
+ ## </param>
+ #
+ interface(`xserver_search_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	files_search_tmp($1)
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
++    userdom_search_user_tmp_dirs($1)
+ ')
+ 
+ ########################################
+@@ -953,11 +950,8 @@ interface(`xserver_search_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_setattr_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:dir setattr_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++    userdom_dontaudit_setattr_user_tmp($1)
+ ')
+ 
+ ########################################
+@@ -971,11 +965,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_dontaudit_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++    userdom_dontaudit_setattr_user_tmp($1)
+ ')
+ 
+ ########################################
+@@ -990,13 +981,8 @@ interface(`xserver_dontaudit_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_create_xdm_tmp_sockets',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	files_search_tmp($1)
+-	allow $1 xdm_tmp_t:dir list_dir_perms;
+-	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
++    userdom_create_user_tmp_sockets($1)
+ ')
+ 
+ ########################################
+@@ -1317,12 +1303,8 @@ interface(`xserver_manage_xdm_etc_files',`
+ ## </param>
+ #
+ interface(`xserver_read_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	files_search_tmp($1)
+-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
++    userdom_read_user_tmpfs_files($1)
+ ')
+ 
+ ########################################
+@@ -1336,12 +1318,8 @@ interface(`xserver_read_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+-	dontaudit $1 xdm_tmp_t:file read_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
++    userdom_dontaudit_read_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -1355,12 +1333,8 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_rw_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:dir search_dir_perms;
+-	allow $1 xdm_tmp_t:file rw_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
++    userdom_rw_user_tmpfs_files($1)
+ ')
+ 
+ ########################################
+@@ -1374,11 +1348,8 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_manage_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
++    userdom_manage_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -1392,11 +1363,8 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ## </param>
+ #
+ interface(`xserver_relabel_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:dir relabel_dir_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
++    userdom_relabel_user_tmp_dirs($1)
+ ')
+ 
+ ########################################
+@@ -1410,11 +1378,8 @@ interface(`xserver_relabel_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_manage_xdm_tmp_dirs',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
++    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
++    userdom_manage_user_tmp_dirs($1)
+ ')
+ 
+ ########################################
+@@ -1429,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_dirs',`
+ ## </param>
+ #
+ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
++    usedom_dontaudit_user_getattr_tmp_sockets($1)
+ ')
+ 
+ ########################################
+@@ -1946,11 +1908,8 @@ interface(`xserver_xdm_ioctl_log',`
+ ## </param>
+ #
+ interface(`xserver_append_xdm_tmp_files',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	allow $1 xdm_tmp_t:file append_inherited_file_perms;
++    refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
++    userdom_append_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -2296,12 +2255,8 @@ interface(`xserver_filetrans_admin_home_content',`
+ ## </param>
+ #
+ interface(`xserver_xdm_tmp_filetrans',`
+-	gen_require(`
+-		type xdm_tmp_t;
+-	')
+-
+-	filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
+-	files_search_tmp($1)
++    refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
++    userdom_user_tmp_filetrans($1,$2, $3, $4)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 2a244f6..2f471b4 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -231,12 +231,6 @@ files_type(xserver_var_lib_t)
+ type xserver_var_run_t;
+ files_pid_file(xserver_var_run_t)
+ 
+-type xdm_tmp_t;
+-files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+-typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+-userdom_user_tmp_file(xserver_tmp_t)
+-
+ type xdm_tmpfs_t;
+ files_tmpfs_file(xdm_tmpfs_t)
+ 
+@@ -264,7 +258,7 @@ files_config_file(xserver_etc_t)
+ type xserver_tmpfs_t;
+ typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+ typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
+-userdom_user_tmpfs_file(xserver_tmpfs_t)
++userdom_user_tmp_file(xserver_tmpfs_t)
+ 
+ type xsession_exec_t;
+ corecmd_executable_file(xsession_exec_t)
+@@ -470,14 +464,8 @@ read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+ 
+-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+-relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-can_exec(xdm_t, xdm_tmp_t)
++userdom_manage_all_user_tmp_content(xdm_t)
++userdom_exec_user_tmp_files(xdm_t)
+ 
+ manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
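Review bot: `userdom_manage_all_user_tmp_content(xdm_t)` grants xdm_t create/unlink/rename over every type carrying the `user_tmp_type` attribute, whereas the removed rules were scoped to xdm's own `xdm_tmp_t`; the display manager runs privileged before any session exists, so this widens what a compromised xdm can do to every user's /tmp and, after the tmpfs merge in this patch, their tmpfs content. If the broader grant is intended, a comment explaining why `user_tmp_t` alone is not enough would help, and the dropped `relabelfrom_*_pattern` rules should be confirmed as covered by the new interface. Note also that this patch defines `userdom_execute_user_tmp_files`, not `userdom_exec_user_tmp_files`; unless the latter already exists in userdomain.if this line will not build, and if both exist the near-duplicate names should be collapsed.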
+@@ -697,7 +685,7 @@ userdom_stream_connect(xdm_t)
+ userdom_manage_user_tmp_dirs(xdm_t)
+ userdom_manage_user_tmp_files(xdm_t)
+ userdom_manage_user_tmp_sockets(xdm_t)
+-userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_manage_tmp_role(system_r, xdm_t)
+ 
+ #userdom_home_manager(xdm_t)
+ tunable_policy(`xdm_write_home',`
+@@ -1347,9 +1335,8 @@ dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
+ read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+ 
+ # Label pid and temporary files with derived types.
+-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
++userdom_manage_user_tmp_files(xserver_t)
++userdom_manage_user_tmp_sockets(xserver_t)
+ 
+ # Run xkbcomp.
+ allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
+@@ -1589,7 +1576,6 @@ manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
+ 
+ stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
+-dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms;
+ files_search_tmp(x_userdomain)
+ 
+ # Communicate via System V shared memory.
+@@ -1616,10 +1602,9 @@ allow x_userdomain xauth_home_t:file read_file_perms;
+ # for when /tmp/.X11-unix is created by the system
+ allow x_userdomain xdm_t:fd use;
+ allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
+-allow x_userdomain xdm_tmp_t:dir search_dir_perms;
+-allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++userdom_search_user_tmp_dirs(x_userdomain)
++userdom_rw_user_tmp_sock_files(x_userdomain)
+ dontaudit x_userdomain xdm_t:tcp_socket { read write };
+-dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms;
+ 
+ allow x_userdomain xdm_t:dbus send_msg;
+ allow xdm_t  x_userdomain:dbus send_msg;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index cdc1c76..b446ca4 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -552,7 +552,7 @@ logging_manage_all_logs(syslogd_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+ userdom_search_user_home_dirs(syslogd_t)
+-userdom_rw_inherited_user_tmpfs_files(syslogd_t)
++userdom_rw_inherited_user_tmp_files(syslogd_t)
+ 
+ ifdef(`distro_gentoo',`
+ 	# default gentoo syslog-ng config appends kernel
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 00b82b3..9933cad 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -413,7 +413,7 @@ allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
+ manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+ manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+ fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
+-userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++userdom_rw_user_tmp_files(mount_ecryptfs_t)
+ 
+ domain_use_interactive_fds(mount_ecryptfs_t)
+ 
+diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
+index e4eb903..7ef6be3 100644
+--- a/policy/modules/system/userdomain.fc
++++ b/policy/modules/system/userdomain.fc
+@@ -21,4 +21,10 @@ HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
+ HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
+ HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
+ 
++/tmp/\.X0-lock		--	gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
++
++
++
+ /var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index b921b57..38df377 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -420,6 +420,7 @@ interface(`userdom_manage_tmp_role',`
+ 	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ 	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++    fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ 	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ 	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+ 	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+@@ -427,8 +428,6 @@ interface(`userdom_manage_tmp_role',`
+ 	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ ')
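Review bot: The added `fs_tmpfs_filetrans($2, user_tmp_t, ...)` is the line that makes every object a user domain creates on any tmpfs (including /dev/shm) carry the same `user_tmp_t` label as its /tmp files, so every existing grant of `userdom_rw_user_tmp_files` or `userdom_read_user_tmp_files` to a system domain now also reaches the user's shared-memory segments. That consequence is worth stating next to the rule, e.g. `# tmpfs and /tmp content share user_tmp_t: any user_tmp_t grant now covers shm as well`. The new line uses spaces where the surrounding block uses tabs.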
+ 
+-
+-
+ #######################################
+ ## <summary>
+ ##	Dontaudit search of user bin dirs.
+@@ -534,24 +533,8 @@ interface(`userdom_manage_tmpfs_files',`
+ ## <rolecap/>
+ #
+ interface(`userdom_manage_tmpfs_role',`
+-	gen_require(`
+-		attribute user_tmpfs_type;
+-		type user_tmpfs_t;
+-	')
+-
+-	role $1 types user_tmpfs_t;
+-
+-	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+-	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
++    userdom_manage_tmp_role($1,$2)
+ ')
+ 
+ #######################################
+@@ -994,7 +977,6 @@ template(`userdom_login_user_template', `
+ 	userdom_manage_home_role($1_r, $1_t)
+ 
+ 	userdom_manage_tmp_role($1_r, $1_usertype)
+-	userdom_manage_tmpfs_role($1_r, $1_usertype)
+ 
+ 	ifelse(`$1',`unconfined',`',`
+ 		gen_tunable($1_exec_content, true)
+@@ -1839,8 +1821,8 @@ interface(`userdom_user_tmp_file',`
+ ## </param>
+ #
+ interface(`userdom_user_tmpfs_file',`
+-	files_tmpfs_file($1)
+-	ubac_constrained($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
++    userdom_user_tmp_file($1)
+ ')
+ 
+ ########################################
+@@ -1878,14 +1860,8 @@ interface(`userdom_user_tmp_content',`
+ ## </param>
+ #
+ interface(`userdom_user_tmpfs_content',`
+-	gen_require(`
+-		attribute user_tmpfs_type;
+-	')
+-
+-	typeattribute $1 user_tmpfs_type;
+-
+-	files_tmpfs_file($1)
+-	ubac_constrained($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
++    userdom_user_tmp_content($1)
+ ')
+ 
+ ########################################
+@@ -2400,6 +2376,43 @@ interface(`userdom_setattr_user_tmp_files',`
+ 
+ ########################################
+ ## <summary>
++##	Create a user tmp sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_create_user_tmp_sockets',`
++    gen_require(`
++        type user_tmp_t;
++    ')
++
++    files_search_tmp($1)
++    allow $1 user_tmp_t:dir list_dir_perms;
++    create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++## <summary>
++##	Dontaudit getattr on user tmp sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++    gen_require(`
++        type user_tmp_t;
++    ')
++    dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Relabel user tmp files.
+ ## </summary>
+ ## <param name="domain">
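Review bot: The new interface name `usedom_dontaudit_user_getattr_tmp_sockets` contains a typo (`usedom`) and puts `user` before the action, unlike every other interface in this file; it should be declared as `userdom_dontaudit_getattr_user_tmp_sockets` and the xserver.if caller updated to match. The summary `Create a user tmp sockets.` should read `Create user tmp sockets.`, and the body of the dontaudit interface is missing the blank line after `gen_require` that the other interfaces keep.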
+@@ -2416,6 +2429,26 @@ interface(`userdom_relabel_user_tmp_files',`
+ 
+ 	allow $1 user_tmp_t:file relabel_file_perms;
+ ')
++
++########################################
++## <summary>
++##	Relabel user tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_relabel_user_tmp_dirs',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:dir relabel_dir_perms;
++')
++
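Review bot: The summary of the new `userdom_relabel_user_tmp_dirs` was copied from the files variant and still says `Relabel user tmp files.`; since the rule is `allow $1 user_tmp_t:dir relabel_dir_perms;` it should read `Relabel user tmp directories.` so that interface listings and the deprecation warnings pointing here are not misleading.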
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to set the
+@@ -3068,6 +3101,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
++interface(`userdom_getattr_user_tmp_files',`
++	gen_require(`
++		attribute user_tmp_type;
++	')
++
++	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++	files_search_tmp($1)
++')
++
++########################################
++## <summary>
++##	Read user temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
+ interface(`userdom_read_user_tmp_files',`
+ 	gen_require(`
+ 		attribute user_tmp_type;
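Review bot: `userdom_getattr_user_tmp_files` is inserted between an existing documentation header (the `</summary>`/`</param>` context at the top of the hunk, which presumably described `userdom_read_user_tmp_files`) and the interface that header was written for, so the getattr interface now inherits a summary that does not describe it while the read interface gets a freshly added one. Give the new interface its own header, e.g. `## Get the attributes of user temporary files.` with the usual `<param name="domain">` block, placed immediately above `interface(`userdom_getattr_user_tmp_files',`.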
+@@ -3080,6 +3132,23 @@ interface(`userdom_read_user_tmp_files',`
+ 
+ ########################################
+ ## <summary>
++##	Read user temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_append_user_tmp_files',`
++    gen_require(`
++        type user_tmp_t;
++    ')
++    allow $1 user_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read users
+ ##	temporary files.
+ ## </summary>
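Review bot: The header for the new `userdom_append_user_tmp_files` says `Read user temporary files.`, but the rule is `allow $1 user_tmp_t:file append_inherited_file_perms;`, which is append-only on already-open descriptors and grants no directory search. Change the summary to `Append to inherited user temporary files.` so callers do not expect read access or the ability to open the files themselves.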
+@@ -3135,6 +3204,25 @@ interface(`userdom_rw_user_tmp_files',`
+ 	rw_files_pattern($1, user_tmp_t, user_tmp_t)
+ 	files_search_tmp($1)
+ ')
++########################################
++## <summary>
++##	Read and write user temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_user_tmp_sock_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:dir list_dir_perms;
++    allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
++	files_search_tmp($1)
++')
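Review bot: `userdom_rw_user_tmp_sock_files` grants `user_tmp_t:dir list_dir_perms`, but the xserver.if and xserver.te rules it replaces in this patch only gave `xdm_tmp_t:dir search_dir_perms`, so every X client domain now also gets to list the contents of every user's user_tmp_t directories; `search_dir_perms` plus `files_search_tmp($1)` preserves the original scope. The summary `Read and write user temporary files.` is also wrong for a sock_file interface and should read `Read and write inherited user temporary socket files.`.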
+ 
+ ########################################
+ ## <summary>
+@@ -3352,12 +3440,8 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ## </param>
+ #
+ interface(`userdom_getattr_user_tmpfs_files',`
+-    gen_require(`
+-        type user_tmpfs_t;
+-    ')
+-
+-    getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-    fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++    userdom_getattr_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3371,14 +3455,8 @@ interface(`userdom_getattr_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_read_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	allow $1 user_tmpfs_t:dir list_dir_perms;
+-	fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
++    userdom_read_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3392,14 +3470,8 @@ interface(`userdom_read_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_rw_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+-	allow $1 user_tmpfs_t:dir list_dir_perms;
+-	fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
++    userdom_rw_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3413,11 +3485,8 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_rw_inherited_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	allow $1 user_tmpfs_t:file rw_inherited_file_perms;
++    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
++    userdom_rw_inherited_user_tmp_files($1)
+ ')
+ 
+ ########################################
+@@ -3431,11 +3500,26 @@ interface(`userdom_rw_inherited_user_tmpfs_files',`
+ ## </param>
+ #
+ interface(`userdom_execute_user_tmpfs_files',`
++    refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
++    userdom_execute_user_tmp_files($1)
++')
++
++########################################
++## <summary>
++##	Execute user tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_execute_user_tmp_files',`
+ 	gen_require(`
+-		type user_tmpfs_t;
++		type user_tmp_t;
+ 	')
+ 
+-	allow $1 user_tmpfs_t:file execute;
++	allow $1 user_tmp_t:file execute;
+ ')
+ 
+ ########################################
+@@ -5188,16 +5272,8 @@ interface(`userdom_list_all_user_tmp_content',`
+ ## </param>
+ #
+ interface(`userdom_manage_all_user_tmpfs_content',`
+-	gen_require(`
+-		attribute user_tmpfs_type;
+-	')
+-
+-	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+-	fs_search_tmpfs($1)
++    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')    
++    userdom_manage_all_user_tmp_content($1)
+ ')
+ 
+ ########################################
+@@ -5411,11 +5487,8 @@ interface(`userdom_dontaudit_setattr_user_tmp',`
+ ## </param>
+ #
+ interface(`userdom_dontaudit_setattr_user_tmpfs',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	dontaudit $1 user_tmpfs_t:file setattr;
++    refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
++    userdom_dontaudit_setattr_user_tmp($1)
+ ')
+ 
+ ########################################
+@@ -5519,11 +5592,8 @@ interface(`userdom_delete_user_tmp_files',`
+ ## </param>
+ #
+ interface(`userdom_delete_user_tmpfs_files',`
+-	gen_require(`
+-		type user_tmpfs_t;
+-	')
+-
+-	allow $1 user_tmpfs_t:file delete_file_perms;
++    refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
++    userdom_delete_user_tmpfs_files($1)
+ ')
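Review bot: `userdom_delete_user_tmpfs_files` now calls itself — the warning names `userdom_delete_user_tmpfs_files` as its own replacement and the body invokes the same macro — so any remaining caller will recurse in m4 until the build aborts instead of ever producing a rule. The surviving interface is `userdom_delete_user_tmp_files` (visible in this hunk's context line); change the two lines to `refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmp_files instead.')` and `userdom_delete_user_tmp_files($1)`.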
+ 
+ ########################################
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 7283238..6cc7d53 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -97,19 +97,18 @@ dev_node(user_devpts_t)
+ files_type(user_devpts_t)
+ ubac_constrained(user_devpts_t)
+ 
+-type user_tmp_t, user_tmp_type;
++type user_tmp_t, user_tmp_type, user_tmpfs_type;
+ typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
++typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
++typealias user_tmp_t alias xdm_tmp_t;
++typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+ files_tmp_file(user_tmp_t)
++files_tmpfs_file(user_tmp_t)
+ userdom_user_home_content(user_tmp_t)
+ files_poly_parent(user_tmp_t)
+ files_mountpoint(user_tmp_t)
+ 
+-type user_tmpfs_t, user_tmpfs_type;
+-typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+-files_tmpfs_file(user_tmpfs_t)
+-userdom_user_home_content(user_tmpfs_t)
+-
+ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+ dev_node(user_tty_device_t)
+ ubac_constrained(user_tty_device_t)
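Review bot: Making `xdm_tmp_t` and `xserver_tmp_t` plain aliases of `user_tmp_t` removes the label boundary between the display manager's /tmp/.X11-unix, /tmp/.ICE-unix and /tmp/.X0-lock and ordinary user temp files; every login user gets `userdom_manage_tmp_role`, i.e. create/unlink/rename on user_tmp_type, so at the SELinux layer one user domain can now remove or replace another user's X socket or the lock file, with only DAC (the sticky bit on those directories) left to stop it. Adding `user_tmpfs_type` and `files_tmpfs_file(user_tmp_t)` likewise folds tmpfs and shared-memory content into the same type, so each existing user_tmp_t grant silently extends to it. If that is the accepted trade-off, record it at the declaration, e.g. `# user_tmp_t covers /tmp, tmpfs and the former xdm_tmp_t/xserver_tmp_t objects; per-user separation now rests on UBAC/DAC only`, and confirm that `userdom_user_home_content(user_tmp_t)` still applies the UBAC constraint the removed `user_tmpfs_t` relied on.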
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e709893..5053e10 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -22663,7 +22663,7 @@ index cc877c7..a8b01bf 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..522a2f0 100644
+index 8274418..4dda124 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -22766,12 +22766,13 @@ index 8274418..522a2f0 100644
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,18 +130,31 @@ ifndef(`distro_debian',`
+@@ -92,18 +130,32 @@ ifndef(`distro_debian',`
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 -/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 +/var/lib/lightdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm-data(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 +/var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 +/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
@@ -22802,7 +22803,7 @@ index 8274418..522a2f0 100644
  /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -112,6 +163,16 @@ ifndef(`distro_debian',`
+@@ -112,6 +164,16 @@ ifndef(`distro_debian',`
  /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
  
@@ -24472,7 +24473,7 @@ index 6bf0ecc..bf98136 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..95dde04 100644
+index 8b40377..2a244f6 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,59 @@ gen_require(`
@@ -24723,7 +24724,7 @@ index 8b40377..95dde04 100644
  ')
  
  ########################################
-@@ -248,48 +324,90 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +324,91 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -24786,6 +24787,7 @@ index 8b40377..95dde04 100644
 +userdom_use_inherited_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
 +userdom_read_all_users_state(xauth_t)
++userdom_search_user_home_dirs(xauth_t)
 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
@@ -24825,7 +24827,7 @@ index 8b40377..95dde04 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +418,109 @@ optional_policy(`
+@@ -300,64 +419,109 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -24945,7 +24947,7 @@ index 8b40377..95dde04 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +529,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +530,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -24978,7 +24980,7 @@ index 8b40377..95dde04 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +562,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +563,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -25032,7 +25034,7 @@ index 8b40377..95dde04 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +615,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +616,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -25061,7 +25063,7 @@ index 8b40377..95dde04 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +645,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +646,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25110,7 +25112,7 @@ index 8b40377..95dde04 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +692,149 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +693,153 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -25200,6 +25202,10 @@ index 8b40377..95dde04 100644
 +')
 +
 +optional_policy(`
++    remotelogin_signull(xdm_t)
++')
++
++optional_policy(`
 +	spamassassin_filetrans_home_content(xdm_t)
 +	spamassassin_filetrans_admin_home_content(xdm_t)
 +')
@@ -25266,7 +25272,7 @@ index 8b40377..95dde04 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -503,11 +848,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +853,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -25293,7 +25299,7 @@ index 8b40377..95dde04 100644
  ')
  
  optional_policy(`
-@@ -517,9 +877,34 @@ optional_policy(`
+@@ -517,9 +882,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
@@ -25329,7 +25335,7 @@ index 8b40377..95dde04 100644
  	')
  ')
  
-@@ -530,6 +915,20 @@ optional_policy(`
+@@ -530,6 +920,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25350,7 +25356,7 @@ index 8b40377..95dde04 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +946,78 @@ optional_policy(`
+@@ -547,28 +951,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25438,7 +25444,7 @@ index 8b40377..95dde04 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1029,14 @@ optional_policy(`
+@@ -580,6 +1034,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25453,7 +25459,7 @@ index 8b40377..95dde04 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1051,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -25462,7 +25468,7 @@ index 8b40377..95dde04 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1061,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -25475,7 +25481,7 @@ index 8b40377..95dde04 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1078,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -25491,7 +25497,7 @@ index 8b40377..95dde04 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1094,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -25502,7 +25508,7 @@ index 8b40377..95dde04 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1109,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -25539,7 +25545,7 @@ index 8b40377..95dde04 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1155,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -25571,7 +25577,7 @@ index 8b40377..95dde04 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -705,6 +1188,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
  
@@ -25586,7 +25592,7 @@ index 8b40377..95dde04 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1209,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1214,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -25610,7 +25616,7 @@ index 8b40377..95dde04 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1228,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -25619,7 +25625,7 @@ index 8b40377..95dde04 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1272,44 @@ optional_policy(`
+@@ -785,17 +1277,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25666,7 +25672,7 @@ index 8b40377..95dde04 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1317,10 @@ optional_policy(`
+@@ -803,6 +1322,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25677,7 +25683,7 @@ index 8b40377..95dde04 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1341,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -25691,7 +25697,7 @@ index 8b40377..95dde04 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1352,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -25700,7 +25706,7 @@ index 8b40377..95dde04 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1365,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -25735,7 +25741,7 @@ index 8b40377..95dde04 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1430,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25744,7 +25750,7 @@ index 8b40377..95dde04 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1484,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -25776,7 +25782,7 @@ index 8b40377..95dde04 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1530,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
diff --git a/policy-rawhide-contrib-user_tmp.patch b/policy-rawhide-contrib-user_tmp.patch
new file mode 100644
index 0000000..052ec5c
--- /dev/null
+++ b/policy-rawhide-contrib-user_tmp.patch
@@ -0,0 +1,252 @@
+diff --git a/chrome.te b/chrome.te
+index fb60ffc..7d937cb 100644
+--- a/chrome.te
++++ b/chrome.te
+@@ -114,8 +114,8 @@ miscfiles_read_fonts(chrome_sandbox_t)
+ 
+ sysnet_dns_name_resolve(chrome_sandbox_t)
+ 
+-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+-userdom_execute_user_tmpfs_files(chrome_sandbox_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_execute_user_tmp_files(chrome_sandbox_t)
+ 
+ userdom_use_user_ptys(chrome_sandbox_t)
+ userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+@@ -236,8 +236,8 @@ init_read_state(chrome_sandbox_nacl_t)
+ libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+ 
+ userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+-userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+ userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+ userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+ userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+diff --git a/colord.te b/colord.te
+index 5425ddf..3d5988c 100644
+--- a/colord.te
++++ b/colord.te
+@@ -112,7 +112,7 @@ logging_send_syslog_msg(colord_t)
+ 
+ systemd_read_logind_sessions_files(colord_t)
+ 
+-userdom_rw_user_tmpfs_files(colord_t)
++userdom_rw_user_tmp_files(colord_t)
+ userdom_home_reader(colord_t)
+ userdom_list_user_home_content(colord_t)
+ userdom_read_inherited_user_home_content_files(colord_t)
+diff --git a/corosync.te b/corosync.te
+index e827567..837e0a8 100644
+--- a/corosync.te
++++ b/corosync.te
+@@ -108,8 +108,8 @@ logging_send_syslog_msg(corosync_t)
+ miscfiles_read_localization(corosync_t)
+ 
+ userdom_read_user_tmp_files(corosync_t)
+-userdom_delete_user_tmpfs_files(corosync_t)
+-userdom_rw_user_tmpfs_files(corosync_t)
++userdom_delete_user_tmp_files(corosync_t)
++userdom_rw_user_tmp_files(corosync_t)
+ 
+ optional_policy(`
+ 	fs_manage_tmpfs_files(corosync_t)
+diff --git a/gpg.te b/gpg.te
+index 695e8fa..fe77236 100644
+--- a/gpg.te
++++ b/gpg.te
+@@ -364,9 +364,9 @@ miscfiles_read_fonts(gpg_pinentry_t)
+ 
+ # for .Xauthority
+ userdom_read_user_home_content_files(gpg_pinentry_t)
+-userdom_read_user_tmpfs_files(gpg_pinentry_t)
++userdom_read_user_tmp_files(gpg_pinentry_t)
+ # Bug: user pulseaudio files need open,read and unlink:
+-allow gpg_pinentry_t user_tmpfs_t:file unlink;
++allow gpg_pinentry_t user_tmp_t:file unlink;
+ userdom_signull_unpriv_users(gpg_pinentry_t)
+ userdom_use_user_terminals(gpg_pinentry_t)
+ 
+diff --git a/journalctl.te b/journalctl.te
+index 5de3229..e1d6594 100644
+--- a/journalctl.te
++++ b/journalctl.te
+@@ -36,8 +36,7 @@ fs_getattr_all_fs(journalctl_t)
+ userdom_list_user_home_dirs(journalctl_t)
+ userdom_read_user_home_content_files(journalctl_t)
+ userdom_use_inherited_user_ptys(journalctl_t)
+-userdom_write_inherited_user_tmp_files(journalctl_t)
+-userdom_rw_inherited_user_tmpfs_files(journalctl_t)
++userdom_rw_inherited_user_tmp_files(journalctl_t)
+ userdom_rw_inherited_user_home_content_files(journalctl_t)
+ 
+ miscfiles_read_localization(journalctl_t)
+diff --git a/kismet.te b/kismet.te
+index c070420..4e66536 100644
+--- a/kismet.te
++++ b/kismet.te
+@@ -96,7 +96,7 @@ corenet_tcp_connect_rtsclient_port(kismet_t)
+ auth_use_nsswitch(kismet_t)
+ 
+ userdom_use_inherited_user_terminals(kismet_t)
+-userdom_read_user_tmpfs_files(kismet_t)
++userdom_read_user_tmp_files(kismet_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(kismet_t)
+diff --git a/mozilla.te b/mozilla.te
+index ad56dac..01dc360 100644
+--- a/mozilla.te
++++ b/mozilla.te
+@@ -357,7 +357,6 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+ files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+ userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+-xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+ can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
+ 
+ manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+@@ -365,7 +364,6 @@ manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugi
+ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+-userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+ userdom_manage_home_texlive(mozilla_plugin_t)
+ 
+ allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+@@ -484,8 +482,6 @@ term_getattr_ptmx(mozilla_plugin_t)
+ term_dontaudit_use_ptmx(mozilla_plugin_t)
+ 
+ userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
+-userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+-userdom_delete_user_tmpfs_files(mozilla_plugin_t)
+ userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+ userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+ userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+diff --git a/mpd.te b/mpd.te
+index 92632e8..953e3bf 100644
+--- a/mpd.te
++++ b/mpd.te
+@@ -172,7 +172,7 @@ tunable_policy(`mpd_enable_homedirs',`
+ 	userdom_stream_connect(mpd_t)
+ 	userdom_read_home_audio_files(mpd_t)
+ 	userdom_list_user_tmp(mpd_t)
+-	userdom_read_user_tmpfs_files(mpd_t)
++	userdom_read_user_tmp_files(mpd_t)
+ 	userdom_dontaudit_setattr_user_tmp(mpd_t)
+ ')
+ 
+diff --git a/podsleuth.te b/podsleuth.te
+index 5bf10ce..c06ace5 100644
+--- a/podsleuth.te
++++ b/podsleuth.te
+@@ -80,7 +80,7 @@ sysnet_dns_name_resolve(podsleuth_t)
+ 
+ userdom_signal_unpriv_users(podsleuth_t)
+ userdom_signull_unpriv_users(podsleuth_t)
+-userdom_read_user_tmpfs_files(podsleuth_t)
++userdom_read_user_tmp_files(podsleuth_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(podsleuth_t)
+diff --git a/pulseaudio.te b/pulseaudio.te
+index 1d2470f..64ac070 100644
+--- a/pulseaudio.te
++++ b/pulseaudio.te
+@@ -97,7 +97,7 @@ auth_use_nsswitch(pulseaudio_t)
+ 
+ logging_send_syslog_msg(pulseaudio_t)
+ 
+-userdom_read_user_tmpfs_files(pulseaudio_t)
++userdom_read_user_tmp_files(pulseaudio_t)
+ 
+ userdom_search_user_home_dirs(pulseaudio_t)
+ userdom_write_user_tmp_sockets(pulseaudio_t)
+@@ -224,7 +224,7 @@ pulseaudio_signull(pulseaudio_client)
+ 
+ userdom_manage_user_home_content_files(pulseaudio_client)
+ 
+-userdom_read_user_tmpfs_files(pulseaudio_client)
++userdom_read_user_tmp_files(pulseaudio_client)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+     fs_getattr_nfs(pulseaudio_client)
+diff --git a/qemu.te b/qemu.te
+index 8c1e989..958c0ef 100644
+--- a/qemu.te
++++ b/qemu.te
+@@ -52,7 +52,7 @@ storage_raw_write_removable_device(qemu_t)
+ storage_raw_read_removable_device(qemu_t)
+ 
+ userdom_search_user_home_content(qemu_t)
+-userdom_read_user_tmpfs_files(qemu_t)
++userdom_read_user_tmp_files(qemu_t)
+ userdom_stream_connect(qemu_t)
+ 
+ tunable_policy(`qemu_full_network',`
+diff --git a/rhcs.te b/rhcs.te
+index ec50831..eb9e2ac 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -219,9 +219,8 @@ init_read_script_state(cluster_t)
+ init_rw_script_tmp_files(cluster_t)
+ init_manage_script_status_files(cluster_t)
+ 
+-userdom_read_user_tmp_files(cluster_t)
+-userdom_delete_user_tmpfs_files(cluster_t)
+-userdom_rw_user_tmpfs_files(cluster_t)
++userdom_delete_user_tmp_files(cluster_t)
++userdom_rw_user_tmp_files(cluster_t)
+ userdom_kill_all_users(cluster_t)
+ 
+ tunable_policy(`cluster_can_network_connect',`
+diff --git a/sandboxX.te b/sandboxX.te
+index 956922c..499e739 100644
+--- a/sandboxX.te
++++ b/sandboxX.te
+@@ -415,8 +415,8 @@ selinux_compute_relabel_context(sandbox_web_type)
+ selinux_compute_user_contexts(sandbox_web_type)
+ seutil_read_default_contexts(sandbox_web_type)
+ 
+-userdom_rw_user_tmpfs_files(sandbox_web_type)
+-userdom_delete_user_tmpfs_files(sandbox_web_type)
++userdom_rw_user_tmp_files(sandbox_web_type)
++userdom_delete_user_tmp_files(sandbox_web_type)
+ 
+ optional_policy(`
+ 	alsa_read_rw_config(sandbox_web_type)
+diff --git a/thumb.te b/thumb.te
+index 0e30ce2..bd82684 100644
+--- a/thumb.te
++++ b/thumb.te
+@@ -46,7 +46,7 @@ manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+ userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+ userdom_dontaudit_access_check_user_content(thumb_t)
+-userdom_rw_inherited_user_tmpfs_files(thumb_t)
++userdom_rw_inherited_user_tmp_files(thumb_t)
+ userdom_manage_home_texlive(thumb_t)
+ 
+ manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+@@ -55,7 +55,6 @@ manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+ exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+ files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+ userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+-xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
+ 
+ manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+ manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+diff --git a/userhelper.if b/userhelper.if
+index 35d784a..b25ec0d 100644
+--- a/userhelper.if
++++ b/userhelper.if
+@@ -315,7 +315,7 @@ template(`userhelper_console_role_template',`
+ 
+ 	auth_use_pam($1_consolehelper_t)
+ 
+-	userdom_manage_tmpfs_role($2, $1_consolehelper_t)
++	userdom_manage_tmp_role($2, $1_consolehelper_t)
+ 
+ 	optional_policy(`
+ 		dbus_connect_session_bus($1_consolehelper_t)
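Review bot: In gpg.te the raw rule `allow gpg_pinentry_t user_tmp_t:file unlink;` now targets a type that, after this merge, covers on-disk /tmp content as well as the tmpfs files the "Bug:" comment refers to, and it bypasses the interface the rest of this patch uses for the same permission; `userdom_delete_user_tmp_files(gpg_pinentry_t)` (used for corosync_t, cluster_t and sandbox_web_type in this same hunk) would keep the grant behind an interface and make the wider scope explicit. In chrome.te the rewrite leaves `userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)` twice in a row, once from the renamed tmpfs call and once from the pre-existing line; one of them should go. In mozilla.te `userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, ...)` is dropped without a replacement, so files the plugin creates in a former user_tmpfs_t directory presumably now transition via `userdom_user_tmp_filetrans` to mozilla_plugin_tmp_t rather than mozilla_plugin_tmpfs_t; worth confirming that is the intended label on tmpfs.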
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8e54661..c10d55a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
 diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..2eebc19 100644
+index 1a93dc5..36f5a1f 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,31 +1,43 @@
+@@ -1,31 +1,44 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -50,6 +50,7 @@ index 1a93dc5..2eebc19 100644
 +/var/spool/abrt(/.*)?			    gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +/var/spool/abrt-retrace(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 +/var/spool/retrace-server(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/faf(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 +/var/spool/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +/var/spool/rhsm/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
  
@@ -70,7 +71,7 @@ index 1a93dc5..2eebc19 100644
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 -/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..1e5378d 100644
+index 058d908..2f6c3a9 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -346,7 +347,7 @@ index 058d908..1e5378d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +407,173 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +407,174 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -446,6 +447,7 @@ index 058d908..1e5378d 100644
 +	manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +	manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +	manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++    manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +')
 +
 +#####################################
@@ -11478,10 +11480,10 @@ index 0000000..a0fdbcb
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..748f5d5
+index 0000000..fb60ffc
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,248 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -11610,6 +11612,7 @@ index 0000000..748f5d5
 +userdom_manage_home_certs(chrome_sandbox_t)
 +
 +optional_policy(`
++	gnome_exec_config_home_files(chrome_sandbox_t)
 +	gnome_read_generic_cache_files(chrome_sandbox_t)
 +	gnome_rw_inherited_config(chrome_sandbox_t)
 +	gnome_read_home_config(chrome_sandbox_t)
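Review bot: `gnome_exec_config_home_files(chrome_sandbox_t)` lets the browser sandbox execute content under the user's config home (config_home_t, presumably ~/.config), a location the user's own domain and applications can write, so this is effectively an execute-from-writable-directory grant for a domain that also processes untrusted web content, and the commit message does not say which binary needs it. If a specific helper is the reason, a dedicated executable label for it would bound the scope; at minimum a comment on the line naming the helper and the bug report that motivated it would keep the grant reviewable later. The enclosing optional_policy block starts and ends outside the hunk.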
@@ -25916,10 +25919,10 @@ index cf0e567..fed8792 100644
 +    apache_read_log(fail2ban_client_t)
 +')
 diff --git a/fcoe.te b/fcoe.te
-index ce358fb..aabd04f 100644
+index ce358fb..65ade3f 100644
 --- a/fcoe.te
 +++ b/fcoe.te
-@@ -20,25 +20,27 @@ files_pid_file(fcoemon_var_run_t)
+@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
  # Local policy
  #
  
@@ -25951,6 +25954,10 @@ index ce358fb..aabd04f 100644
  optional_policy(`
  	lldpad_dgram_send(fcoemon_t)
  ')
++
++optional_policy(`
++    networkmanager_dgram_send(fcoemon_t)
++')
 diff --git a/fetchmail.fc b/fetchmail.fc
 index 133b8ee..a47a12f 100644
 --- a/fetchmail.fc
@@ -29241,7 +29248,7 @@ index e39de43..6a6db28 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..8bcb6ba 100644
+index ab09d61..5f39122 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,52 +1,78 @@
@@ -30288,7 +30295,7 @@ index ab09d61..8bcb6ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -706,12 +820,948 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +820,966 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -30845,6 +30852,24 @@ index ab09d61..8bcb6ba 100644
 +        can_exec($1, gstreamer_home_t)
 +')
 +
++######################################
++## <summary>
++##      Allow to execute config home content files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gnome_exec_config_home_files',`
++        gen_require(`
++                type config_home_t;
++        ')
++
++        can_exec($1, config_home_t)
++')
++
 +#######################################
 +## <summary>
 +##  file name transition gstreamer home content files.
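Review bot: The summary of the new `gnome_exec_config_home_files` interface, "Allow to execute config home content files.", does not say that config_home_t is user-writable content, which is exactly the property a policy author has to weigh before picking an execute interface. I would expand it to `##      Execute files in the user's config home (config_home_t). This is user-writable content, so the caller is effectively allowed to run user-supplied binaries.`. The body grants only `can_exec`, so the caller must already be able to search into the directory; that matches the neighbouring gstreamer_home_t interface, so no change there.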
@@ -51038,7 +51063,7 @@ index 86dc29d..1cd0d0e 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..63b8998 100644
+index 55f2009..5fa2fb5 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -51295,7 +51320,7 @@ index 55f2009..63b8998 100644
  	')
  ')
  
-@@ -231,18 +263,27 @@ optional_policy(`
+@@ -231,10 +263,11 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -51304,16 +51329,14 @@ index 55f2009..63b8998 100644
  
  optional_policy(`
 -	gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+	hal_write_log(NetworkManager_t)
++    fcoe_dgram_send_fcoemon(NetworkManager_t)
  ')
  
  optional_policy(`
--	hal_write_log(NetworkManager_t)
-+	howl_signal(NetworkManager_t)
+@@ -246,10 +279,26 @@ optional_policy(`
  ')
  
  optional_policy(`
--	howl_signal(NetworkManager_t)
 +	gnome_dontaudit_search_config(NetworkManager_t)
 +')
 +
@@ -51323,10 +51346,10 @@ index 55f2009..63b8998 100644
 +
 +optional_policy(`
 +    iodined_domtrans(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -250,6 +291,10 @@ optional_policy(`
++')
++
++optional_policy(`
+ 	ipsec_domtrans_mgmt(NetworkManager_t)
  	ipsec_kill_mgmt(NetworkManager_t)
  	ipsec_signal_mgmt(NetworkManager_t)
  	ipsec_signull_mgmt(NetworkManager_t)
@@ -51337,7 +51360,7 @@ index 55f2009..63b8998 100644
  ')
  
  optional_policy(`
-@@ -257,15 +302,19 @@ optional_policy(`
+@@ -257,15 +306,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51359,7 +51382,7 @@ index 55f2009..63b8998 100644
  ')
  
  optional_policy(`
-@@ -274,10 +323,17 @@ optional_policy(`
+@@ -274,10 +327,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
@@ -51377,7 +51400,7 @@ index 55f2009..63b8998 100644
  ')
  
  optional_policy(`
-@@ -289,6 +345,7 @@ optional_policy(`
+@@ -289,6 +349,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51385,7 +51408,7 @@ index 55f2009..63b8998 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +353,7 @@ optional_policy(`
+@@ -296,7 +357,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51394,7 +51417,7 @@ index 55f2009..63b8998 100644
  ')
  
  optional_policy(`
-@@ -307,6 +364,7 @@ optional_policy(`
+@@ -307,6 +368,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -51402,7 +51425,7 @@ index 55f2009..63b8998 100644
  ')
  
  optional_policy(`
-@@ -320,14 +378,20 @@ optional_policy(`
+@@ -320,14 +382,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51428,7 +51451,7 @@ index 55f2009..63b8998 100644
  ')
  
  optional_policy(`
-@@ -357,6 +421,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +425,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -75520,7 +75543,7 @@ index 327baf0..d8691bd 100644
 +
  # Remote login currently has no file contexts.
 diff --git a/remotelogin.if b/remotelogin.if
-index a9ce68e..31be971 100644
+index a9ce68e..92520aa 100644
 --- a/remotelogin.if
 +++ b/remotelogin.if
 @@ -1,4 +1,4 @@
@@ -75544,24 +75567,23 @@ index a9ce68e..31be971 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
+@@ -39,8 +38,7 @@ interface(`remotelogin_signal',`
  
- 	allow $1 remote_login_t:process signal;
- ')
--
--########################################
--## <summary>
+ ########################################
+ ## <summary>
 -##	Create, read, write, and delete
 -##	remote login temporary content.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	allow Domain to signal remote login domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -48,32 +46,10 @@ interface(`remotelogin_signal',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`remotelogin_manage_tmp_content',`
--	gen_require(`
++interface(`remotelogin_signull',`
+ 	gen_require(`
 -		type remote_login_tmp_t;
 -	')
 -
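Review bot: The summary written for the new `remotelogin_signull` interface says it allows a domain to signal the remote login domain, but the permission the interface grants (its body continues in the next hunk, `allow $1 remote_login_t:process signull;`) is only the null signal used for existence checks, and a `remotelogin_signal` interface granting `process signal` already exists directly above it. As written the two interfaces are documented identically, so a caller picking by summary may request the wrong one. The XML summary should describe what is actually allowed, e.g. `##	Send a null signal to the remote login domain.`, capitalised like the neighbouring summaries rather than `allow Domain to ...`. The interface starts in this hunk and ends in the following one; the same wording fix covers both.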
@@ -75583,12 +75605,14 @@ index a9ce68e..31be971 100644
 -interface(`remotelogin_relabel_tmp_content',`
 -	gen_require(`
 -		type remote_login_tmp_t;
--	')
--
++		type remote_login_t;
+ 	')
+ 
 -	files_search_tmp($1)
 -	allow $1 remote_login_tmp_t:dir relabel_dir_perms;
 -	allow $1 remote_login_tmp_t:file relabel_file_perms;
--')
++	allow $1 remote_login_t:process signull;
+ ')
 diff --git a/remotelogin.te b/remotelogin.te
 index ae30871..43fd6e8 100644
 --- a/remotelogin.te
@@ -98158,7 +98182,7 @@ index 31c752e..ef52235 100644
  	init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/vdagent.te b/vdagent.te
-index 87da8a2..9148a0d 100644
+index 87da8a2..13f2f44 100644
 --- a/vdagent.te
 +++ b/vdagent.te
 @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -98169,7 +98193,7 @@ index 87da8a2..9148a0d 100644
  allow vdagent_t self:fifo_file rw_fifo_file_perms;
  allow vdagent_t self:unix_stream_socket { accept listen };
  
-@@ -39,20 +40,21 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,23 +40,26 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
  setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
  logging_log_filetrans(vdagent_t, vdagent_log_t, file)
  
@@ -98195,6 +98219,11 @@ index 87da8a2..9148a0d 100644
  
  userdom_read_all_users_state(vdagent_t)
  
++xserver_read_xdm_state(vdagent_t)
++
+ optional_policy(`
+ 	dbus_system_bus_client(vdagent_t)
+ 
 diff --git a/vhostmd.if b/vhostmd.if
 index 22edd58..c3a5364 100644
 --- a/vhostmd.if
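Review bot: The new `xserver_read_xdm_state(vdagent_t)` grant is unrelated to the user_tmp_t/user_tmpfs_t merge this commit describes, and nothing in the changelog entry records why vdagent now needs to read the display manager's process state. A one-line comment above the call naming the denial it resolves, e.g. `# vdagent reads xdm process state (AVC/bug: <REFERENCE-PLACEHOLDER>)`, or a dedicated changelog line, would keep the widened access traceable at the next policy review. If xserver is built as an optional module in this tree, the call should also sit inside an `optional_policy(` block like the `dbus_system_bus_client` call that follows it; whether that applies cannot be told from this hunk.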
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3cd932e..617d83b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 41%{?dist}
+Release: 42%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-rawhide-base.patch
 patch1: policy-rawhide-contrib.patch
+patch2: policy-rawhide-base-user_tmp.patch
+patch3: policy-rawhide-contrib-user_tmp.patch
 Source1: modules-targeted-base.conf 
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -319,9 +321,11 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch3 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch2 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 
@@ -584,6 +588,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 1 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-42
+- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
+
 * Thu Mar 27 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-41
 - Turn on gear_port_t
 - Add gear policy and remove permissive domains.

