From e0ae206813122be0785457a1e19424c63e5a56f6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Jul 23 2007 20:34:22 +0000
Subject: - Add ntpd_key_t to handle secret data


---

diff --git a/policy-20070703.patch b/policy-20070703.patch
index 3fecf74..f529417 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1260,7 +1260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
  /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.3/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-23 11:05:01.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-23 14:19:32.000000000 -0400
 @@ -33,6 +33,51 @@
  ## </param>
  #
@@ -1417,9 +1417,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
  ##	manage gnome homedir content (.config)
  ## </summary>
  ## <param name="userdomain_prefix">
-@@ -193,3 +284,23 @@
- 	allow $2 $1_gnome_home_t:dir manage_dir_perms;
- 	allow $2 $1_gnome_home_t:file manage_file_perms;
+@@ -190,6 +281,26 @@
+ 		type $1_gnome_home_t;
+ 	')
+ 
+-	allow $2 $1_gnome_home_t:dir manage_dir_perms;
+-	allow $2 $1_gnome_home_t:file manage_file_perms;
++	manage_dirs_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
++	manage_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
  ')
 +
 +########################################
@@ -1455,7 +1460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
  corecmd_executable_file(gconfd_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.3/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/java.if	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/java.if	2007-07-23 16:11:58.000000000 -0400
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -1475,7 +1480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if 
  	allow $1_javaplugin_t $2:fd use;
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-@@ -168,6 +167,55 @@
+@@ -168,6 +167,53 @@
  	optional_policy(`
  		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
  	')
@@ -1512,7 +1517,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if 
 +template(`java_per_role_template',`
 +	gen_require(`
 +		type java_exec_t;
-+		attribute $1_usertype;
 +	')
 +
 +	type $1_java_t;
@@ -1520,7 +1524,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if 
 +	domain_entry_file($1_java_t,java_exec_t)
 +	role $3 types $1_java_t;
 +
-+	typeattribute $1_java_t $1_usertype;
 +	allow $1_java_t self:process { execheap execmem };
 +
 +	domtrans_pattern($2, java_exec_t, $1_java_t)
@@ -1531,7 +1534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if 
  ')
  
  ########################################
-@@ -221,3 +269,66 @@
+@@ -221,3 +267,66 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, java_exec_t, java_t)
  ')
@@ -1623,8 +1626,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.3/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mono.if	2007-07-17 15:46:25.000000000 -0400
-@@ -18,3 +18,100 @@
++++ serefpolicy-3.0.3/policy/modules/apps/mono.if	2007-07-23 16:14:31.000000000 -0400
+@@ -18,3 +18,98 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, mono_exec_t, mono_t)
  ')
@@ -1708,7 +1711,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if 
 +template(`mono_per_role_template',`
 +	gen_require(`
 +		type mono_exec_t;
-+		attribute $1_usertype;
 +	')
 +
 +	type $1_mono_t;
@@ -1716,7 +1718,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if 
 +	domain_entry_file($1_mono_t,mono_exec_t)
 +	role $3 types $1_mono_t;
 +
-+	typeattribute $1_mono_t $1_usertype;
 +	allow $1_mono_t self:process { execheap execmem };
 +
 +	domtrans_pattern($2, mono_exec_t, $1_mono_t)
@@ -1738,7 +1739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te 
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-20 17:26:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-23 16:25:26.000000000 -0400
 @@ -36,6 +36,8 @@
  	gen_require(`
  		type mozilla_conf_t, mozilla_exec_t;
@@ -1833,7 +1834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	
  	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
  	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-@@ -213,133 +244,6 @@
+@@ -213,131 +244,8 @@
  		fs_manage_cifs_symlinks($1_mozilla_t)
  	')
  
@@ -1962,12 +1963,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 -		userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
 -		userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
 -
--	')
--
++	optional_policy(`
++		alsa_read_rw_config($1_mozilla_t)
+ 	')
+ 
  	optional_policy(`
- 		apache_read_user_scripts($1,$1_mozilla_t)
- 		apache_read_user_content($1,$1_mozilla_t)
-@@ -352,21 +256,23 @@
+@@ -352,21 +260,28 @@
  	optional_policy(`
  		cups_read_rw_config($1_mozilla_t)
  		cups_dbus_chat($1_mozilla_t)
@@ -1981,11 +1982,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 -		dbus_send_user_bus($1,$1_mozilla_t)
 +#		dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
 +#		dbus_send_user_bus($1,$1_mozilla_t)
++	')
++
++	optional_policy(`
++		gnome_exec_gconf($1_mozilla_t)
++		gnome_manage_user_gnome_config($1,$1_mozilla_t)
  	')
  
  	optional_policy(`
- 		gnome_stream_connect_gconf_template($1,$1_mozilla_t)
 +		gnome_domtrans_user_gconf($1,$1_mozilla_t)
+ 		gnome_stream_connect_gconf_template($1,$1_mozilla_t)
  	')
  
  	optional_policy(`
@@ -1994,7 +2000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	')
  
  	optional_policy(`
-@@ -386,25 +292,6 @@
+@@ -386,25 +301,6 @@
  		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
  	')
  
@@ -2020,7 +2026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -577,3 +464,27 @@
+@@ -577,3 +473,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -3175,7 +3181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/apache.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/services/apache.te	2007-07-23 16:18:28.000000000 -0400
 @@ -30,6 +30,13 @@
  
  ## <desc>
@@ -3499,7 +3505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  # httpd_rotatelogs local policy
  #
  
-@@ -728,3 +892,24 @@
+@@ -728,3 +892,26 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -3520,9 +3526,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 +
 +
-+tunable_policy(`allow_httpd_dbus_avahi',`
-+	avahi_dbus_chat(httpd_t)
++optional_policy(`
 +	dbus_system_bus_client_template(httpd,httpd_t)
++	tunable_policy(`allow_httpd_dbus_avahi',`
++		avahi_dbus_chat(httpd_t)
++	')
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.3/policy/modules/services/apcupsd.fc
 --- nsaserefpolicy/policy/modules/services/apcupsd.fc	2007-05-30 11:47:29.000000000 -0400
@@ -5610,10 +5618,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.3/policy/modules/services/ntp.fc
+--- nsaserefpolicy/policy/modules/services/ntp.fc	2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/services/ntp.fc	2007-07-23 13:11:18.000000000 -0400
+@@ -17,3 +17,7 @@
+ /var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
+ 
+ /var/run/ntpd\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
++
++/etc/ntp/crypto(/.*)?         gen_context(system_u:object_r:ntpd_key_t,s0)
++/etc/ntp/keys              -- gen_context(system_u:object_r:ntpd_key_t,s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.3/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/ntp.te	2007-07-19 10:44:14.000000000 -0400
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.0.3/policy/modules/services/ntp.te	2007-07-23 13:36:54.000000000 -0400
+@@ -25,6 +25,9 @@
+ type ntpdate_exec_t;
+ init_system_domain(ntpd_t,ntpdate_exec_t)
+ 
++type ntpd_key_t;
++files_type(ntpd_key_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +39,7 @@
  dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
  allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
  allow ntpd_t self:fifo_file { read write getattr };
@@ -5621,7 +5650,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  allow ntpd_t self:unix_dgram_socket create_socket_perms;
  allow ntpd_t self:unix_stream_socket create_socket_perms;
  allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -82,6 +83,8 @@
+@@ -49,6 +53,8 @@
+ manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
+ logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
+ 
++read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
++
+ # for some reason it creates a file in /tmp
+ manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+ manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+@@ -82,6 +88,8 @@
  
  fs_getattr_all_fs(ntpd_t)
  fs_search_auto_mountpoints(ntpd_t)
@@ -5630,7 +5668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  
  auth_use_nsswitch(ntpd_t)
  
-@@ -107,6 +110,8 @@
+@@ -107,6 +115,8 @@
  
  sysnet_read_config(ntpd_t)
  
@@ -5639,7 +5677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
  userdom_list_sysadm_home_dirs(ntpd_t)
  userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-@@ -126,9 +131,14 @@
+@@ -126,9 +136,14 @@
  ')
  
  optional_policy(`
@@ -8886,7 +8924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.3/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/logging.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/system/logging.te	2007-07-23 15:43:28.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -8989,7 +9027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
-+allow syslogd_t syslog_conf_t:file read;
++allow syslogd_t syslog_conf_t:file r_file_perms;
 +
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
@@ -10369,178 +10407,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 11:53:11.000000000 -0400
-@@ -29,90 +29,99 @@
- 	')
++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 16:30:24.000000000 -0400
+@@ -62,6 +62,10 @@
  
- 	attribute $1_file_type;
-+	attribute $1_usertype;
- 
--	type $1_t, userdomain;
-+	type $1_t, userdomain, $1_usertype;
- 	domain_type($1_t)
--	corecmd_shell_entry_type($1_t)
--	corecmd_bin_entry_type($1_t)
-+	corecmd_shell_entry_type($1_usertype)
-+	corecmd_bin_entry_type($1_usertype)
- 	domain_user_exemption_target($1_t)
- 	role $1_r types $1_t;
- 	allow system_r $1_r;
- 
- 	type $1_devpts_t;
--	term_user_pty($1_t,$1_devpts_t)
-+	term_user_pty($1_usertype,$1_devpts_t)
- 	files_type($1_devpts_t)
- 
- 	type $1_tty_device_t; 
--	term_user_tty($1_t,$1_tty_device_t)
-+	term_user_tty($1_usertype,$1_tty_device_t)
- 
--	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
--	allow $1_t self:fd use;
--	allow $1_t self:fifo_file rw_fifo_file_perms;
--	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
--	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
--	allow $1_t self:shm create_shm_perms;
--	allow $1_t self:sem create_sem_perms;
--	allow $1_t self:msgq create_msgq_perms;
--	allow $1_t self:msg { send receive };
--	allow $1_t self:context contains;
--	dontaudit $1_t self:socket create;
--
--	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
--	term_create_pty($1_t,$1_devpts_t)
--
--	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
--
--	kernel_read_kernel_sysctls($1_t)
--	kernel_dontaudit_list_unlabeled($1_t)
--	kernel_dontaudit_getattr_unlabeled_files($1_t)
--	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
--	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
--	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
--	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
--	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-+	allow $1_usertype self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
-+	allow $1_usertype self:fd use;
-+	allow $1_usertype self:fifo_file rw_fifo_file_perms;
-+	allow $1_usertype self:unix_dgram_socket { create_socket_perms sendto };
-+	allow $1_usertype self:unix_stream_socket { create_stream_socket_perms connectto };
-+	allow $1_usertype self:shm create_shm_perms;
-+	allow $1_usertype self:sem create_sem_perms;
-+	allow $1_usertype self:msgq create_msgq_perms;
-+	allow $1_usertype self:msg { send receive };
-+	allow $1_usertype self:context contains;
-+	dontaudit $1_usertype self:socket create;
-+
-+	allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-+	term_create_pty($1_usertype,$1_devpts_t)
-+
-+	allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+
-+	application_exec_all($1_usertype)
-+
-+	auth_use_nsswitch($1_usertype)
-+
-+	kernel_read_kernel_sysctls($1_usertype)
-+	kernel_dontaudit_list_unlabeled($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
- 
- 	# When the user domain runs ps, there will be a number of access
- 	# denials when ps tries to search /proc.  Do not audit these denials.
--	domain_dontaudit_read_all_domains_state($1_t)
--	domain_dontaudit_getattr_all_domains($1_t)
--	domain_dontaudit_getsession_all_domains($1_t)
--
--	files_read_etc_files($1_t)
--	files_read_etc_runtime_files($1_t)
--	files_read_usr_files($1_t)
-+	domain_dontaudit_read_all_domains_state($1_usertype)
-+	domain_dontaudit_getattr_all_domains($1_usertype)
-+	domain_dontaudit_getsession_all_domains($1_usertype)
-+
-+	files_read_etc_files($1_usertype)
-+	files_read_etc_runtime_files($1_usertype)
-+	files_read_usr_files($1_usertype)
- 	# Read directories and files with the readable_t type.
- 	# This type is a general type for "world"-readable files.
--	files_list_world_readable($1_t)
--	files_read_world_readable_files($1_t)
--	files_read_world_readable_symlinks($1_t)
--	files_read_world_readable_pipes($1_t)
--	files_read_world_readable_sockets($1_t)
-+	files_list_world_readable($1_usertype)
-+	files_read_world_readable_files($1_usertype)
-+	files_read_world_readable_symlinks($1_usertype)
-+	files_read_world_readable_pipes($1_usertype)
-+	files_read_world_readable_sockets($1_usertype)
- 	# old broswer_domain():
--	files_dontaudit_list_non_security($1_t)
--	files_dontaudit_getattr_non_security_files($1_t)
--	files_dontaudit_getattr_non_security_symlinks($1_t)
--	files_dontaudit_getattr_non_security_pipes($1_t)
--	files_dontaudit_getattr_non_security_sockets($1_t)
--	files_dontaudit_getattr_non_security_blk_files($1_t)
--	files_dontaudit_getattr_non_security_chr_files($1_t)
--
--	libs_use_ld_so($1_t)
--	libs_use_shared_libs($1_t)
--	libs_exec_ld_so($1_t)
-+	files_dontaudit_list_non_security($1_usertype)
-+	files_dontaudit_getattr_non_security_files($1_usertype)
-+	files_dontaudit_getattr_non_security_symlinks($1_usertype)
-+	files_dontaudit_getattr_non_security_pipes($1_usertype)
-+	files_dontaudit_getattr_non_security_sockets($1_usertype)
-+	files_dontaudit_getattr_non_security_blk_files($1_usertype)
-+	files_dontaudit_getattr_non_security_chr_files($1_usertype)
-+
-+	libs_use_ld_so($1_usertype)
-+	libs_use_shared_libs($1_usertype)
-+	libs_exec_ld_so($1_usertype)
- 
--	miscfiles_read_localization($1_t)
--	miscfiles_read_certs($1_t)
-+	miscfiles_read_localization($1_usertype)
-+	miscfiles_read_certs($1_usertype)
- 
--	sysnet_read_config($1_t)
-+	sysnet_read_config($1_usertype)
- 
- 	tunable_policy(`allow_execmem',`
- 		# Allow loading DSOs that require executable stack.
--		allow $1_t self:process execmem;
-+		allow $1_usertype self:process execmem;
- 	')
+ 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
  
- 	tunable_policy(`allow_execmem && allow_execstack',`
++	application_exec_all($1_t)
++
++	auth_use_nsswitch($1_t)
++
+ 	kernel_read_kernel_sysctls($1_t)
+ 	kernel_dontaudit_list_unlabeled($1_t)
+ 	kernel_dontaudit_getattr_unlabeled_files($1_t)
+@@ -114,6 +118,10 @@
  		# Allow making the stack executable via mprotect.
--		allow $1_t self:process execstack;
-+		allow $1_usertype self:process execstack;
-+	')
+ 		allow $1_t self:process execstack;
+ 	')
 +
 +	optional_policy(`
-+		ssh_rw_stream_sockets($1_usertype)
- 	')
++		ssh_rw_stream_sockets($1_t)
++	')
  ')
  
-@@ -174,43 +183,35 @@
- 	#
+ #######################################
+@@ -183,14 +191,6 @@
+ 	read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
+ 	files_list_home($1_t)
  
- 	# read-only home directory
--	allow $1_t $1_home_dir_t:dir list_dir_perms;
--	allow $1_t $1_home_t:dir list_dir_perms;
--	allow $1_t $1_home_t:file entrypoint;
--	read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	files_list_home($1_t)
--
 -	# privileged home directory writers
 -	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 -	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
@@ -10548,263 +10441,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 -	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 -	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-+	allow $1_usertype $1_home_dir_t:dir list_dir_perms;
-+	allow $1_usertype $1_home_t:dir list_dir_perms;
-+	allow $1_usertype $1_home_t:file entrypoint;
-+	read_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	read_lnk_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	read_fifo_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	read_sock_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	files_list_home($1_usertype)
- 
- 	tunable_policy(`use_nfs_home_dirs',`
--		fs_list_nfs_dirs($1_t)
--		fs_read_nfs_files($1_t)
--		fs_read_nfs_symlinks($1_t)
--		fs_read_nfs_named_sockets($1_t)
--		fs_read_nfs_named_pipes($1_t)
-+		fs_list_nfs_dirs($1_usertype)
-+		fs_read_nfs_files($1_usertype)
-+		fs_read_nfs_symlinks($1_usertype)
-+		fs_read_nfs_named_sockets($1_usertype)
-+		fs_read_nfs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_read_nfs_dirs($1_t)
--		fs_dontaudit_read_nfs_files($1_t)
-+		fs_dontaudit_read_nfs_dirs($1_usertype)
-+		fs_dontaudit_read_nfs_files($1_usertype)
- 	')
- 
- 	tunable_policy(`use_samba_home_dirs',`
--		fs_list_cifs_dirs($1_t)
--		fs_read_cifs_files($1_t)
--		fs_read_cifs_symlinks($1_t)
--		fs_read_cifs_named_sockets($1_t)
--		fs_read_cifs_named_pipes($1_t)
-+		fs_list_cifs_dirs($1_usertype)
-+		fs_read_cifs_files($1_usertype)
-+		fs_read_cifs_symlinks($1_usertype)
-+		fs_read_cifs_named_sockets($1_usertype)
-+		fs_read_cifs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_list_cifs_dirs($1_t)
--		fs_dontaudit_read_cifs_files($1_t)
-+		fs_dontaudit_list_cifs_dirs($1_usertype)
-+		fs_dontaudit_read_cifs_files($1_usertype)
- 	')
- ')
- 
-@@ -269,43 +270,43 @@
- 	#
- 
- 	# full control of the home directory
--	allow $1_t $1_home_t:file entrypoint;
--	manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
--	files_list_home($1_t)
-+	allow $1_usertype $1_home_t:file entrypoint;
-+	manage_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	filetrans_pattern($1_usertype,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-+	files_list_home($1_usertype)
- 
- 	# cjp: this should probably be removed:
--	allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
-+	allow $1_usertype $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
- 
+-
  	tunable_policy(`use_nfs_home_dirs',`
--		fs_manage_nfs_dirs($1_t)
--		fs_manage_nfs_files($1_t)
--		fs_manage_nfs_symlinks($1_t)
--		fs_manage_nfs_named_sockets($1_t)
--		fs_manage_nfs_named_pipes($1_t)
-+		fs_manage_nfs_dirs($1_usertype)
-+		fs_manage_nfs_files($1_usertype)
-+		fs_manage_nfs_symlinks($1_usertype)
-+		fs_manage_nfs_named_sockets($1_usertype)
-+		fs_manage_nfs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_manage_nfs_dirs($1_t)
--		fs_dontaudit_manage_nfs_files($1_t)
-+		fs_dontaudit_manage_nfs_dirs($1_usertype)
-+		fs_dontaudit_manage_nfs_files($1_usertype)
- 	')
- 
- 	tunable_policy(`use_samba_home_dirs',`
--		fs_manage_cifs_dirs($1_t)
--		fs_manage_cifs_files($1_t)
--		fs_manage_cifs_symlinks($1_t)
--		fs_manage_cifs_named_sockets($1_t)
--		fs_manage_cifs_named_pipes($1_t)
-+		fs_manage_cifs_dirs($1_usertype)
-+		fs_manage_cifs_files($1_usertype)
-+		fs_manage_cifs_symlinks($1_usertype)
-+		fs_manage_cifs_named_sockets($1_usertype)
-+		fs_manage_cifs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_manage_cifs_dirs($1_t)
--		fs_dontaudit_manage_cifs_files($1_t)
-+		fs_dontaudit_manage_cifs_dirs($1_usertype)
-+		fs_dontaudit_manage_cifs_files($1_usertype)
- 	')
- ')
- 
-@@ -323,14 +324,14 @@
+ 		fs_list_nfs_dirs($1_t)
+ 		fs_read_nfs_files($1_t)
+@@ -517,10 +517,6 @@
  ## <rolebase/>
  #
- template(`userdom_exec_home_template',`
--	can_exec($1_t,$1_home_t)
-+	can_exec($1_usertype,$1_home_t)
- 
- 	tunable_policy(`use_nfs_home_dirs',`
--		fs_exec_nfs_files($1_t)
-+		fs_exec_nfs_files($1_usertype)
- 	')
- 
- 	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1_t)
-+		fs_exec_cifs_files($1_usertype)
- 	')
- ')
- 
-@@ -348,7 +349,7 @@
- ## <rolebase/>
- #
- template(`userdom_poly_home_template',`
--	type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
-+	type_member $1_usertype $1_home_dir_t:dir $1_home_dir_t;
- 	files_poly($1_home_dir_t)
- 	files_poly_parent($1_home_dir_t)
- 	files_poly_parent($1_home_t)
-@@ -382,12 +383,12 @@
- 	type $1_tmp_t, $1_file_type;
- 	files_tmp_file($1_tmp_t)
- 
--	manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
-+	manage_dirs_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_lnk_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_sock_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_fifo_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	files_tmp_filetrans($1_usertype, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
- ')
- 
- #######################################
-@@ -403,7 +404,7 @@
- ## <rolebase/>
- #
- template(`userdom_exec_tmp_template',`
--	exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-+	exec_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
- ')
- 
- #######################################
-@@ -419,7 +420,7 @@
- ## <rolebase/>
- #
- template(`userdom_poly_tmp_template',`
--	files_poly_member_tmp($1_t,tmp_t)
-+	files_poly_member_tmp($1_usertype,tmp_t)
- ')
- 
- #######################################
-@@ -452,12 +453,12 @@
- 	type $1_tmpfs_t, $1_file_type;
- 	files_tmpfs_file($1_tmpfs_t)
- 
--	manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+	manage_dirs_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_lnk_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_sock_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_fifo_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	fs_tmpfs_filetrans($1_usertype,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
- ')
- 
- #######################################
-@@ -518,10 +519,10 @@
- #
  template(`userdom_exec_generic_pgms_template',`
- 	gen_require(`
+-	gen_require(`
 -		type $1_t;
-+		attribute $1_usertype;
- 	')
- 
--	corecmd_exec_bin($1_t)
-+	corecmd_exec_bin($1_usertype)
+-	')
+-
+ 	corecmd_exec_bin($1_t)
  ')
  
- #######################################
-@@ -539,22 +540,28 @@
+@@ -538,9 +534,6 @@
+ ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
- 	gen_require(`
+-	gen_require(`
 -		type $1_t;
-+		attribute $1_usertype;
- 	')
+-	')
  
--	allow $1_t self:tcp_socket create_stream_socket_perms;
--	allow $1_t self:udp_socket create_socket_perms;
-+	allow $1_usertype self:tcp_socket create_stream_socket_perms;
-+	allow $1_usertype self:udp_socket create_socket_perms;
-+
-+	corenet_all_recvfrom_unlabeled($1_usertype)
-+	corenet_all_recvfrom_netlabel($1_usertype)
-+	corenet_tcp_sendrecv_all_if($1_usertype)
-+	corenet_udp_sendrecv_all_if($1_usertype)
-+	corenet_tcp_sendrecv_all_nodes($1_usertype)
-+	corenet_udp_sendrecv_all_nodes($1_usertype)
-+	corenet_tcp_sendrecv_all_ports($1_usertype)
-+	corenet_udp_sendrecv_all_ports($1_usertype)
-+	corenet_tcp_connect_all_ports($1_usertype)
-+	corenet_sendrecv_all_client_packets($1_usertype)
- 
--	corenet_all_recvfrom_unlabeled($1_t)
--	corenet_all_recvfrom_netlabel($1_t)
--	corenet_tcp_sendrecv_all_if($1_t)
--	corenet_udp_sendrecv_all_if($1_t)
--	corenet_tcp_sendrecv_all_nodes($1_t)
--	corenet_udp_sendrecv_all_nodes($1_t)
--	corenet_tcp_sendrecv_all_ports($1_t)
--	corenet_udp_sendrecv_all_ports($1_t)
--	corenet_tcp_connect_all_ports($1_t)
--	corenet_sendrecv_all_client_packets($1_t)
+ 	allow $1_t self:tcp_socket create_stream_socket_perms;
+ 	allow $1_t self:udp_socket create_socket_perms;
+@@ -555,6 +548,12 @@
+ 	corenet_udp_sendrecv_all_ports($1_t)
+ 	corenet_tcp_connect_all_ports($1_t)
+ 	corenet_sendrecv_all_client_packets($1_t)
++
 +	ifdef(`enable_mls',`
 +		# netlabel/CIPSO labeled networking 
-+		corenet_tcp_recv_netlabel($1_usertype)
-+		corenet_udp_recv_netlabel($1_usertype)
++		corenet_tcp_recv_netlabel($1_t)
++		corenet_udp_recv_netlabel($1_t)
 +	')
  ')
  
  #######################################
-@@ -571,32 +578,29 @@
+@@ -571,32 +570,29 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -10835,30 +10510,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -		# Needed for escd, remove if we get escd policy
 -		xserver_manage_xdm_tmp_files($1_t)
 -	')
-+	dev_rw_xserver_misc($1_usertype)
-+	dev_rw_power_management($1_usertype)
-+	dev_read_input($1_usertype)
-+	dev_read_misc($1_usertype)
-+	dev_write_misc($1_usertype)
++	dev_rw_xserver_misc($1_t)
++	dev_rw_power_management($1_t)
++	dev_read_input($1_t)
++	dev_read_misc($1_t)
++	dev_write_misc($1_t)
 +	# open office is looking for the following
-+	dev_getattr_agp_dev($1_usertype)
-+	dev_dontaudit_rw_dri($1_usertype)
++	dev_getattr_agp_dev($1_t)
++	dev_dontaudit_rw_dri($1_t)
 +	# GNOME checks for usb and other devices:
-+	dev_rw_usbfs($1_usertype)
-+	xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)
-+	xserver_xsession_entry_type($1_usertype)
-+	xserver_dontaudit_write_log($1_usertype)
-+	xserver_stream_connect_xdm($1_usertype)
++	dev_rw_usbfs($1_t)
++	xserver_user_client_template($1,$1_t,$1_tmpfs_t)
++	xserver_xsession_entry_type($1_t)
++	xserver_dontaudit_write_log($1_t)
++	xserver_stream_connect_xdm($1_t)
 +	# certain apps want to read xdm.pid file
-+	xserver_read_xdm_pid($1_usertype)
++	xserver_read_xdm_pid($1_t)
 +	# gnome-session creates socket under /tmp/.ICE-unix/
-+	xserver_create_xdm_tmp_sockets($1_usertype)
++	xserver_create_xdm_tmp_sockets($1_t)
 +	# Needed for escd, remove if we get escd policy
-+	xserver_manage_xdm_tmp_files($1_usertype)
++	xserver_manage_xdm_tmp_files($1_t)
  ')
  
  #######################################
-@@ -672,281 +676,335 @@
+@@ -672,67 +668,39 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -10898,95 +10573,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	allow $1_t self:context contains;
 -
  	# evolution and gnome-session try to create a netlink socket
--	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
--	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+	dontaudit $1_usertype self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-+	dontaudit $1_usertype self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
--	allow $1_t unpriv_userdomain:fd use;
-+	allow $1_usertype unpriv_userdomain:fd use;
+ 	allow $1_t unpriv_userdomain:fd use;
  
 -	kernel_read_system_state($1_t)
 -	kernel_read_network_state($1_t)
 -	kernel_read_net_sysctls($1_t)
  	# Very permissive allowing every domain to see every type:
--	kernel_get_sysvipc_info($1_t)
+ 	kernel_get_sysvipc_info($1_t)
 -	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
--
--	corenet_udp_bind_all_nodes($1_t)
--	corenet_udp_bind_generic_port($1_t)
-+	kernel_get_sysvipc_info($1_usertype)
+ 
+ 	corenet_udp_bind_all_nodes($1_t)
+ 	corenet_udp_bind_generic_port($1_t)
  
 -	dev_read_sysfs($1_t)
--	dev_read_rand($1_t)
+ 	dev_read_rand($1_t)
 -	dev_read_urand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
-+	corenet_udp_bind_all_nodes($1_usertype)
-+	corenet_udp_bind_generic_port($1_usertype)
+ 	dev_write_sound($1_t)
+ 	dev_read_sound($1_t)
+ 	dev_read_sound_mixer($1_t)
+ 	dev_write_sound_mixer($1_t)
  
 -	domain_use_interactive_fds($1_t)
 -	# Command completion can fire hundreds of denials
 -	domain_dontaudit_exec_all_entry_files($1_t)
-+	dev_read_rand($1_usertype)
-+	dev_write_sound($1_usertype)
-+	dev_read_sound($1_usertype)
-+	dev_read_sound_mixer($1_usertype)
-+	dev_write_sound_mixer($1_usertype)
- 
--	files_exec_etc_files($1_t)
--	files_search_locks($1_t)
-+	files_exec_etc_files($1_usertype)
-+	files_search_locks($1_usertype)
+-
+ 	files_exec_etc_files($1_t)
+ 	files_search_locks($1_t)
  	# Check to see if cdrom is mounted
--	files_search_mnt($1_t)
-+	files_search_mnt($1_usertype)
- 	# cjp: perhaps should cut back on file reads:
--	files_read_var_files($1_t)
--	files_read_var_symlinks($1_t)
--	files_read_generic_spool($1_t)
--	files_read_var_lib_files($1_t)
-+	files_read_var_files($1_usertype)
-+	files_read_var_symlinks($1_usertype)
-+	files_read_generic_spool($1_usertype)
-+	files_read_var_lib_files($1_usertype)
+@@ -745,12 +713,6 @@
  	# Stat lost+found.
--	files_getattr_lost_found_dirs($1_t)
--
+ 	files_getattr_lost_found_dirs($1_t)
+ 
 -	fs_get_all_fs_quotas($1_t)
 -	fs_getattr_all_fs($1_t)
 -	fs_getattr_all_dirs($1_t)
 -	fs_search_auto_mountpoints($1_t)
 -	fs_list_inotifyfs($1_t)
-+	files_getattr_lost_found_dirs($1_usertype)
- 
- 	# cjp: some of this probably can be removed
--	selinux_get_fs_mount($1_t)
--	selinux_validate_context($1_t)
--	selinux_compute_access_vector($1_t)
--	selinux_compute_create_context($1_t)
--	selinux_compute_relabel_context($1_t)
--	selinux_compute_user_contexts($1_t)
-+	selinux_get_fs_mount($1_usertype)
-+	selinux_validate_context($1_usertype)
-+	selinux_compute_access_vector($1_usertype)
-+	selinux_compute_create_context($1_usertype)
-+	selinux_compute_relabel_context($1_usertype)
-+	selinux_compute_user_contexts($1_usertype)
- 
- 	# for eject
--	storage_getattr_fixed_disk_dev($1_t)
 -
--	auth_read_login_records($1_t)
+ 	# cjp: some of this probably can be removed
+ 	selinux_get_fs_mount($1_t)
+ 	selinux_validate_context($1_t)
+@@ -763,31 +725,16 @@
+ 	storage_getattr_fixed_disk_dev($1_t)
+ 
+ 	auth_read_login_records($1_t)
 -	auth_dontaudit_write_login_records($1_t)
--	auth_search_pam_console_data($1_t)
--	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
--	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
--
--	init_read_utmp($1_t)
+ 	auth_search_pam_console_data($1_t)
+ 	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ 	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++	auth_run_upd_passwd($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++	auth_read_key($1_t)
+ 
+ 	init_read_utmp($1_t)
 -	# The library functions always try to open read-write first,
 -	# then fall back to read-only if it fails. 
 -	init_dontaudit_write_utmp($1_t)
@@ -10995,80 +10637,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	init_dontaudit_use_script_fds($1_t)
 -
 -	libs_exec_lib_files($1_t)
-+	storage_getattr_fixed_disk_dev($1_usertype)
- 
+-
 -	logging_dontaudit_getattr_all_logs($1_t)
 -
 -	miscfiles_read_man_pages($1_t)
 -	# for running TeX programs
 -	miscfiles_read_tetex_data($1_t)
 -	miscfiles_exec_tetex_data($1_t)
--
--	seutil_read_file_contexts($1_t)
--	seutil_read_default_contexts($1_t)
+ 
+ 	seutil_read_file_contexts($1_t)
+ 	seutil_read_default_contexts($1_t)
 -	seutil_read_config($1_t)
--	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
--	seutil_exec_checkpolicy($1_t)
--	seutil_exec_setfiles($1_t)
-+	auth_read_login_records($1_usertype)
-+	auth_search_pam_console_data($1_usertype)
-+	auth_run_pam($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t })
-+	auth_run_utempter($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t })
-+	auth_run_upd_passwd($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t })
-+	auth_read_key($1_usertype)
-+
-+	init_read_utmp($1_usertype)
-+
-+	seutil_read_file_contexts($1_usertype)
-+	seutil_read_default_contexts($1_usertype)
-+	seutil_run_newrole($1_usertype,$1_r,{ $1_devpts_t $1_tty_device_t })
-+	seutil_exec_checkpolicy($1_usertype)
-+	seutil_exec_setfiles($1_usertype)
- 	# for when the network connection is killed
- 	# this is needed when a login role can change
- 	# to this one.
--	seutil_dontaudit_signal_newrole($1_t)
-+	seutil_dontaudit_signal_newrole($1_usertype)
- 
- 	tunable_policy(`read_default_t',`
--		files_list_default($1_t)
--		files_read_default_files($1_t)
--		files_read_default_symlinks($1_t)
--		files_read_default_sockets($1_t)
--		files_read_default_pipes($1_t)
+ 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ 	seutil_exec_checkpolicy($1_t)
+ 	seutil_exec_setfiles($1_t)
+@@ -802,19 +749,12 @@
+ 		files_read_default_symlinks($1_t)
+ 		files_read_default_sockets($1_t)
+ 		files_read_default_pipes($1_t)
 -	',`
 -		files_dontaudit_list_default($1_t)
 -		files_dontaudit_read_default_files($1_t)
-+		files_list_default($1_usertype)
-+		files_read_default_files($1_usertype)
-+		files_read_default_symlinks($1_usertype)
-+		files_read_default_sockets($1_usertype)
-+		files_read_default_pipes($1_usertype)
  	')
  
  	tunable_policy(`user_direct_mouse',`
--		dev_read_mouse($1_t)
--	')
--
--	tunable_policy(`user_ttyfile_stat',`
--		term_getattr_all_user_ttys($1_t)
-+		dev_read_mouse($1_usertype)
- 	')
- 
- 	optional_policy(`
--		alsa_read_rw_config($1_t)
-+		alsa_read_rw_config($1_usertype)
+ 		dev_read_mouse($1_t)
  	')
  
+-	tunable_policy(`user_ttyfile_stat',`
+-		term_getattr_all_user_ttys($1_t)
+-	')
+-
  	optional_policy(`
- 		# Allow graphical boot to check battery lifespan
--		apm_stream_connect($1_t)
-+		apm_stream_connect($1_usertype)
+ 		alsa_read_rw_config($1_t)
  	')
- 
- 	optional_policy(`
--		canna_stream_connect($1_t)
-+		canna_stream_connect($1_usertype)
+@@ -829,34 +769,14 @@
  	')
  
  	optional_policy(`
@@ -11077,23 +10680,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	')
 -
 -	optional_policy(`
--		allow $1_t self:dbus send_msg;
--		dbus_system_bus_client_template($1,$1_t)
-+		allow $1_usertype self:dbus send_msg;
-+		dbus_system_bus_client_template($1,$1_usertype)
+ 		allow $1_t self:dbus send_msg;
+ 		dbus_system_bus_client_template($1,$1_t)
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			evolution_dbus_chat($1,$1_usertype)
-+			evolution_alarm_dbus_chat($1,$1_usertype)
- 		')
- 
--		optional_policy(`
--			evolution_dbus_chat($1,$1_t)
--			evolution_alarm_dbus_chat($1,$1_t)
 -		')
 -
 -		optional_policy(`
+ 			evolution_dbus_chat($1,$1_t)
+ 			evolution_alarm_dbus_chat($1,$1_t)
+ 		')
+ 
+-		optional_policy(`
 -			cups_dbus_chat_config($1_t)
 -		')
 -
@@ -11107,45 +10706,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
--		inetd_use_fds($1_t)
--		inetd_rw_tcp_sockets($1_t)
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
- 	')
- 
- 	optional_policy(`
--		inn_read_config($1_t)
--		inn_read_news_lib($1_t)
--		inn_read_news_spool($1_t)
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
- 	')
- 
- 	optional_policy(`
--		locate_read_lib_files($1_t)
-+		locate_read_lib_files($1_usertype)
+@@ -884,17 +804,19 @@
  	')
  
- 	# for running depmod as part of the kernel packaging process
  	optional_policy(`
--		modutils_read_module_config($1_t)
-+		modutils_read_module_config($1_usertype)
- 	')
- 
- 	optional_policy(`
--		mta_rw_spool($1_t)
+-		nis_use_ypbind($1_t)
 -	')
 -
 -	optional_policy(`
--		nis_use_ypbind($1_t)
-+		mta_rw_spool($1_usertype)
- 	')
- 
- 	optional_policy(`
  		tunable_policy(`allow_user_mysql_connect',`
--			mysql_stream_connect($1_t)
-+			mysql_stream_connect($1_usertype)
+ 			mysql_stream_connect($1_t)
  		')
  	')
  
@@ -11153,53 +10723,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -		nscd_socket_use($1_t)
 +	 optional_policy(`
 +	          tunable_policy(`allow_user_postgresql_connect',`
-+			postgresql_stream_connect($1_usertype)
++			postgresql_stream_connect($1_t)
 +		  ')
 +        ')
 +
 +	tunable_policy(`user_ttyfile_stat',`
-+		term_getattr_all_user_ttys($1_usertype)
++		term_getattr_all_user_ttys($1_t)
  	')
  
  	optional_policy(`
- 		# to allow monitoring of pcmcia status
--		pcmcia_read_pid($1_t)
-+		pcmcia_read_pid($1_usertype)
- 	')
- 
- 	optional_policy(`
--		pcscd_read_pub_files($1_t)
--		pcscd_stream_connect($1_t)
-+		pcscd_read_pub_files($1_usertype)
-+		pcscd_stream_connect($1_usertype)
+@@ -908,39 +830,210 @@
  	')
  
  	optional_policy(`
 -		tunable_policy(`allow_user_postgresql_connect',`
 -			postgresql_stream_connect($1_t)
 -		')
-+		resmgr_stream_connect($1_usertype)
++		resmgr_stream_connect($1_t)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		rpc_dontaudit_getattr_exports($1_usertype)
-+		rpc_manage_nfs_rw_content($1_usertype)
++		rpc_dontaudit_getattr_exports($1_t)
++		rpc_manage_nfs_rw_content($1_t)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		samba_stream_connect_winbind($1_t)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		slrnpull_search_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		usernetctl_run($1_usertype,$1_r,{ $1_devpts_t $1_tty_device_t })
++		slrnpull_search_spool($1_t)
+ 	')
+ 
+ 	optional_policy(`
+-		rpm_read_db($1_t)
+-		rpm_dontaudit_manage_db($1_t)
++		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 +	')
 +')
 +
@@ -11224,8 +10787,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +template(`userdom_privhome_user_template',`
 +	gen_require(`
 +		type $1_home_dir_t,  $1_home_t;
- 	')
- 
++	')
++
 +	# privileged home directory writers
 +	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 +	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
@@ -11267,140 +10830,90 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	role $1_r types $1_t;
 +	allow system_r $1_r;
 +
-+	allow $1_usertype self:capability { setgid chown fowner };
-+	dontaudit $1_usertype self:capability { sys_nice fsetid };
++	allow $1_t self:capability { setgid chown fowner };
++	dontaudit $1_t self:capability { sys_nice fsetid };
 +
-+	allow $1_usertype self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
-+	dontaudit $1_usertype self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
++	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 +
-+	allow $1_usertype self:context contains;
++	allow $1_t self:context contains;
 +
 +	##############################
 +	#
 +	# User domain Local policy
 +	#
 +
-+	auth_dontaudit_write_login_records($1_usertype)
++	auth_dontaudit_write_login_records($1_t)
 +
 +	# Find CDROM devices:
-+	kernel_read_device_sysctls($1_usertype)
-+	kernel_read_network_state($1_usertype)
-+	kernel_read_net_sysctls($1_usertype)
-+	kernel_read_system_state($1_usertype)
++	kernel_read_device_sysctls($1_t)
++	kernel_read_network_state($1_t)
++	kernel_read_net_sysctls($1_t)
++	kernel_read_system_state($1_t)
 +
-+	dev_read_sysfs($1_usertype)
-+	dev_read_urand($1_usertype)
++	dev_read_sysfs($1_t)
++	dev_read_urand($1_t)
 +
 +	domain_use_interactive_fds($1_t)
 +	# Command completion can fire hundreds of denials
-+	domain_dontaudit_exec_all_entry_files($1_usertype)
++	domain_dontaudit_exec_all_entry_files($1_t)
 +
 +	# Stat lost+found.
-+	files_getattr_lost_found_dirs($1_usertype)
++	files_getattr_lost_found_dirs($1_t)
 +
-+	fs_get_all_fs_quotas($1_usertype)
-+	fs_getattr_all_fs($1_usertype)
-+	fs_getattr_all_dirs($1_usertype)
-+	fs_search_auto_mountpoints($1_usertype)
-+	fs_list_inotifyfs($1_usertype)
++	fs_get_all_fs_quotas($1_t)
++	fs_getattr_all_fs($1_t)
++	fs_getattr_all_dirs($1_t)
++	fs_search_auto_mountpoints($1_t)
++	fs_list_inotifyfs($1_t)
 +
 +	# Stop warnings about access to /dev/console
-+	init_dontaudit_rw_utmp($1_usertype)
-+	init_dontaudit_use_fds($1_usertype)
-+	init_dontaudit_use_script_fds($1_usertype)
++	init_dontaudit_rw_utmp($1_t)
++	init_dontaudit_use_fds($1_t)
++	init_dontaudit_use_script_fds($1_t)
 +
-+	libs_exec_lib_files($1_usertype)
++	libs_exec_lib_files($1_t)
 +
-+	logging_dontaudit_getattr_all_logs($1_usertype)
++	logging_dontaudit_getattr_all_logs($1_t)
 +
-+	miscfiles_read_man_pages($1_usertype)
++	miscfiles_read_man_pages($1_t)
 +	# for running TeX programs
-+	miscfiles_read_tetex_data($1_usertype)
-+	miscfiles_exec_tetex_data($1_usertype)
++	miscfiles_read_tetex_data($1_t)
++	miscfiles_exec_tetex_data($1_t)
 +
-+	seutil_read_config($1_usertype)
++	seutil_read_config($1_t)
 +
-+	files_dontaudit_list_default($1_usertype)
-+	files_dontaudit_read_default_files($1_usertype)
++	files_dontaudit_list_default($1_t)
++	files_dontaudit_read_default_files($1_t)
 +
 +	userdom_poly_home_template($1)
 +	userdom_poly_tmp_template($1)
 +
- 	optional_policy(`
--		rpm_read_db($1_t)
--		rpm_dontaudit_manage_db($1_t)
-+		cups_stream_connect($1_usertype)
-+		cups_stream_connect_ptal($1_usertype)
++	optional_policy(`
++		cups_stream_connect($1_t)
++		cups_stream_connect_ptal($1_t)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		kerberos_use($1_usertype)
++		kerberos_use($1_t)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
- 	')
- 
- 	optional_policy(`
--		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
- 	')
- ')
- 
-+
- #######################################
- ## <summary>
--##	The template for creating a unprivileged user.
-+##	The template for creating a unprivileged login user.
- ## </summary>
- ## <desc>
- ##	<p>
-@@ -962,21 +1020,16 @@
- ##	</summary>
- ## </param>
- #
--template(`userdom_unpriv_user_template', `
--
-+template(`userdom_unpriv_login_user', `
- 	gen_require(`
-+		attribute unpriv_userdomain;
- 		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
- 	')
--
--	##############################
--	#
--	# Declarations
--	#
--
--	# Inherit rules for ordinary users.
--	userdom_common_user_template($1)
-+	userdom_login_user_template($1)
-+	userdom_privhome_user_template($1)
- 
- 	typeattribute $1_t unpriv_userdomain;
-+
- 	domain_interactive_fd($1_t)
- 
- 	typeattribute $1_devpts_t user_ptynode;
-@@ -985,36 +1038,68 @@
- 	typeattribute $1_tmp_t user_tmpfile;
- 	typeattribute $1_tty_device_t user_ttynode;
- 
--	userdom_poly_home_template($1)
--	userdom_poly_tmp_template($1)
-+	auth_exec_pam($1_t)
++		quota_dontaudit_getattr_db($1_t)
++	')
 +
 +	optional_policy(`
-+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-+	')
++		rpm_read_db($1_t)
++		rpm_dontaudit_manage_db($1_t)
+ 	')
 +')
 +
++
 +#######################################
 +## <summary>
-+##	The template for creating a unprivileged user.
++##	The template for creating a unprivileged login user.
 +## </summary>
 +## <desc>
 +##	<p>
@@ -11416,78 +10929,85 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_unpriv_user_template', `
++template(`userdom_unpriv_login_user', `
++	gen_require(`
++		attribute unpriv_userdomain;
++		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
++	')
++	userdom_login_user_template($1)
++	userdom_privhome_user_template($1)
++
++	typeattribute $1_t unpriv_userdomain;
++
++	domain_interactive_fd($1_t)
 +
++	typeattribute $1_devpts_t user_ptynode;
++	typeattribute $1_home_dir_t user_home_dir_type;
++	typeattribute $1_home_t user_home_type;
++	typeattribute $1_tmp_t user_tmpfile;
++	typeattribute $1_tty_device_t user_ttynode;
++
++	auth_exec_pam($1_t)
+ 
+ 	optional_policy(`
+-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
++		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ 	')
+ ')
+ 
+@@ -964,9 +1057,7 @@
+ #
+ template(`userdom_unpriv_user_template', `
+ 
+-	gen_require(`
+-		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
+-	')
 +	userdom_unpriv_login_user($1)
  
  	##############################
  	#
--	# Local policy
-+	# Declarations
+@@ -976,25 +1067,11 @@
+ 	# Inherit rules for ordinary users.
+ 	userdom_common_user_template($1)
+ 
+-	typeattribute $1_t unpriv_userdomain;
+-	domain_interactive_fd($1_t)
+-
+-	typeattribute $1_devpts_t user_ptynode;
+-	typeattribute $1_home_dir_t user_home_dir_type;
+-	typeattribute $1_home_t user_home_type;
+-	typeattribute $1_tmp_t user_tmpfile;
+-	typeattribute $1_tty_device_t user_ttynode;
+-
+-	userdom_poly_home_template($1)
+-	userdom_poly_tmp_template($1)
+-
+ 	##############################
+ 	#
+ 	# Local policy
  	#
  
 -	corecmd_exec_all_executables($1_t)
-+	# Inherit rules for ordinary users.
-+	userdom_common_user_template($1)
-+
-+	##############################
-+	#
-+	# Local policy
-+	#
- 
+-
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
--	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+	corenet_dontaudit_tcp_bind_all_reserved_ports($1_usertype)
+ 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  	# Need the following rule to allow users to run vpnc
--	corenet_tcp_bind_xserver_port($1_t)
-+	corenet_tcp_bind_xserver_port($1_usertype)
- 
--	files_exec_usr_files($1_t)
-+	files_exec_usr_files($1_usertype)
- 	# cjp: why?
--	files_read_kernel_symbol_table($1_t)
-+	files_read_kernel_symbol_table($1_usertype)
- 
- 	ifndef(`enable_mls',`
--		fs_exec_noxattr($1_t)
-+		fs_exec_noxattr($1_usertype)
- 
- 		tunable_policy(`user_rw_noexattrfile',`
--			fs_manage_noxattr_fs_files($1_t)
--			fs_manage_noxattr_fs_dirs($1_t)
-+			fs_manage_noxattr_fs_files($1_usertype)
-+			fs_manage_noxattr_fs_dirs($1_usertype)
- 			# Write floppies 
--			storage_raw_read_removable_device($1_t)
--			storage_raw_write_removable_device($1_t)
-+			storage_raw_read_removable_device($1_usertype)
-+			storage_raw_write_removable_device($1_usertype)
- 		',`
--			storage_raw_read_removable_device($1_t)
-+			storage_raw_read_removable_device($1_usertype)
- 		')
+@@ -1033,14 +1110,6 @@
  	')
  
-@@ -1028,16 +1113,8 @@
- 	# the same domain and outside users)  disabling this forces FTP passive mode
- 	# and may change other protocols
- 	tunable_policy(`user_tcp_server',`
--		corenet_tcp_bind_all_nodes($1_t)
--		corenet_tcp_bind_generic_port($1_t)
+ 	optional_policy(`
+-		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
--		kerberos_use($1_t)
+-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 -	')
 -
 -	optional_policy(`
--		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-+		corenet_tcp_bind_all_nodes($1_usertype)
-+		corenet_tcp_bind_generic_port($1_usertype)
+ 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  	')
- 
- 	optional_policy(`
-@@ -1054,17 +1131,6 @@
+@@ -1054,17 +1123,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -11505,7 +11025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1102,6 +1168,8 @@
+@@ -1102,6 +1160,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -11514,7 +11034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1195,7 @@
+@@ -1127,7 +1187,7 @@
  	# $1_t local policy
  	#
  
@@ -11523,7 +11043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,8 +1207,6 @@
+@@ -1139,8 +1199,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -11532,7 +11052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1902,6 +1968,41 @@
+@@ -1902,6 +1960,41 @@
  
  ########################################
  ## <summary>
@@ -11574,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -3078,7 +3179,7 @@
+@@ -3078,7 +3171,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -11583,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5424,7 @@
+@@ -5323,7 +5416,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -11592,7 +11112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5548,6 +5649,26 @@
+@@ -5548,6 +5641,26 @@
  
  ########################################
  ## <summary>
@@ -11619,7 +11139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Unconfined access to user domains.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5680,234 @@
+@@ -5559,3 +5672,233 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -11788,14 +11308,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +# Should be optional but policy will not build because of compiler problems
 +# Must be before xwindows calls
 +#optional_policy(`
-+	gnome_per_role_template($1, $1_usertype, $1_r)
++	gnome_per_role_template($1, $1_t, $1_r)
 +	gnome_exec_gconf($1_t)
 +#')
 +
 +userdom_xwindows_client_template($1)
-+allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto };
 +
-+logging_send_syslog_msg($1_usertype)
++logging_send_syslog_msg($1_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config($1_t)
@@ -11803,13 +11322,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +authlogin_per_role_template($1, $1_t, $1_r)
 +
-+dev_read_sound($1_usertype)
-+dev_write_sound($1_usertype)
++dev_read_sound($1_t)
++dev_write_sound($1_t)
 +
 +optional_policy(`
-+	dbus_per_role_template($1, $1_usertype, $1_r)
-+	dbus_system_bus_client_template($1, $1_usertype)
-+	allow $1_usertype self:dbus send_msg;
++	dbus_per_role_template($1, $1_t, $1_r)
++	dbus_system_bus_client_template($1, $1_t)
++	allow $1_t self:dbus send_msg;
 +')
 +
 +optional_policy(`
@@ -11829,7 +11348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 +
 +# gnome keyring wants to read this. Needs to be exlicitly granted
-+dev_dontaudit_read_rand($1_usertype)
++dev_dontaudit_read_rand($1_t)
 +
 +')
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a52c8db..2c3b1f7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-5
+- Add ntpd_key_t to handle secret data
+
 * Fri Jul 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-4
 - Add anon_inodefs
 - Allow unpriv user exec pam_exec_t