@@ -34649,7 +34746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1183,6 @@ +@@ -1164,7 +1179,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -34657,7 +34754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1182,32 +1200,45 @@ +@@ -1182,32 +1196,45 @@ ') ') @@ -34715,7 +34812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1315,6 @@ +@@ -1284,8 +1311,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -34724,7 +34821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1336,6 @@ +@@ -1307,8 +1332,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -34733,7 +34830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1390,6 @@ +@@ -1363,13 +1386,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -34747,7 +34844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1442,7 @@ +@@ -1422,6 +1438,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -34755,7 +34852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1808,14 @@ +@@ -1787,10 +1804,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -34771,7 +34868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1911,11 @@ +@@ -1886,11 +1907,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -34785,7 +34882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1945,11 @@ +@@ -1920,11 +1941,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -34799,7 +34896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1993,12 @@ +@@ -1968,12 +1989,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -34815,7 +34912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2028,11 @@ +@@ -2003,10 +2024,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -34829,7 +34926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2064,48 @@ +@@ -2038,11 +2060,48 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -34880,7 +34977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2137,10 @@ +@@ -2074,10 +2133,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -34893,7 +34990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2170,11 @@ +@@ -2107,11 +2166,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -34907,7 +35004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2204,11 @@ +@@ -2141,11 +2200,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -34922,7 +35019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2238,14 @@ +@@ -2175,10 +2234,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -34939,7 +35036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2275,11 @@ +@@ -2208,11 +2271,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -34953,7 +35050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2309,11 @@ +@@ -2242,11 +2305,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -34967,7 +35064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2343,10 @@ +@@ -2276,10 +2339,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -34980,7 +35077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2378,12 @@ +@@ -2311,12 +2374,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -34996,7 +35093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2415,10 @@ +@@ -2348,10 +2411,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -35009,7 +35106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2450,12 @@ +@@ -2383,12 +2446,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -35025,7 +35122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2487,12 @@ +@@ -2420,12 +2483,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -35041,7 +35138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2524,12 @@ +@@ -2457,12 +2520,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -35057,7 +35154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2574,11 @@ +@@ -2507,11 +2570,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -35071,7 +35168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2623,11 @@ +@@ -2556,11 +2619,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -35085,7 +35182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2667,11 @@ +@@ -2600,11 +2663,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -35099,7 +35196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2701,11 @@ +@@ -2634,11 +2697,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -35113,7 +35210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2735,11 @@ +@@ -2668,11 +2731,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -35127,7 +35224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2771,10 @@ +@@ -2704,10 +2767,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -35140,7 +35237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2806,10 @@ +@@ -2739,10 +2802,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -35153,7 +35250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2839,12 @@ +@@ -2772,12 +2835,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -35169,7 +35266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2876,10 @@ +@@ -2809,10 +2872,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -35182,7 +35279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2911,48 @@ +@@ -2844,10 +2907,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -35233,7 +35330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2982,12 @@ +@@ -2877,12 +2978,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -35249,7 +35346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3019,10 @@ +@@ -2914,10 +3015,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -35262,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3054,12 @@ +@@ -2949,12 +3050,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -35278,7 +35375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3091,11 @@ +@@ -2986,11 +3087,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -35292,7 +35389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3127,11 @@ +@@ -3022,11 +3123,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -35306,7 +35403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3163,11 @@ +@@ -3058,11 +3159,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -35320,7 +35417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3199,11 @@ +@@ -3094,11 +3195,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -35334,7 +35431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3235,11 @@ +@@ -3130,11 +3231,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -35348,7 +35445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3284,10 @@ +@@ -3179,10 +3280,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -35361,7 +35458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3328,10 @@ +@@ -3223,10 +3324,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -35374,7 +35471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3359,24 @@ +@@ -3254,24 +3355,24 @@ ## ## # @@ -35403,7 +35500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##
##
## This is a templated interface, and should only
-@@ -3290,17 +3395,89 @@
+@@ -3290,12 +3391,84 @@
##
##
#
@@ -35419,11 +35516,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
- ')
-
- ########################################
- ##