From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 04 Mar 2009 13:05:13 -0500
Subject: [refpolicy] system_userdomain.patch
Message-ID: <49AEC2D9.1030800@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch

The biggest change in this patch is the addition of the $1_usertype. Instead of using $1_t for all user access, I use $1_usertype. This allows me to make $1_java_t == $1_t + { execmem execstack }. Similar for $1_mono_t.

Changed many templates to interfaces, since they were not defining new types.

Added labeling for symbolic links of homedirs.

Labeling for /dev/shm files.

My labeling of /root added userhomereader attribute in order to allow tunables within tunables.

Added user_home_type handling so we can define additional types to the home dir and still allow users to manage them. (ssh_home_t for example.)

Removed a couple of old booleans that really do not make sense.

user_dmesg? Should be only applied to a particular type staff_t maybe, not all users. guest_t will never run dmesg.