X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=policy%2Fmodules%2Fsystem%2Fuserdomain.if;h=db35b2e9b93284ed366bfa5068b010d7eadd63ea;hb=f5fe855dd86a1a5395d174f2e7e1c379595f618d;hp=018d762e467abd69dd40409a94bd160e86daea4e;hpb=bf764d18b718eab91665f1402f35d27fa1b541be;p=people%2Fstevee%2Fselinux-policy.git

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 018d762e..db35b2e9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -34,6 +34,7 @@ template(`userdom_base_user_template',`
 
 	type $1_t, userdomain, $1_usertype;
 	domain_type($1_t)
+	role $1_r;
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
@@ -46,7 +47,10 @@ template(`userdom_base_user_template',`
 	term_user_tty($1_t, user_tty_device_t)
 	term_dontaudit_getattr_generic_ptys($1_t)
 
-	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+	tunable_policy(`deny_ptrace',`',`
+		allow $1_usertype $1_usertype:process ptrace;
+	')
 	allow $1_usertype $1_usertype:fd use;
 	allow $1_usertype $1_t:key { create view read write search link setattr };
 
@@ -95,6 +99,7 @@ template(`userdom_base_user_template',`
 
 	files_read_etc_files($1_usertype)
 	files_list_mnt($1_usertype)
+	files_list_var($1_usertype)
 	files_read_mnt_files($1_usertype)
 	files_dontaudit_access_check_mnt($1_usertype)
 	files_read_etc_runtime_files($1_usertype)
@@ -123,7 +128,7 @@ template(`userdom_base_user_template',`
 
 	storage_rw_fuse($1_usertype)
 
-	auth_use_nsswitch($1_usertype)
+	auth_use_nsswitch($1_t)
 
 	init_stream_connect($1_usertype)
 	# The library functions always try to open read-write first,
@@ -142,12 +147,14 @@ template(`userdom_base_user_template',`
 	miscfiles_read_man_pages($1_usertype)
 	miscfiles_read_public_files($1_usertype)
 
-	tunable_policy(`allow_execmem',`
+	systemd_dbus_chat_logind($1_usertype)
+
+	tunable_policy(`deny_execmem',`', `
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
 	')
 
-	tunable_policy(`allow_execmem && allow_execstack',`
+	tunable_policy(`allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
@@ -277,6 +284,8 @@ interface(`userdom_manage_home_role',`
 	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
 	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
 	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+	userdom_filetrans_home_content($2)
+
 	files_list_home($2)
 
 	# cjp: this should probably be removed:
@@ -548,8 +557,8 @@ template(`userdom_change_password_template',`
 	')
 
 	optional_policy(`
-		usermanage_run_chfn($1_t, $1_r)
-		usermanage_run_passwd($1_t, $1_r)
+		usermanage_run_chfn($1_t,$1_r)
+		usermanage_run_passwd($1_t,$1_r)
 	')
 ')
 
@@ -643,11 +652,11 @@ template(`userdom_common_user_template',`
 	# for eject
 	storage_getattr_fixed_disk_dev($1_usertype)
 
-	auth_use_nsswitch($1_t)
-	auth_read_login_records($1_t)
-	auth_search_pam_console_data($1_t)
-	auth_run_pam($1_t, $1_r)
-	auth_run_utempter($1_t, $1_r)
+	auth_read_login_records($1_usertype)
+	auth_run_pam($1_t,$1_r)
+	auth_run_utempter($1_t,$1_r)
+	auth_filetrans_admin_home_content($1_t)
+	auth_filetrans_home_content($1_t)
 
 	init_read_utmp($1_usertype)
 
@@ -669,12 +678,6 @@ template(`userdom_common_user_template',`
 		term_getattr_all_ttys($1_t)
 	')
 
-	optional_policy(`
-		alsa_read_rw_config($1_usertype)
-		alsa_manage_home_files($1_t)
-		alsa_relabel_home_files($1_t)
-	')
-
 	optional_policy(`
 		# Allow graphical boot to check battery lifespan
 		apm_stream_connect($1_usertype)
@@ -684,10 +687,6 @@ template(`userdom_common_user_template',`
 		canna_stream_connect($1_usertype)
 	')
 
-	optional_policy(`
-		chrome_role($1_r, $1_usertype)
-	')
-
 	optional_policy(`
 		colord_read_lib_files($1_usertype)
 	')
@@ -720,11 +719,6 @@ template(`userdom_common_user_template',`
 			devicekit_dbus_chat_disk($1_usertype)
 		')
 
-		optional_policy(`
-			evolution_dbus_chat($1_usertype)
-			evolution_alarm_dbus_chat($1_usertype)
-		')
-
 		optional_policy(`
 			gnome_dbus_chat_gconfdefault($1_usertype)
 		')
@@ -785,10 +779,6 @@ template(`userdom_common_user_template',`
 		mta_filetrans_home_content($1_usertype)
 	')
 
-	optional_policy(`
-		nsplugin_role($1_r, $1_usertype)
-	')
-
 	optional_policy(`
 		tunable_policy(`allow_user_mysql_connect',`
 			mysql_stream_connect($1_t)
@@ -840,13 +830,11 @@ template(`userdom_common_user_template',`
 
 	optional_policy(`
 		seunshare_role_template($1, $1_r, $1_t)
-		usernetctl_run($1_t, $1_r)
 	')
 
 	optional_policy(`
 		slrnpull_search_spool($1_usertype)
 	')
-
 ')
 
 #######################################
@@ -905,7 +893,7 @@ template(`userdom_login_user_template', `
 	allow $1_t self:capability { setgid chown fowner };
 	dontaudit $1_t self:capability { sys_nice fsetid };
 
-	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+	allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 	dontaudit $1_t self:process setrlimit;
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
@@ -936,10 +924,10 @@ template(`userdom_login_user_template', `
 	auth_rw_cache($1_t)
 
 	application_exec_all($1_t)
-
 	# The library functions always try to open read-write first,
 	# then fall back to read-only if it fails.
 	init_dontaudit_rw_utmp($1_t)
+
 	# Stop warnings about access to /dev/console
 	init_dontaudit_use_fds($1_usertype)
 	init_dontaudit_use_script_fds($1_usertype)
@@ -1104,9 +1092,7 @@ template(`userdom_restricted_xwindows_user_template',`
 	 # bug: #682499
 	 optional_policy(`
 	 	gnome_read_usr_config($1_usertype)
-		gnome_role_gkeyringd($1, $1_r, $1_t)
-		# cjp: telepathy F15 bugs
-		telepathy_role($1_r, $1_t, $1)
+		gnome_role_gkeyringd($1, $1_r, $1_usertype)
 	')
 
 	optional_policy(`
@@ -1140,10 +1126,6 @@ template(`userdom_restricted_xwindows_user_template',`
 		')
 	')
 
-	optional_policy(`
-		openoffice_role_template($1, $1_r, $1_usertype)
-	')
-
 	optional_policy(`
 		policykit_role($1_r, $1_usertype)
 	')
@@ -1219,7 +1201,7 @@ template(`userdom_unpriv_user_template', `
 	storage_rw_fuse($1_t)
 
 	files_exec_usr_files($1_t)
-	# cjp: why?
+   # cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
 	ifndef(`enable_mls',`
@@ -1262,10 +1244,6 @@ template(`userdom_unpriv_user_template', `
 		cron_role($1_r, $1_t)
 	')
 
-	optional_policy(`
-		games_rw_data($1_usertype)
-	')
-
 	optional_policy(`
 		gpg_role($1_r, $1_usertype)
 	')
@@ -1278,25 +1256,6 @@ template(`userdom_unpriv_user_template', `
 		gpm_stream_connect($1_usertype)
 	')
 
-	optional_policy(`
-		execmem_role_template($1, $1_r, $1_t)
-	')
-
-	optional_policy(`
-		java_role_template($1, $1_r, $1_t)
-
-	optional_policy(`
-		netutils_run_ping_cond($1_t, $1_r)
-		netutils_run_traceroute_cond($1_t, $1_r)
-	')
-
-	optional_policy(`
-		mono_role_template($1, $1_r, $1_t)
-
-	optional_policy(`
-		ppp_run_cond($1_t, $1_r)
-	')
-
 	optional_policy(`
 		mount_run_fusermount($1_t, $1_r)
 		mount_read_pid_files($1_t)
@@ -1308,12 +1267,19 @@ template(`userdom_unpriv_user_template', `
 
 	optional_policy(`
 		postfix_run_postdrop($1_t, $1_r)
+		postfix_search_spool($1_t)
 	')
 
 	# Run pppd in pppd_t by default for user
 	optional_policy(`
 		ppp_run_cond($1_t, $1_r)
 	')
+
+	optional_policy(`
+		vdagent_getattr_log($1_t)
+		vdagent_getattr_exec($1_t)
+		vdagent_stream_connect($1_t)
+	')
 ')
 
 #######################################
@@ -1374,7 +1340,10 @@ template(`userdom_admin_user_template',`
 	# $1_t local policy
 	#
 
-	allow $1_t self:capability ~{ sys_module audit_control audit_write };
+	allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
+	tunable_policy(`deny_ptrace',`',`
+		allow $1_t self:capability sys_ptrace;
+	')
 	allow $1_t self:capability2 syslog;
 	allow $1_t self:process { setexec setfscreate };
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
@@ -1455,9 +1424,10 @@ template(`userdom_admin_user_template',`
 
 	auth_getattr_shadow($1_t)
 	# Manage almost all files
-	auth_manage_all_files_except_shadow($1_t)
+	files_manage_non_security_dirs($1_t)
+	files_manage_non_security_files($1_t)
 	# Relabel almost all files
-	auth_relabel_all_files_except_shadow($1_t)
+	files_relabel_non_security_files($1_t)
 
 	init_telinit($1_t)
 
@@ -1476,6 +1446,8 @@ template(`userdom_admin_user_template',`
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
+	systemd_config_all_services($1_t)
+
 	userdom_manage_user_home_content_dirs($1_t)
 	userdom_manage_user_home_content_files($1_t)
 	userdom_manage_user_home_content_symlinks($1_t)
@@ -1551,7 +1523,7 @@ template(`userdom_security_admin_template',`
 	selinux_set_parameters($1)
 	selinux_read_policy($1)
 
-	auth_relabel_all_files_except_shadow($1)
+	files_relabel_all_files($1)
 	auth_relabel_shadow($1)
 
 	init_exec($1)
@@ -1566,15 +1538,20 @@ template(`userdom_security_admin_template',`
 	seutil_manage_file_contexts($1)
 	seutil_manage_module_store($1)
 	seutil_manage_config($1)
-
 	seutil_run_checkpolicy($1,$2)
 	seutil_run_loadpolicy($1,$2)
 	seutil_run_semanage($1,$2)
 	seutil_run_setsebool($1,$2)
 	seutil_run_setfiles($1, $2)
 
+	seutil_manage_bin_policy($1)
+    seutil_manage_default_contexts($1)
+    seutil_manage_file_contexts($1)
+    seutil_manage_module_store($1)
+    seutil_manage_config($1)
+
 	optional_policy(`
-		aide_run($1, $2)
+		aide_run($1,$2)
 	')
 
 	optional_policy(`
@@ -1585,12 +1562,12 @@ template(`userdom_security_admin_template',`
 		dmesg_exec($1)
 	')
 
-	optional_policy(`
-		ipsec_run_setkey($1, $2)
+	optional_policy(`	
+		ipsec_run_setkey($1,$2)
 	')
 
 	optional_policy(`
-		netlabel_run_mgmt($1, $2)
+		netlabel_run_mgmt($1,$2)
 	')
 
 	optional_policy(`
@@ -2617,7 +2594,7 @@ interface(`userdom_user_home_content_filetrans',`
 		type user_home_dir_t, user_home_t;
 	')
 
-	filetrans_pattern($1, user_home_t, $2, $3)
+	filetrans_pattern($1, user_home_t, $2, $3, $4)
 	allow $1 user_home_dir_t:dir search_dir_perms;
 	files_search_home($1)
 ')
@@ -2968,7 +2945,7 @@ interface(`userdom_user_tmp_filetrans',`
 		type user_tmp_t;
 	')
 
-	filetrans_pattern($1, user_tmp_t, $2, $3)
+	filetrans_pattern($1, user_tmp_t, $2, $3, $4)
 	files_search_tmp($1)
 ')
 
@@ -2997,6 +2974,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 	files_tmp_filetrans($1, user_tmp_t, $2)
 ')
 
+#######################################
+## <summary>
+##  Getattr user tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`userdom_getattr_user_tmpfs_files',`
+    gen_require(`
+        type user_tmpfs_t;
+    ')
+
+    getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+    fs_search_tmpfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Read user tmpfs files.
@@ -3039,6 +3035,42 @@ interface(`userdom_rw_user_tmpfs_files',`
 	fs_search_tmpfs($1)
 ')
 
+########################################
+## <summary>
+##	Read/Write inherited user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_inherited_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	allow $1 user_tmpfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_execute_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	allow $1 user_tmpfs_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of a user domain tty.
@@ -3248,8 +3280,8 @@ interface(`userdom_dontaudit_use_user_terminals',`
 		type user_tty_device_t, user_devpts_t;
 	')
 
-	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
-	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
+	dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+	dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
 ')
 
 
@@ -3340,6 +3372,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
+#####################################
+## <summary>
+##  Allow domain dyntrans to unpriv userdomain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`userdom_dyntransition_unpriv_users',`
+    gen_require(`
+        attribute unpriv_userdomain;
+    ')
+
+    allow $1 unpriv_userdomain:process dyntransition;
+')
+
 ########################################
 ## <summary>
 ##	Execute an Xserver session in all unprivileged user domains.  This
@@ -3363,24 +3413,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
-#######################################
-## <summary>
-##	Read and write unpriviledged user SysV sempaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_rw_unpriv_user_semaphores',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:sem rw_sem_perms;
-')
-
 ########################################
 ## <summary>
 ##	Manage unpriviledged user SysV sempaphores.
@@ -3399,25 +3431,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')
 
-#######################################
-## <summary>
-##	Read and write unpriviledged user SysV shared
-##	memory segments.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_rw_unpriv_user_shared_mem',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:shm rw_shm_perms;
-')
-
 ########################################
 ## <summary>
 ##	Manage unpriviledged user SysV shared
@@ -3504,24 +3517,6 @@ interface(`userdom_search_user_home_content',`
 	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
 ')
 
-########################################
-## <summary>
-##	Send signull to unprivileged user domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_signull_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:process signull;
-')
-
 ########################################
 ## <summary>
 ##	Send general signals to unprivileged user domains.
@@ -3712,7 +3707,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
 		type user_tty_device_t;
 	')
 
-	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -3844,6 +3839,24 @@ interface(`userdom_sigchld_all_users',`
 	allow $1 userdomain:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Read keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key read;
+')
+
 ########################################
 ## <summary>
 ##	Create keys for all user domains.
@@ -3928,10 +3941,43 @@ template(`userdom_unpriv_usertype',`
 	typeattribute $2  $1_usertype;
 	typeattribute $2  unpriv_userdomain;
 	typeattribute $2  userdomain;
-
+	
+	auth_use_nsswitch($2)
 	ubac_constrained($2)
 ')
 
+#######################################
+## <summary>
+##  Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="userdomain_prefix">
+##  <summary>
+##  The prefix of the user domain (e.g., user
+##  is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+template(`userdom_unpriv_type',`
+    gen_require(`
+        attribute unpriv_userdomain, userdomain;
+    ')
+    typeattribute $2  unpriv_userdomain;
+    typeattribute $2  userdomain;
+
+    auth_use_nsswitch($2)
+    ubac_constrained($2)
+')
+
 ########################################
 ## <summary>
 ##	Connect to users over an unix stream socket.
@@ -3966,7 +4012,9 @@ interface(`userdom_ptrace_all_users',`
 		attribute userdomain;
 	')
 
-	allow $1 userdomain:process ptrace;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 userdomain:process ptrace;
+	')
 ')
 
 ########################################
@@ -4135,6 +4183,25 @@ interface(`userdom_read_admin_home_files',`
 	read_files_pattern($1, admin_home_t, admin_home_t)
 ')
 
+########################################
+## <summary>
+##	Delete admin home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_delete_admin_home_files',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	allow $1 admin_home_t:file delete_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute admin home files.
@@ -4602,6 +4669,29 @@ interface(`userdom_read_home_certs',`
 	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
 ')
 
+########################################
+## <summary>
+##	Manage system SSL certificates in the users homedir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_home_certs',`
+	gen_require(`
+		type home_cert_t;
+	')
+
+	allow $1 home_cert_t:dir list_dir_perms;
+	manage_files_pattern($1, home_cert_t, home_cert_t)
+	manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
+
+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
+')
+
 #######################################
 ## <summary>
 ##  Dontaudit Write system SSL certificates in the users homedir.
@@ -4732,6 +4822,24 @@ interface(`userdom_dontaudit_setattr_user_tmp',`
 	dontaudit $1 user_tmp_t:dir setattr;
 ')
 
+########################################
+## <summary>
+##	Read all inherited users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_inherited_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:file read_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Write all inherited users files in /tmp
@@ -4935,3 +5043,86 @@ interface(`userdom_dontaudit_read_all_user_tmp_content_files',`
 	dontaudit $1 user_tmp_type:file read_file_perms;
 ')
 
+#######################################
+## <summary>
+## Read and write unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_semaphores',`
+   gen_require(`
+       attribute unpriv_userdomain;
+   ')
+
+   allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##	Transition to userdom named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_filetrans_home_content',`
+	gen_require(`
+		type home_bin_t, home_cert_t;
+		type audio_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
+	userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
+	userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
+	userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
+	gnome_config_filetrans($1, home_cert_t, dir, "certificates")
+
+	#optional_policy(`
+	#	gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
+	#')
+')
+
+########################################
+## <summary>
+##	Make the specified type able to read content in user home dirs
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_home_reader',`
+	gen_require(`
+		attribute userdom_home_reader_type;
+	')
+
+	typeattribute $1 userdom_home_reader_type;
+')
+
+
+########################################
+## <summary>
+##	Make the specified type able to manage content in user home dirs
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_home_manager',`
+	gen_require(`
+		attribute userdom_home_manager_type;
+	')
+
+	typeattribute $1 userdom_home_manager_type;
+')