Add back upstream changes in userdomain.if
authorMiroslav Grepl <mgrepl@redhat.com>
Tue, 28 Jun 2011 15:12:09 +0000 (15:12 +0000)
committerMiroslav Grepl <mgrepl@redhat.com>
Tue, 28 Jun 2011 15:12:09 +0000 (15:12 +0000)
policy/modules/system/userdomain.if

index d7d04d9ba341c505e1789c451d1d84731ff47e01..b0955cf38bf5ffafc0e6a0831c795700dafc4f49 100644 (file)
@@ -932,6 +932,11 @@ template(`userdom_login_user_template', `
        auth_dontaudit_write_login_records($1_t)
        auth_rw_cache($1_t)
 
+       application_exec_all($1_t)
+       # The library functions always try to open read-write first,
+       # then fall back to read-only if it fails.
+       init_dontaudit_rw_utmp($1_t)
+
        # Stop warnings about access to /dev/console
        init_dontaudit_use_fds($1_usertype)
        init_dontaudit_use_script_fds($1_usertype)
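Review bot: The added `application_exec_all($1_t)` has no comment of its own and sits directly under the comment that describes only the utmp read-write/read-only fallback, so a reader will take the utmp rationale as covering both calls. The two calls have very different weight: one is a dontaudit that silences a denial, the other grants the login user domain execute access to every application executable type, and `$1_t` here is the base type for every login user, not just unprivileged ones. I would separate them with a blank line and give the exec rule its own one-line justification, e.g. `# Login users may run any application executable type` above `application_exec_all($1_t)`. The template body continues outside the hunk, so whether a narrower exec interface is already granted elsewhere in it cannot be checked from here.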
@@ -1013,7 +1018,7 @@ template(`userdom_restricted_user_template',`
        #
 
        optional_policy(`
-               loadkeys_run($1_t,$1_r)
+               loadkeys_run($1_t, $1_r)
        ')
 ')
 
@@ -1210,6 +1215,24 @@ template(`userdom_unpriv_user_template', `
 
        storage_rw_fuse($1_t)
 
+       files_exec_usr_files($1_t)
+   # cjp: why?
+       files_read_kernel_symbol_table($1_t)
+
+       ifndef(`enable_mls',`
+               fs_exec_noxattr($1_t)
+
+               tunable_policy(`user_rw_noexattrfile',`
+                       fs_manage_noxattr_fs_files($1_t)
+                       fs_manage_noxattr_fs_dirs($1_t)
+                       # Write floppies
+                       storage_raw_read_removable_device($1_t)
+                       storage_raw_write_removable_device($1_t)
+               ',`
+                       storage_raw_read_removable_device($1_t)
+               ')
+       ')
+
        miscfiles_read_hwdata($1_usertype)
 
        # Allow users to run TCP servers (bind to ports and accept connection from
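Review bot: `files_read_kernel_symbol_table($1_t)` is added to the unprivileged user template with only the inline question `# cjp: why?` as justification, and that comment also uses three spaces where the surrounding lines use a tab, so it does not line up with the call it annotates. Either the rationale for unprivileged users reading the kernel symbol table should be written down in its place, or the question should be resolved before merge rather than carried into the policy; a TODO that names who needs it would be better than a bare question. Separately, `storage_raw_read_removable_device($1_t)` appears in both branches of the `user_rw_noexattrfile` tunable, so the tunable really only gates the write side; hoisting the read call above `tunable_policy` and leaving only `storage_raw_write_removable_device($1_t)` in the true branch makes that visible and drops the else branch entirely. The `userdom_unpriv_user_template` body starts before and continues after this hunk.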