diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index f52bae503..c29694389 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -211,6 +211,13 @@ template(`su_per_userdomain_template',`
userdom_search_user_home($1,$1_su_t)
ifdef(`targeted_policy',`
+ # allow user to suspend terminal.
+ # does not work in strict since the
+ # parent may not be able to use
+ # the terminal if we newrole,
+ # which relabels the terminal.
+ allow $1_su_t self:process sigstop;
+
corecmd_exec_bin($1_su_t)
userdom_manage_all_user_files($1_su_t)
userdom_manage_all_user_symlinks($1_su_t)
@@ -220,6 +227,7 @@ template(`su_per_userdomain_template',`
# make sediff easier.
if(!secure_mode) {
unconfined_domtrans($1_su_t)
+ unconfined_signal($1_su_t)
}
',`
if(secure_mode) {
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 19f21b031..66c46751f 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -185,6 +185,22 @@ interface(`unconfined_sigchld',`
allow $1 unconfined_t:process sigchld;
')
+########################################
+##
+## Send generic signals to the unconfined domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`unconfined_signal',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process signal;
+')
+
########################################
##
## Do not audit attempts to read unconfined domain unnamed pipes.