some userdomain patches from Russell Coker

Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.

Allow sysadm_t to read kmsg.

Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui.  Also allow them to chat with devicekit disk and power daemons.

Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems

policy/modules/contrib

@@ -1 +1 @@
-Subproject commit 8f3a5492d213d8ffecb0233ce1ff924485bb72d2
+Subproject commit 9e82928816d773ae2c90d5118d28a3f79ce7b1ca

policy/modules/system/unconfined.te

@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.3)
+policy_module(unconfined, 3.9.4)
 
 ########################################
 #
@@ -120,7 +120,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mono_domtrans(unconfined_t)
+	mono_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -210,6 +210,11 @@ optional_policy(`
 	wine_domtrans(unconfined_t)
 ')
 
+optional_policy(`
+	xserver_role(unconfined_r, unconfined_t)
+	xserver_dbus_chat_xdm(unconfined_t)
+')
+
 ########################################
 #
 # Unconfined Execmem Local policy

policy/modules/system/userdomain.if

@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
+
+	optional_policy(`
+		devicekit_dbus_chat_disk($1_t)
+		devicekit_dbus_chat_power($1_t)
+	')
+
+	optional_policy(`
+		kerneloops_dbus_chat($1_t)
+	')
 ')
 
 #######################################

policy/modules/system/userdomain.te

@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.7)
+policy_module(userdomain, 4.13.8)
 
 ########################################
 #