From e03f6d4c61c86d2e5e6d370f4db7ba89cbaf4874 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 18 Apr 2017 21:41:45 -0400
Subject: [PATCH] some userdomain patches from Russell Coker

Added mono_run for unconfined and also xserver_role and allow it to dbus chat with xdm. Allow sysadm_t to read kmsg. Allow user domains to dbus chat with kerneloops for the kerneloops desktop gui. Also allow them to chat with devicekit disk and power daemons. Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
---
 policy/modules/contrib | 2 +-
 policy/modules/system/unconfined.te | 9 +++++++--
 policy/modules/system/userdomain.if | 9 +++++++++
 policy/modules/system/userdomain.te | 2 +-
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib b/policy/modules/contrib
index 8f3a5492d..9e8292881 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 8f3a5492d213d8ffecb0233ce1ff924485bb72d2
+Subproject commit 9e82928816d773ae2c90d5118d28a3f79ce7b1ca
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index bb88f2610..2ab6b1040 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.3)
+policy_module(unconfined, 3.9.4)
 
 ########################################
 #
@@ -120,7 +120,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- mono_domtrans(unconfined_t)
+ mono_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -210,6 +210,11 @@ optional_policy(`
 wine_domtrans(unconfined_t)
 ')
 
+optional_policy(`
+ xserver_role(unconfined_r, unconfined_t)
+ xserver_dbus_chat_xdm(unconfined_t)
+')
+
 ########################################
 #
 # Unconfined Execmem Local policy
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 19622e858..69f2bb22d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
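Review bot: The new `xserver_role(unconfined_r, unconfined_t)` / `xserver_dbus_chat_xdm(unconfined_t)` pair is added as a free-standing optional_policy block after the wine block; if unconfined.te already carries an xserver optional_policy block elsewhere (not visible in this hunk), the two calls belong in it so the file's xserver rules stay in one place. The patch-level bump to 3.9.4 is consistent with a rules-only change. Separately, the description also promises sysadm_t kmsg access and gconfd_t read rules, but no hunk in this patch touches sysadm or gconf and sysadm.te is absent from the diffstat, so that text should be checked against what the contrib submodule bump actually carries.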
@@ -117,6 +117,15 @@ template(`userdom_base_user_template',`
 # Allow making the stack executable via mprotect.
 allow $1_t self:process execstack;
 ')
+
+ optional_policy(`
+ devicekit_dbus_chat_disk($1_t)
+ devicekit_dbus_chat_power($1_t)
+ ')
+
+ optional_policy(`
+ kerneloops_dbus_chat($1_t)
+ ')
 ')
 
 #######################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7e3cbab43..3aaf3eaa6 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.7)
+policy_module(userdomain, 4.13.8)
 
 ########################################
 #
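Review bot: The devicekit and kerneloops dbus_chat calls are placed in userdom_base_user_template, so every user domain built on the base template receives them, not only desktop ones; since the description ties them to the kerneloops desktop GUI, a narrower template that already holds the desktop/X rules may be the intended home, if one exists (the rest of the template is outside this hunk). Refpolicy dbus_chat interfaces typically grant send_msg in both directions, so this also lets those daemons send to every base user domain, which is worth stating. A one-line comment above the new blocks, e.g. `# Desktop notifications: disk/power events and kernel oops reports over dbus.`, would tell a later reader why base user domains talk to these daemons. The template begins before the hunk.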