-+## Allow unprivledged user to create and transition to svirt domains. ++## Allow unprivileged user to create and transition to svirt domains. +##
+##- ## The template for creating a unprivileged user roughly -@@ -990,27 +1322,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1326,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -44707,7 +44733,7 @@ index 3c5dba7..519b132 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1359,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1363,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -44733,11 +44759,9 @@ index 3c5dba7..519b132 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cdrecord_role($1_r, $1_t) + ') + @@ -44766,9 +44790,11 @@ index 3c5dba7..519b132 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + wine_role_template($1, $1_r, $1_t) + ') + @@ -44778,7 +44804,7 @@ index 3c5dba7..519b132 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1421,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1425,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -44789,7 +44815,7 @@ index 3c5dba7..519b132 100644 ') ') -@@ -1082,7 +1459,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1463,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -44800,7 +44826,7 @@ index 3c5dba7..519b132 100644 ') ############################## -@@ -1098,6 +1477,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1481,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; 
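Review bot: In the refreshed `userdom_unpriv_user_template` hunks, the removal of `netutils_run_ping_cond($1_t, $1_r)` and `netutils_run_traceroute_cond($1_t, $1_r)` now lands in the `optional_policy` block that gains `wine_role_template($1, $1_r, $1_t)`, and nothing in the patch records why unprivileged user domains lose the ping and traceroute transitions. A one-line comment above the removed pair would make the intent reviewable, for example `# ping/traceroute transitions dropped from this template: <reason / where they are granted instead>`; the replacement, if there is one, is not visible in this chunk. Because this revision appears to move only hunk offsets and the position of the `')` / `optional_policy(` lines, it is also worth confirming that the applied template is identical to the one produced by the previous revision of the patch. The template body starts and ends outside these hunks.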
@@ -44808,7 +44834,7 @@ index 3c5dba7..519b132 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1108,14 +1488,8 @@ template(`userdom_admin_user_template',` +@@ -1108,14 +1492,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -44825,7 +44851,7 @@ index 3c5dba7..519b132 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -44833,7 +44859,7 @@ index 3c5dba7..519b132 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -44848,7 +44874,7 @@ index 3c5dba7..519b132 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -44891,7 +44917,7 @@ index 3c5dba7..519b132 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -44900,7 +44926,7 @@ index 3c5dba7..519b132 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -44919,7 +44945,7 @@ index 3c5dba7..519b132 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1243,7 +1637,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',` ##
-+## Allow docker to transition to unconfined conateiners ++## Allow docker to transition to unconfined containers. +##
+##++## Allow pcp to bind to all unreserved_ports ++##
++##-+## Allow zarafa domains to setrlimit/sys_rouserce. ++## Allow zarafa domains to setrlimit/sys_resource. +##
+##