rpms/selinux-policy/devel policy-20081111.patch, 1.9, 1.10 selinux-policy.spec, 1.752, 1.753
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Dec 8 16:38:39 UTC 2008
- Previous message (by thread): rpms/openser/EL-4 openser.sysconfig, NONE, 1.1 .cvsignore, 1.5, 1.6 import.log, 1.2, 1.3 openser.spec, 1.13, 1.14 sources, 1.5, 1.6
- Next message (by thread): rpms/openoffice.org/devel workspace.impressfontsize.tar.gz, NONE, 1.1 openoffice.org.spec, 1.1712, 1.1713 workspace.impressfontsize.patch, 1.1, 1.2 openoffice.org-2.3.0.ooo80257.sd.textonlystyle.patch, 1.3, NONE openoffice.org-2.3.0.ooo80257.sd.textonlystyle.tar.gz, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv765
Modified Files:
policy-20081111.patch selinux-policy.spec
Log Message:
* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-7
- Allow iptables to talk to terminals
- Fixes for policy kit
- lots of fixes for booting.
policy-20081111.patch:
Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20081111.patch 4 Dec 2008 21:43:54 -0000 1.9
+++ policy-20081111.patch 8 Dec 2008 16:38:09 -0000 1.10
@@ -1,82 +1,3 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.1/Makefile
---- nsaserefpolicy/Makefile 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.1/Makefile 2008-11-25 09:45:43.000000000 -0500
-@@ -315,20 +315,22 @@
-
- # parse-rolemap modulename,outputfile
- define parse-rolemap
-- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+ echo "" >> $2
-+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
-
- # perrole-expansion modulename,outputfile
- define perrole-expansion
-- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-- $(call parse-rolemap,$1,$2)
-- $(verbose) echo "')" >> $2
--
-- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-- $(call parse-rolemap-compat,$1,$2)
-- $(verbose) echo "')" >> $2
-+ echo "No longer doing perrole-expansion"
-+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+# $(call parse-rolemap,$1,$2)
-+# $(verbose) echo "')" >> $2
-+
-+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+# $(call parse-rolemap-compat,$1,$2)
-+# $(verbose) echo "')" >> $2
- endef
-
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -527,6 +529,10 @@
- @mkdir -p $(appdir)/users
- $(verbose) $(INSTALL) -m 644 $^ $@
-
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+ @mkdir -p $(appdir)
-+ $(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- @mkdir -p $(appdir)
- $(verbose) $(INSTALL) -m 644 $< $@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.1/Rules.modular
---- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.1/Rules.modular 2008-11-25 09:45:43.000000000 -0500
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
-- $(call perrole-expansion,$(basename $(@F)),$@.role)
-- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+# $(call perrole-expansion,$(basename $(@F)),$@.role)
-+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- $(verbose) $(genperm) $(avs) $(secclass) > $@
-- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
-
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -146,7 +146,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- $(verbose) echo "" > $@
-- $(call parse-rolemap,base,$@)
-+# $(call parse-rolemap,base,$@)
-
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.1/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.1/config/appconfig-mcs/default_contexts 2008-11-25 09:45:43.000000000 -0500
@@ -176,6 +97,12 @@
+system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
+unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context
+--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400
++++ serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context 2008-11-25 09:45:43.000000000 -0500
+@@ -1 +1 @@
+-system_u:sysadm_r:sysadm_t:s0
++system_u:system_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.1/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.1/config/appconfig-mcs/user_u_default_contexts 2008-11-25 09:45:43.000000000 -0500
@@ -191,12 +118,6 @@
-
+system_r:initrc_su_t:s0 user_r:user_t:s0
+user_r:user_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context
---- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context 2008-11-25 09:45:43.000000000 -0500
-@@ -1 +1 @@
--system_u:sysadm_r:sysadm_t:s0
-+system_u:system_r:unconfined_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.1/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.1/config/appconfig-mcs/xguest_u_default_contexts 2008-11-25 09:45:43.000000000 -0500
@@ -272,6 +193,53 @@
+system_r:xdm_t xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.1/Makefile
+--- nsaserefpolicy/Makefile 2008-11-11 16:13:50.000000000 -0500
++++ serefpolicy-3.6.1/Makefile 2008-11-25 09:45:43.000000000 -0500
+@@ -315,20 +315,22 @@
+
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++ echo "" >> $2
++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+- $(call parse-rolemap,$1,$2)
+- $(verbose) echo "')" >> $2
+-
+- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+- $(call parse-rolemap-compat,$1,$2)
+- $(verbose) echo "')" >> $2
++ echo "No longer doing perrole-expansion"
++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++# $(call parse-rolemap,$1,$2)
++# $(verbose) echo "')" >> $2
++
++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++# $(call parse-rolemap-compat,$1,$2)
++# $(verbose) echo "')" >> $2
+ endef
+
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -527,6 +529,10 @@
+ @mkdir -p $(appdir)/users
+ $(verbose) $(INSTALL) -m 644 $^ $@
+
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++ @mkdir -p $(appdir)
++ $(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ @mkdir -p $(appdir)
+ $(verbose) $(INSTALL) -m 644 $< $@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.1/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.1/man/man8/samba_selinux.8 2008-11-25 09:45:43.000000000 -0500
@@ -363,6 +331,18 @@
logging_send_syslog_msg(certwatch_t)
miscfiles_read_certs(certwatch_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.1/policy/modules/admin/consoletype.te
+--- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-11-11 16:13:49.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/admin/consoletype.te 2008-12-05 09:17:49.000000000 -0500
+@@ -18,7 +18,7 @@
+ # Local declarations
+ #
+
+-allow consoletype_t self:capability sys_admin;
++allow consoletype_t self:capability { sys_admin sys_tty_config };
+ allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow consoletype_t self:fd use;
+ allow consoletype_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.1/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-11-11 16:13:49.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/admin/kismet.te 2008-12-02 11:02:15.000000000 -0500
@@ -1102,7 +1082,7 @@
java_domtrans_unconfined(rpm_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.1/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-03 14:12:34.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-05 14:31:30.000000000 -0500
@@ -51,7 +51,7 @@
#
@@ -1137,7 +1117,7 @@
dev_read_urand($1_sudo_t)
+ dev_rw_generic_usb_dev($1_sudo_t)
-+ dev_list_sysfs($1_sudo_t)
++ dev_read_sysfs($1_sudo_t)
fs_search_auto_mountpoints($1_sudo_t)
fs_getattr_xattr_fs($1_sudo_t)
@@ -1457,9 +1437,12 @@
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-04 13:27:45.000000000 -0500
-@@ -91,3 +91,150 @@
++++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-08 10:37:21.000000000 -0500
+@@ -89,5 +89,154 @@
+
+ allow $1 gnome_home_t:dir manage_dir_perms;
allow $1 gnome_home_t:file manage_file_perms;
++ allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
userdom_search_user_home_dirs($1)
')
+
@@ -1526,6 +1509,7 @@
+ type gconf_etc_t;
+ ')
+
++ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
@@ -1651,6 +1635,37 @@
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.1/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2008-11-11 16:13:42.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/apps/gpg.if 2008-12-05 10:36:57.000000000 -0500
+@@ -30,7 +30,7 @@
+
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+- allow $2 gpg_t:process signal;
++ allow $2 gpg_t:process { signal sigkill };
+
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+@@ -46,9 +46,17 @@
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+-
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
++
++ #Leaked File Descriptors
++ dontaudit gpg_t $2:tcp_socket rw_socket_perms;
++ dontaudit gpg_t $2:udp_socket rw_socket_perms;
++ dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
++ dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
++ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
++
++ userdom_manage_user_home_content_files(gpg_t)
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.1/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2008-11-11 16:13:42.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/gpg.te 2008-11-25 09:45:43.000000000 -0500
@@ -2485,8 +2500,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-03 09:00:12.000000000 -0500
-@@ -0,0 +1,273 @@
++++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-05 08:34:32.000000000 -0500
+@@ -0,0 +1,275 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -2553,6 +2568,8 @@
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
@@ -3806,7 +3823,7 @@
+xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc 2008-11-25 16:31:05.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc 2008-12-05 08:55:39.000000000 -0500
@@ -128,6 +128,8 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3829,6 +3846,17 @@
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -221,8 +221,8 @@
+ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/vmware-tools/sbin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -291,3 +291,12 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
@@ -10168,8 +10196,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/cups.te 2008-12-02 10:19:15.000000000 -0500
-@@ -20,6 +20,12 @@
++++ serefpolicy-3.6.1/policy/modules/services/cups.te 2008-12-05 08:56:46.000000000 -0500
+@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -10182,7 +10210,13 @@
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
-@@ -48,6 +54,10 @@
++type cupsd_lock_t;
++files_lock_file(cupsd_lock_t)
++
+ type cupsd_log_t;
+ logging_log_file(cupsd_log_t)
+
+@@ -48,6 +57,10 @@
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
@@ -10193,7 +10227,7 @@
type hplip_etc_t;
files_config_file(hplip_etc_t)
-@@ -65,6 +75,16 @@
+@@ -65,6 +78,16 @@
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
@@ -10210,7 +10244,7 @@
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
-@@ -79,13 +99,14 @@
+@@ -79,13 +102,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
@@ -10228,7 +10262,7 @@
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -97,6 +118,9 @@
+@@ -97,6 +121,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
@@ -10238,7 +10272,7 @@
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-@@ -104,8 +128,8 @@
+@@ -104,8 +131,11 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
@@ -10246,10 +10280,13 @@
-allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
++
++allow cupsd_t cupsd_lock_t:file manage_file_perms;
++files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
-@@ -116,13 +140,20 @@
+@@ -116,13 +146,20 @@
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
@@ -10272,7 +10309,7 @@
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-@@ -149,44 +180,49 @@
+@@ -149,44 +186,49 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -10327,7 +10364,7 @@
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +231,16 @@
+@@ -195,15 +237,16 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -10348,7 +10385,7 @@
auth_use_nsswitch(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-@@ -217,17 +254,21 @@
+@@ -217,17 +260,21 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
@@ -10373,7 +10410,7 @@
')
optional_policy(`
-@@ -244,8 +285,16 @@
+@@ -244,8 +291,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -10390,7 +10427,7 @@
')
optional_policy(`
-@@ -261,6 +310,10 @@
+@@ -261,6 +316,10 @@
')
optional_policy(`
@@ -10401,7 +10438,7 @@
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
-@@ -279,7 +332,7 @@
+@@ -279,7 +338,7 @@
# Cups configuration daemon local policy
#
@@ -10410,7 +10447,7 @@
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -311,7 +364,7 @@
+@@ -311,7 +370,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
kernel_read_system_state(cupsd_config_t)
@@ -10419,7 +10456,7 @@
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +377,7 @@
+@@ -324,6 +383,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -10427,7 +10464,7 @@
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +395,14 @@
+@@ -341,13 +401,14 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
@@ -10443,7 +10480,7 @@
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -359,14 +414,16 @@
+@@ -359,14 +420,16 @@
lpd_read_config(cupsd_config_t)
ifdef(`distro_redhat',`
@@ -10462,7 +10499,7 @@
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -382,6 +439,7 @@
+@@ -382,6 +445,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -10470,7 +10507,7 @@
')
optional_policy(`
-@@ -491,7 +549,8 @@
+@@ -491,7 +555,8 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -10480,7 +10517,7 @@
cups_stream_connect(hplip_t)
-@@ -500,6 +559,10 @@
+@@ -500,6 +565,10 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -10491,7 +10528,7 @@
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -529,7 +592,8 @@
+@@ -529,7 +598,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -10501,7 +10538,7 @@
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +617,9 @@
+@@ -553,7 +623,9 @@
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -10512,7 +10549,7 @@
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -635,3 +701,39 @@
+@@ -635,3 +707,39 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -10586,8 +10623,25 @@
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-12-04 13:28:31.000000000 -0500
-@@ -160,6 +160,10 @@
++++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-12-05 14:40:52.000000000 -0500
+@@ -44,6 +44,7 @@
+
+ attribute session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
++ type $1_t;
+ ')
+
+ ##############################
+@@ -91,7 +92,7 @@
+ allow $3 $1_dbusd_t:process { sigkill signal };
+
+ # cjp: this seems very broken
+- corecmd_bin_domtrans($1_dbusd_t, $3)
++ corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+@@ -160,6 +161,10 @@
')
optional_policy(`
@@ -10598,7 +10652,7 @@
hal_dbus_chat($1_dbusd_t)
')
-@@ -185,10 +189,12 @@
+@@ -185,10 +190,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -10612,7 +10666,7 @@
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -197,6 +203,10 @@
+@@ -197,6 +204,10 @@
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
@@ -10623,7 +10677,7 @@
')
#######################################
-@@ -244,6 +254,35 @@
+@@ -244,6 +255,35 @@
########################################
## <summary>
@@ -10659,7 +10713,7 @@
## Read dbus configuration.
## </summary>
## <param name="domain">
-@@ -318,3 +357,77 @@
+@@ -318,3 +358,77 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -13223,7 +13277,7 @@
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.1/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.fc 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/networkmanager.fc 2008-12-05 09:14:39.000000000 -0500
@@ -1,8 +1,12 @@
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
@@ -13237,13 +13291,11 @@
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-@@ -10,3 +14,6 @@
+@@ -10,3 +14,4 @@
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+
-+/usr/libexec/nm-openconnect-service -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.1/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-11-25 09:45:43.000000000 -0500
@@ -15626,7 +15678,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 16:37:06.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-08 10:25:12.000000000 -0500
@@ -0,0 +1,224 @@
+policy_module(polkit_auth, 1.0.0)
+
@@ -15747,7 +15799,7 @@
+')
+
+optional_policy(`
-+ dbus_system_domain(polkit_auth_exec_t, polkit_auth_t)
++ dbus_system_domain( polkit_auth_t, polkit_auth_exec_t)
+
+ dbus_session_bus_client(polkit_auth_t)
+
@@ -19811,7 +19863,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-04 13:46:29.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-05 10:40:21.000000000 -0500
@@ -75,7 +75,7 @@
ubac_constrained(ssh_tmpfs_t)
@@ -19821,6 +19873,15 @@
typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
files_type(home_ssh_t)
userdom_user_home_content(home_ssh_t)
+@@ -95,7 +95,7 @@
+ allow ssh_t self:sem create_sem_perms;
+ allow ssh_t self:msgq create_msgq_perms;
+ allow ssh_t self:msg { send receive };
+-allow ssh_t self:tcp_socket create_socket_perms;
++allow ssh_t self:tcp_socket create_stream_socket_perms;
+ allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # Read the ssh key file.
@@ -115,6 +115,7 @@
manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
@@ -19829,7 +19890,24 @@
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -318,6 +319,9 @@
+@@ -139,6 +140,8 @@
+ corenet_tcp_sendrecv_all_ports(ssh_t)
+ corenet_tcp_connect_ssh_port(ssh_t)
+ corenet_sendrecv_ssh_client_packets(ssh_t)
++corenet_tcp_bind_all_nodes(ssh_t)
++corenet_tcp_bind_all_unreserved_ports(ssh_t)
+
+ dev_read_urand(ssh_t)
+
+@@ -202,6 +205,7 @@
+ # for port forwarding
+ tunable_policy(`user_tcp_server',`
+ corenet_tcp_bind_ssh_port(ssh_t)
++ corenet_tcp_bind_all_nodes(ssh_t)
+ ')
+
+ optional_policy(`
+@@ -318,6 +322,9 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
@@ -19839,7 +19917,7 @@
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +335,14 @@
+@@ -331,6 +338,14 @@
')
optional_policy(`
@@ -19854,7 +19932,7 @@
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -349,7 +361,11 @@
+@@ -349,7 +364,11 @@
')
optional_policy(`
@@ -19867,7 +19945,7 @@
unconfined_shell_domtrans(sshd_t)
')
-@@ -408,6 +424,8 @@
+@@ -408,6 +427,8 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
@@ -20461,8 +20539,8 @@
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.1/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.fc 2008-11-25 09:45:43.000000000 -0500
-@@ -3,11 +3,13 @@
++++ serefpolicy-3.6.1/policy/modules/services/xserver.fc 2008-12-08 10:44:04.000000000 -0500
+@@ -3,11 +3,14 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
@@ -20473,10 +20551,11 @@
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0)
#
# /dev
-@@ -32,11 +34,6 @@
+@@ -32,11 +35,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -20488,7 +20567,7 @@
#
# /opt
#
-@@ -61,6 +58,7 @@
+@@ -61,6 +59,7 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -20496,7 +20575,7 @@
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -89,16 +87,26 @@
+@@ -89,16 +88,26 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -20900,7 +20979,7 @@
## display.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-03 18:27:33.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-08 10:28:07.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@@ -21034,7 +21113,7 @@
typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -256,6 +275,9 @@
+@@ -256,13 +275,13 @@
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
@@ -21044,7 +21123,14 @@
manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-@@ -300,13 +322,14 @@
+
+-allow xdm_t xauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+-
+ domain_use_interactive_fds(xauth_t)
+
+ files_read_etc_files(xauth_t)
+@@ -300,13 +319,14 @@
# XDM Local policy
#
@@ -21062,7 +21148,7 @@
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
allow xdm_t self:socket create_socket_perms;
-@@ -314,6 +337,11 @@
+@@ -314,6 +334,11 @@
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -21070,11 +21156,11 @@
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+userdom_user_tmp_filetrans(xdm_t, xdm_home_t, file)
++userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -329,6 +357,8 @@
+@@ -329,6 +354,8 @@
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -21083,7 +21169,7 @@
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -336,15 +366,30 @@
+@@ -336,15 +363,30 @@
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -21116,7 +21202,7 @@
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +403,7 @@
+@@ -358,6 +400,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -21124,7 +21210,7 @@
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
-@@ -389,11 +435,13 @@
+@@ -389,11 +432,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -21138,7 +21224,7 @@
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +449,7 @@
+@@ -401,6 +446,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -21146,7 +21232,7 @@
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -413,14 +462,17 @@
+@@ -413,14 +459,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -21166,7 +21252,7 @@
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +483,13 @@
+@@ -431,9 +480,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -21180,7 +21266,7 @@
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +498,7 @@
+@@ -442,6 +495,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -21188,7 +21274,7 @@
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +507,7 @@
+@@ -450,6 +504,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -21196,7 +21282,7 @@
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -460,10 +518,10 @@
+@@ -460,10 +515,10 @@
logging_read_generic_logs(xdm_t)
@@ -21209,7 +21295,7 @@
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -504,10 +562,12 @@
+@@ -504,10 +559,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -21222,7 +21308,7 @@
')
optional_policy(`
-@@ -515,12 +575,35 @@
+@@ -515,12 +572,35 @@
')
optional_policy(`
@@ -21258,7 +21344,7 @@
hostname_exec(xdm_t)
')
-@@ -542,6 +625,18 @@
+@@ -542,6 +622,18 @@
')
optional_policy(`
@@ -21277,7 +21363,7 @@
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +645,8 @@
+@@ -550,8 +642,8 @@
')
optional_policy(`
@@ -21287,7 +21373,7 @@
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -571,6 +666,10 @@
+@@ -571,6 +663,10 @@
')
optional_policy(`
@@ -21298,7 +21384,7 @@
xfs_stream_connect(xdm_t)
')
-@@ -635,6 +734,15 @@
+@@ -635,6 +731,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -21314,7 +21400,7 @@
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -682,6 +790,7 @@
+@@ -682,6 +787,7 @@
dev_rw_input_dev(xserver_t)
dev_rwx_zero(xserver_t)
@@ -21322,7 +21408,7 @@
domain_mmap_low(xserver_t)
files_read_etc_files(xserver_t)
-@@ -697,6 +806,7 @@
+@@ -697,6 +803,7 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -21330,7 +21416,7 @@
mls_xwin_read_to_clearance(xserver_t)
-@@ -806,7 +916,7 @@
+@@ -806,7 +913,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -21339,7 +21425,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +940,10 @@
+@@ -830,6 +937,10 @@
xserver_use_user_fonts(xserver_t)
@@ -21350,7 +21436,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +958,14 @@
+@@ -844,11 +955,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -21366,7 +21452,7 @@
')
optional_policy(`
-@@ -856,6 +973,11 @@
+@@ -856,6 +970,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -21378,7 +21464,7 @@
########################################
#
# Rules common to all X window domains
-@@ -972,6 +1094,21 @@
+@@ -972,6 +1091,21 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -21400,7 +21486,7 @@
ifdef(`TODO',`
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1123,13 @@
+@@ -986,3 +1120,13 @@
#
allow xdm_t user_home_type:file unlink;
') dnl end TODO
@@ -23398,7 +23484,7 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.1/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/mount.te 2008-11-27 06:40:08.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/mount.te 2008-12-08 11:14:40.000000000 -0500
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -23498,7 +23584,15 @@
auth_use_nsswitch(mount_t)
-@@ -133,7 +146,7 @@
+@@ -116,6 +129,7 @@
+ seutil_read_config(mount_t)
+
+ userdom_use_all_users_fds(mount_t)
++userdom_manage_user_home_content_dirs(mount_t)
+
+ ifdef(`distro_redhat',`
+ optional_policy(`
+@@ -133,7 +147,7 @@
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
@@ -23507,7 +23601,7 @@
files_mounton_non_security(mount_t)
')
-@@ -164,6 +177,8 @@
+@@ -164,6 +178,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -23516,7 +23610,7 @@
')
optional_policy(`
-@@ -171,6 +186,15 @@
+@@ -171,6 +187,15 @@
')
optional_policy(`
@@ -23532,7 +23626,7 @@
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +202,11 @@
+@@ -178,6 +203,11 @@
')
')
@@ -23544,7 +23638,7 @@
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -185,6 +214,7 @@
+@@ -185,6 +215,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -23552,7 +23646,7 @@
')
########################################
-@@ -195,4 +225,26 @@
+@@ -195,4 +226,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -25461,7 +25555,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 16:31:37.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-08 11:32:11.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -25642,18 +25736,50 @@
')
')
-@@ -232,7 +246,10 @@
+@@ -220,9 +234,10 @@
+ interface(`userdom_manage_home_role',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+- role $1 types { user_home_t user_home_dir_t };
++ role $1 types { user_home_type user_home_dir_t };
+
+ ##############################
+ #
+@@ -232,17 +247,20 @@
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
+ allow $2 user_home_t:dir mounton;
allow $2 user_home_t:file entrypoint;
-+
-+ allow $2 user_home_t:dir_file_class_set { relabelto relabelfrom };
- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-@@ -250,25 +267,23 @@
+- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
++
++ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
++ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ files_list_home($2)
+
+@@ -250,25 +268,23 @@
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -25683,7 +25809,7 @@
')
')
-@@ -303,6 +318,7 @@
+@@ -303,6 +319,7 @@
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -25691,7 +25817,7 @@
')
#######################################
-@@ -368,46 +384,41 @@
+@@ -368,46 +385,41 @@
#######################################
## <summary>
@@ -25713,12 +25839,10 @@
- gen_require(`
- type $1_t;
- ')
-+interface(`userdom_basic_networking',`
-
+-
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+ allow $1 self:tcp_socket create_stream_socket_perms;
-+ allow $1 self:udp_socket create_socket_perms;
++interface(`userdom_basic_networking',`
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
@@ -25730,7 +25854,9 @@
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
--
++ allow $1 self:tcp_socket create_stream_socket_perms;
++ allow $1 self:udp_socket create_socket_perms;
+
- corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
@@ -25758,7 +25884,7 @@
')
#######################################
-@@ -420,34 +431,39 @@
+@@ -420,34 +432,39 @@
## is the prefix for user_t).
## </summary>
## </param>
@@ -25816,7 +25942,7 @@
')
#######################################
-@@ -497,11 +513,7 @@
+@@ -497,11 +514,7 @@
attribute unpriv_userdomain;
')
@@ -25829,7 +25955,7 @@
##############################
#
-@@ -512,189 +524,192 @@
+@@ -512,189 +525,194 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -25847,26 +25973,26 @@
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
-- corecmd_exec_bin($1_t)
+- corenet_udp_bind_all_nodes($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_all_nodes($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- corenet_udp_bind_all_nodes($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -25976,6 +26102,8 @@
optional_policy(`
- dbus_system_bus_client($1_t)
+ dbus_system_bus_client($1_usertype)
++
++ allow $1_usertype $1_usertype:dbus send_msg;
optional_policy(`
- bluetooth_dbus_chat($1_t)
@@ -26065,16 +26193,16 @@
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
+ postgresql_stream_connect($1_usertype)
++ ')
')
++
++ optional_policy(`
++ # to allow monitoring of pcmcia status
++ pcmcia_read_pid($1_usertype)
')
optional_policy(`
- resmgr_stream_connect($1_t)
-+ # to allow monitoring of pcmcia status
-+ pcmcia_read_pid($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ pcscd_read_pub_files($1_usertype)
+ pcscd_stream_connect($1_usertype)
')
@@ -26104,25 +26232,25 @@
')
#######################################
-@@ -722,15 +737,27 @@
+@@ -722,15 +740,27 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_change_password_template($1)
++
++ userdom_manage_home_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_home_role($1_r, $1_usertype)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
++ gen_tunable(allow_$1_exec_content, true)
- userdom_change_password_template($1)
-+ gen_tunable(allow_$1_exec_content, true)
-+
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -26138,7 +26266,7 @@
##############################
#
-@@ -746,70 +773,72 @@
+@@ -746,70 +776,72 @@
allow $1_t self:context contains;
@@ -26244,7 +26372,7 @@
')
')
-@@ -846,6 +875,27 @@
+@@ -846,6 +878,28 @@
# Local policy
#
@@ -26256,8 +26384,9 @@
+ ')
+
+ optional_policy(`
-+ dbus_role_template($1, $1_r, $1_t)
-+ dbus_system_bus_client($1_t)
++ dbus_role_template($1, $1_r, $1_usertype)
++ dbus_system_bus_client($1_usertype)
++ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat($1_usertype)
@@ -26272,7 +26401,7 @@
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -876,7 +926,7 @@
+@@ -876,7 +930,7 @@
userdom_restricted_user_template($1)
@@ -26281,7 +26410,7 @@
##############################
#
-@@ -884,14 +934,18 @@
+@@ -884,14 +938,18 @@
#
auth_role($1_r, $1_t)
@@ -26305,7 +26434,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +953,24 @@
+@@ -899,28 +957,24 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -26340,7 +26469,7 @@
')
')
-@@ -931,8 +981,7 @@
+@@ -931,8 +985,7 @@
## </summary>
## <desc>
## <p>
@@ -26350,7 +26479,7 @@
## </p>
## <p>
## This template creates a user domain, types, and
-@@ -954,8 +1003,8 @@
+@@ -954,8 +1007,8 @@
# Declarations
#
@@ -26360,7 +26489,7 @@
userdom_common_user_template($1)
##############################
-@@ -964,11 +1013,10 @@
+@@ -964,11 +1017,10 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -26373,7 +26502,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,36 +1034,37 @@
+@@ -986,36 +1038,37 @@
')
')
@@ -26424,7 +26553,7 @@
')
')
-@@ -1050,7 +1099,7 @@
+@@ -1050,7 +1103,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -26433,7 +26562,7 @@
')
##############################
-@@ -1059,8 +1108,7 @@
+@@ -1059,8 +1112,7 @@
#
# Inherit rules for ordinary users.
@@ -26443,7 +26572,7 @@
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1131,8 @@
+@@ -1083,7 +1135,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -26453,7 +26582,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1106,8 +1155,6 @@
+@@ -1106,8 +1159,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -26462,7 +26591,7 @@
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1209,6 @@
+@@ -1162,20 +1213,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -26483,7 +26612,7 @@
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1254,7 @@
+@@ -1221,6 +1258,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -26491,16 +26620,23 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1291,6 +1325,8 @@
+@@ -1286,11 +1324,15 @@
+ interface(`userdom_user_home_content',`
+ gen_require(`
+ type user_home_t;
++ attribute user_home_type;
+ ')
+
allow $1 user_home_t:filesystem associate;
files_type($1)
ubac_constrained($1)
+
+ files_poly_member($1)
++ typeattribute $1 user_home_type;
')
########################################
-@@ -1387,7 +1423,7 @@
+@@ -1387,7 +1429,7 @@
########################################
## <summary>
@@ -26509,7 +26645,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -1420,6 +1456,14 @@
+@@ -1420,6 +1462,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -26524,7 +26660,7 @@
')
########################################
-@@ -1435,9 +1479,11 @@
+@@ -1435,9 +1485,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -26536,7 +26672,7 @@
')
########################################
-@@ -1494,6 +1540,25 @@
+@@ -1494,6 +1546,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -26562,7 +26698,7 @@
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1547,9 +1612,9 @@
+@@ -1547,9 +1618,9 @@
type user_home_dir_t, user_home_t;
')
@@ -26574,7 +26710,7 @@
')
########################################
-@@ -1568,6 +1633,8 @@
+@@ -1568,6 +1639,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -26583,7 +26719,15 @@
')
########################################
-@@ -1741,6 +1808,62 @@
+@@ -1643,6 +1716,7 @@
+ type user_home_dir_t, user_home_t;
+ ')
+
++ list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
+ read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
+ ')
+@@ -1741,6 +1815,62 @@
########################################
## <summary>
@@ -26646,7 +26790,7 @@
## Execute user home files.
## </summary>
## <param name="domain">
-@@ -1757,14 +1880,6 @@
+@@ -1757,14 +1887,6 @@
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -26661,7 +26805,7 @@
')
########################################
-@@ -1787,6 +1902,46 @@
+@@ -1787,6 +1909,46 @@
########################################
## <summary>
@@ -26708,7 +26852,7 @@
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
-@@ -2819,6 +2974,24 @@
+@@ -2819,6 +2981,24 @@
########################################
## <summary>
@@ -26733,7 +26877,7 @@
## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
-@@ -2965,6 +3138,24 @@
+@@ -2965,6 +3145,24 @@
########################################
## <summary>
@@ -26758,7 +26902,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -2981,3 +3172,263 @@
+@@ -2981,3 +3179,263 @@
allow $1 userdomain:dbus send_msg;
')
@@ -27024,7 +27168,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.1/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.te 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.te 2008-12-08 10:35:36.000000000 -0500
@@ -8,13 +8,6 @@
## <desc>
@@ -27053,20 +27197,32 @@
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
-@@ -58,6 +44,12 @@
- attribute untrusted_content_type;
- attribute untrusted_content_tmp_type;
-
+@@ -55,8 +41,14 @@
+ # unprivileged user domains
+ attribute unpriv_userdomain;
+
+-attribute untrusted_content_type;
+-attribute untrusted_content_tmp_type;
++# unprivileged user domains
++attribute user_home_type;
++
+type admin_home_t;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
-+
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
- files_type(user_home_dir_t)
-@@ -95,3 +87,7 @@
+@@ -70,6 +62,7 @@
+
+ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
++typeattribute user_home_t user_home_type;
+ userdom_user_home_content(user_home_t)
+ fs_associate_tmpfs(user_home_t)
+ files_associate_tmp(user_home_t)
+@@ -95,3 +88,7 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
@@ -27451,6 +27607,38 @@
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.1/Rules.modular
+--- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500
++++ serefpolicy-3.6.1/Rules.modular 2008-11-25 09:45:43.000000000 -0500
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+- $(call perrole-expansion,$(basename $(@F)),$@.role)
+- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++# $(call perrole-expansion,$(basename $(@F)),$@.role)
++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -146,7 +146,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ $(verbose) echo "" > $@
+- $(call parse-rolemap,base,$@)
++# $(call parse-rolemap,base,$@)
+
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.1/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.1/support/Makefile.devel 2008-11-25 09:45:43.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.752
retrieving revision 1.753
diff -u -r1.752 -r1.753
--- selinux-policy.spec 4 Dec 2008 21:43:55 -0000 1.752
+++ selinux-policy.spec 8 Dec 2008 16:38:09 -0000 1.753
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.1
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
- Previous message (by thread): rpms/openser/EL-4 openser.sysconfig, NONE, 1.1 .cvsignore, 1.5, 1.6 import.log, 1.2, 1.3 openser.spec, 1.13, 1.14 sources, 1.5, 1.6
- Next message (by thread): rpms/openoffice.org/devel workspace.impressfontsize.tar.gz, NONE, 1.1 openoffice.org.spec, 1.1712, 1.1713 workspace.impressfontsize.patch, 1.1, 1.2 openoffice.org-2.3.0.ooo80257.sd.textonlystyle.patch, 1.3, NONE openoffice.org-2.3.0.ooo80257.sd.textonlystyle.tar.gz, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list