rpms/selinux-policy/devel policy-20071130.patch, 1.80, 1.81 selinux-policy.spec, 1.618, 1.619
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Feb 28 03:32:31 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30066
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-5
- Allow nsplugin_config execstack/execmem
- Allow nsplugin_t to read alsa config
- Change apache to use user content
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- policy-20071130.patch 27 Feb 2008 02:30:24 -0000 1.80
+++ policy-20071130.patch 28 Feb 2008 03:32:23 -0000 1.81
@@ -2340,7 +2340,7 @@
java_domtrans(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-02-27 12:44:10.000000000 -0500
@@ -55,7 +55,7 @@
#
@@ -2350,7 +2350,7 @@
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
-@@ -68,33 +68,33 @@
+@@ -68,33 +68,34 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
@@ -2370,6 +2370,7 @@
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
- kernel_search_key($1_sudo_t)
++ kernel_link_key($1_sudo_t)
dev_read_urand($1_sudo_t)
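Review bot: The sudo rule added at L45, `kernel_link_key($1_sudo_t)`, widens the sudo domain from searching kernel keyrings to linking keys into them (L44 appears to be outer context showing the inner patch already dropping `kernel_search_key`), yet the log message at L11–L14 does not mention it; the same goes for the `/dev/vboxadd.*` label at L118, the new `httpd_unconfined_script_t` domain at L574–L578, the added `default_xproperty_t` read and `output_xext_t` use at L764–L765, and the removal of x_device `read` at L733, L756 and L775. One changelog line per behavioural change keeps the rule expansion traceable. The hunk gives no reason for the keyring permission either, so a one-line comment above L45 recording what sudo needs it for would help the next reviewer. The enclosing sudo template starts and ends outside the hunk.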
@@ -2388,7 +2389,7 @@
domain_use_interactive_fds($1_sudo_t)
domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +106,42 @@
+@@ -106,32 +107,42 @@
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
@@ -4322,7 +4323,7 @@
# /bin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-02-27 13:16:07.000000000 -0500
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@@ -5265,8 +5266,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,149 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-02-27 12:47:03.000000000 -0500
+@@ -0,0 +1,154 @@
+
+policy_module(nsplugin,1.0.0)
+
@@ -5311,6 +5312,7 @@
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
++ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
@@ -5359,6 +5361,10 @@
+userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
+
+optional_policy(`
++ alsa_read_rw_config(nsplugin_t)
++')
++
++optional_policy(`
+ mozilla_read_user_home_files(user, nsplugin_t)
+ mozilla_write_user_home_files(user, nsplugin_t)
+')
@@ -6213,7 +6219,7 @@
network_port(xen, tcp,8002,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 14:17:28.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-27 17:11:50.000000000 -0500
@@ -1,7 +1,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
@@ -6282,7 +6288,7 @@
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
-@@ -69,9 +85,8 @@
+@@ -69,14 +85,14 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
@@ -6294,7 +6300,13 @@
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -91,6 +106,7 @@
+ ')
+ /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -91,6 +107,7 @@
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
@@ -6302,7 +6314,7 @@
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
-@@ -98,13 +114,23 @@
+@@ -98,13 +115,23 @@
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -6326,7 +6338,7 @@
/dev/pts(/.*)? <<none>>
-@@ -134,3 +160,4 @@
+@@ -134,3 +161,4 @@
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -7148,7 +7160,7 @@
# iso9660_t is the type for CD filesystems
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-27 16:58:04.000000000 -0500
@@ -851,9 +851,8 @@
type proc_t, proc_afs_t;
')
@@ -7561,7 +7573,13 @@
# amavis local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-02-26 16:33:46.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-02-27 13:12:43.000000000 -0500
+@@ -1,4 +1,4 @@
+-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+
+ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -7609,7 +7627,7 @@
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-27 17:47:47.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -7630,15 +7648,17 @@
allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
-@@ -87,7 +83,6 @@
+@@ -87,7 +83,8 @@
manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
- files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
++ read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
++ read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -96,6 +91,7 @@
+@@ -96,6 +93,7 @@
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
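Review bot: The two pattern calls added at L178–L179, `read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)` and its lnk_file twin, pass the attribute `httpdcontent` as the directory argument, so the per-role script domain gains search on every httpdcontent directory of every role while file reads stay limited to httpd_$1_content_t; if only the role's own tree is meant, `httpd_$1_content_t` in both positions is the narrower rule. They are also unconditional, whereas the `can_exec(httpd_$1_script_t, httpdcontent)` at L191 appears to close a tunable block. Style: the new lines put a space after each comma while the neighbouring `manage_*_pattern` calls at L174–L176 do not; match the file's existing form. The enclosing template continues outside the hunk.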
@@ -7646,7 +7666,7 @@
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
-@@ -120,10 +116,6 @@
+@@ -120,10 +118,6 @@
can_exec(httpd_$1_script_t, httpdcontent)
')
@@ -7657,7 +7677,7 @@
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-@@ -177,48 +169,6 @@
+@@ -177,48 +171,6 @@
miscfiles_read_localization(httpd_$1_script_t)
')
@@ -7706,58 +7726,173 @@
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -267,7 +217,7 @@
+@@ -265,72 +217,79 @@
+ template(`apache_per_role_template', `
+ gen_require(`
attribute httpdcontent, httpd_script_domains;
- attribute httpd_exec_scripts, httpd_user_content_type;
- attribute httpd_user_script_exec_type;
+- attribute httpd_exec_scripts, httpd_user_content_type;
+- attribute httpd_user_script_exec_type;
- type httpd_t, httpd_suexec_t, httpd_log_t;
++ attribute httpd_exec_scripts;
+ type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
++ type httpd_user_content_t;
++ type httpd_user_script_t;
++ type httpd_user_script_ra_t;
++ type httpd_user_script_rw_t;
++ type httpd_user_script_ro_t;
++ type httpd_user_script_exec_t;
++ type httpd_user_htaccess_t;
++ ')
++
++
++ ifelse(`$1',`user',`',`
++ typealias httpd_user_content_t alias httpd_$1_content_t;
++ typealias httpd_user_script_ra_t alias httpd_$1_script_ra_t;
++ typealias httpd_user_script_rw_t alias httpd_$1_script_rw_t;
++ typealias httpd_user_script_ro_t alias httpd_$1_script_ro_t;
++ typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t;
++ typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t;
+ ')
+
+- apache_content_template($1)
+
+- typeattribute httpd_$1_content_t httpd_user_content_type;
+- typeattribute httpd_$1_script_ra_t httpd_user_content_type;
+- typeattribute httpd_$1_script_rw_t httpd_user_content_type;
+- typeattribute httpd_$1_script_ro_t httpd_user_content_type;
+- typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;
+-
+- typeattribute httpd_$1_script_t httpd_script_domains;
+- userdom_user_home_content($1,httpd_$1_content_t)
+-
+- role $3 types httpd_$1_script_t;
+-
+- allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+-
+- allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+-
+- manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+- manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+- manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+- relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+- relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+- relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+-
+- manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+- manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+- manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+- relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+- relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+- relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+-
+- manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+- manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+- manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+- relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+- relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+- relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-
+- manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+- manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+- manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+- relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+- relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+- relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
++ role $3 types httpd_user_script_t;
++
++ allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
++
++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
++
++ manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
++ manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
++ manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
++ relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
++ relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
++ relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
++
++ manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
++ manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
++ manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
++ relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
++ relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
++ relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
++
++ manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
++ manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
++ manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
++ relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
++ relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
++ relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
++
++ manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+- domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
++ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_$1_script_t httpdcontent:file entrypoint;
++ allow httpd_user_script_t httpdcontent:file entrypoint;
+
+- domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
++ domtrans_pattern($2, httpdcontent, httpd_user_script_t)
')
- apache_content_template($1)
-@@ -331,6 +281,7 @@
- userdom_search_user_home_dirs($1,httpd_t)
- userdom_search_user_home_dirs($1,httpd_suexec_t)
- userdom_search_user_home_dirs($1,httpd_$1_script_t)
-+ userdom_search_user_home_dirs($1,httpd_sys_script_t)
+ # allow accessing files/dirs below the users home dir
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs($1,httpd_t)
+- userdom_search_user_home_dirs($1,httpd_suexec_t)
+- userdom_search_user_home_dirs($1,httpd_$1_script_t)
++ userdom_search_user_home_dirs(user,httpd_t)
++ userdom_search_user_home_dirs(user,httpd_suexec_t)
++ userdom_search_user_home_dirs(user,httpd_user_script_t)
++ userdom_search_user_home_dirs(user,httpd_sys_script_t)
')
')
-@@ -352,12 +303,11 @@
+@@ -352,12 +311,11 @@
#
template(`apache_read_user_scripts',`
gen_require(`
- type httpd_$1_script_exec_t;
-+ attribute httpd_user_script_exec_type;
++ type httpd_user_script_exec_t;
')
-
- allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
- read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
- read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
-+ allow $2 httpd_user_script_exec_type:dir list_dir_perms;
-+ read_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
-+ read_lnk_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
++ allow $2 httpd_user_script_exec_t:dir list_dir_perms;
++ read_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ read_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
')
########################################
-@@ -378,12 +328,12 @@
+@@ -378,12 +336,12 @@
#
template(`apache_read_user_content',`
gen_require(`
- type httpd_$1_content_t;
-+ attribute httpd_user_content_type;
++ type httpd_user_content_t;
')
- allow $2 httpd_$1_content_t:dir list_dir_perms;
- read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
- read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
-+ allow $2 httpd_user_content_type:dir list_dir_perms;
-+ read_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
-+ read_lnk_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
++ allow $2 httpd_user_content_t:dir list_dir_perms;
++ read_files_pattern($2,httpd_user_content_t,httpd_user_content_t)
++ read_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t)
')
########################################
-@@ -761,6 +711,7 @@
+@@ -761,6 +719,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
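Review bot: In the rewritten `apache_per_role_template` the home-directory search rules at L338–L341 hard-code `user` as the role argument (`userdom_search_user_home_dirs(user,httpd_t)` and the three lines after it), so for any role whose home directory type is not user_home_dir_t — staff, if that type is still distinct in this policy — httpd_t and the script domains get no search permission on its home even though apache.fc at L154 labels HOME_DIR/public_html for every role; unless only the `user` role's home is ever meant to be served, these should stay `$1`. The same hard-coding appears in apache.te at L480, `userdom_user_home_content(user,httpd_user_content_t)`. Because every role now shares the single httpd_user_* types (aliases at L227–L234, rules at L280–L312), any role's $2 domain can manage and relabel every other role's web content; that loss of per-role separation is presumably what "Change apache to use user content" intends, but it belongs in the template's summary, e.g. `## All roles share the httpd_user_* content types; per-role names survive only as aliases.` Note also that the `typealias` lines are emitted once per caller, so two modules invoking the template for the same role would declare the alias twice — confirm that cannot happen here.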
@@ -7765,7 +7900,7 @@
')
########################################
-@@ -845,6 +796,10 @@
+@@ -845,6 +804,10 @@
type httpd_sys_script_t;
')
@@ -7776,7 +7911,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
-@@ -932,7 +887,7 @@
+@@ -932,7 +895,7 @@
type httpd_squirrelmail_t;
')
@@ -7785,7 +7920,31 @@
')
########################################
-@@ -1088,3 +1043,133 @@
+@@ -1023,16 +986,16 @@
+ #
+ interface(`apache_manage_all_user_content',`
+ gen_require(`
+- attribute httpd_user_content_type, httpd_user_script_exec_type;
++ type httpd_user_content_t, httpd_user_script_exec_t;
+ ')
+
+- manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type)
+- manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type)
+- manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type)
++ manage_dirs_pattern($1,httpd_user_content_t,httpd_user_content_t)
++ manage_files_pattern($1,httpd_user_content_t,httpd_user_content_t)
++ manage_lnk_files_pattern($1,httpd_user_content_t,httpd_user_content_t)
+
+- manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+- manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+- manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
++ manage_dirs_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ manage_files_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t)
++ manage_lnk_files_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t)
+ ')
+
+ ########################################
+@@ -1088,3 +1051,133 @@
allow httpd_t $1:process signal;
')
@@ -7921,7 +8080,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-27 17:28:38.000000000 -0500
@@ -20,6 +20,8 @@
# Declarations
#
@@ -7971,7 +8130,7 @@
## the terminal.
## </p>
## </desc>
-@@ -109,6 +118,27 @@
+@@ -109,14 +118,33 @@
## </desc>
gen_tunable(httpd_unified,false)
@@ -7997,9 +8156,17 @@
+gen_tunable(allow_httpd_sys_script_anon_write,false)
+
attribute httpdcontent;
- attribute httpd_user_content_type;
+-attribute httpd_user_content_type;
+
+ # domains that can exec all users scripts
+ attribute httpd_exec_scripts;
-@@ -147,6 +177,9 @@
+ attribute httpd_script_exec_type;
+-attribute httpd_user_script_exec_type;
+
+ # user script domains
+ attribute httpd_script_domains;
+@@ -147,6 +175,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -8009,7 +8176,15 @@
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -207,7 +240,7 @@
+@@ -202,12 +233,15 @@
+ prelink_object_file(httpd_modules_t)
+ ')
+
++apache_content_template(user)
++userdom_user_home_content(user,httpd_user_content_t)
++
+ ########################################
+ #
# Apache server local policy
#
@@ -8018,7 +8193,7 @@
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -249,6 +282,7 @@
+@@ -249,6 +283,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -8026,7 +8201,7 @@
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +323,7 @@
+@@ -289,6 +324,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -8034,7 +8209,7 @@
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -315,9 +350,7 @@
+@@ -315,9 +351,7 @@
auth_use_nsswitch(httpd_t)
@@ -8045,7 +8220,7 @@
domain_use_interactive_fds(httpd_t)
-@@ -335,6 +368,10 @@
+@@ -335,6 +369,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -8056,7 +8231,7 @@
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -351,25 +388,38 @@
+@@ -351,25 +389,38 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -8100,7 +8275,7 @@
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +432,10 @@
+@@ -382,6 +433,10 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -8111,7 +8286,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -399,11 +453,21 @@
+@@ -399,11 +454,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -8133,7 +8308,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +501,14 @@
+@@ -437,8 +502,14 @@
')
optional_policy(`
@@ -8149,7 +8324,7 @@
')
optional_policy(`
-@@ -450,19 +520,13 @@
+@@ -450,19 +521,13 @@
')
optional_policy(`
@@ -8170,7 +8345,7 @@
')
optional_policy(`
-@@ -472,13 +536,14 @@
+@@ -472,13 +537,14 @@
openca_kill(httpd_t)
')
@@ -8189,7 +8364,7 @@
')
optional_policy(`
-@@ -486,6 +551,7 @@
+@@ -486,6 +552,7 @@
')
optional_policy(`
@@ -8197,11 +8372,17 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +587,13 @@
+@@ -521,6 +588,19 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
+optional_policy(`
++ type httpd_unconfined_script_t;
++ type httpd_unconfined_script_exec_t;
++ domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
++ unconfined_domain(httpd_unconfined_script_t)
++
+ tunable_policy(`httpd_tty_comm',`
+ unconfined_use_terminals(httpd_helper_t)
+ ')
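Review bot: The block at L574–L578 creates `httpd_unconfined_script_t`, makes `httpd_t` transition into it on executing anything labelled `httpd_unconfined_script_exec_t`, and then applies `unconfined_domain`, so a single mislabelled CGI turns the web server into an unconfined process; nothing in this hunk gates that transition behind a tunable the way the other script transitions in this file are (`httpd_enable_cgi` at L530 and L612), and no file context or labelling interface for the exec type is visible here — confirm both exist. The `type` declarations also sit inside an `optional_policy(` in the local-policy section, whereas the file's other type declarations live in the Declarations area (L468, L473); moving `type httpd_unconfined_script_t;` and `type httpd_unconfined_script_exec_t;` up there and leaving only the `domain_entry_file`, `domtrans_pattern` and `unconfined_domain` calls in the optional block would match that layout. Add a comment above the block such as `# Scripts labelled httpd_unconfined_script_exec_t run fully unconfined when launched by httpd; reserve the label for trusted administrator-controlled scripts.` The optional block continues outside the hunk.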
@@ -8211,7 +8392,7 @@
########################################
#
# Apache PHP script local policy
-@@ -550,18 +623,24 @@
+@@ -550,18 +630,24 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -8239,7 +8420,7 @@
')
########################################
-@@ -585,6 +664,8 @@
+@@ -585,6 +671,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -8248,7 +8429,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +674,7 @@
+@@ -593,9 +681,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -8259,7 +8440,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +707,7 @@
+@@ -628,6 +714,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -8267,7 +8448,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +718,12 @@
+@@ -638,6 +725,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -8280,7 +8461,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +741,6 @@
+@@ -655,10 +748,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -8291,7 +8472,7 @@
########################################
#
# Apache system script local policy
-@@ -668,7 +750,8 @@
+@@ -668,7 +757,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -8301,7 +8482,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +765,44 @@
+@@ -682,15 +772,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -8313,15 +8494,15 @@
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -8347,7 +8528,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +812,15 @@
+@@ -700,9 +819,15 @@
clamav_domtrans_clamscan(httpd_sys_script_t)
')
@@ -8363,7 +8544,7 @@
')
########################################
-@@ -724,3 +842,46 @@
+@@ -724,3 +849,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -13552,7 +13733,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-02-27 16:57:40.000000000 -0500
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -16034,7 +16215,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.3.1/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/nscd.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/nscd.te 2008-02-27 17:21:47.000000000 -0500
@@ -23,19 +23,22 @@
type nscd_log_t;
logging_log_file(nscd_log_t)
@@ -16070,16 +16251,15 @@
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
-@@ -73,6 +78,8 @@
+@@ -73,6 +78,7 @@
corenet_udp_sendrecv_all_nodes(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
-+corenet_udp_bind_all_nodes(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
-@@ -93,6 +100,7 @@
+@@ -93,6 +99,7 @@
libs_use_ld_so(nscd_t)
libs_use_shared_libs(nscd_t)
@@ -16087,7 +16267,7 @@
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
-@@ -114,3 +122,12 @@
+@@ -114,3 +121,12 @@
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -22506,7 +22686,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-26 09:47:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 18:04:08.000000000 -0500
@@ -15,6 +15,11 @@
template(`xserver_common_domain_template',`
gen_require(`
@@ -22911,7 +23091,7 @@
- libs_use_ld_so($1_iceauth_t)
- libs_use_shared_libs($1_iceauth_t)
+ # Device rules
-+ allow xdm_x_domain $2:x_device { read getattr setattr setfocus grab bell };
++ allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };
- userdom_use_user_terminals($1,$1_iceauth_t)
+ allow $2 { input_xevent_t xdm_input_xevent_type }:x_event send;
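Review bot: The `read` permission is dropped from the x_device rule at L733 without a comment, and the same removal is made at L756 (the rule under the "Hacks" comment) and L775 (`~{ read }` in place of `*`), so the reason survives only in this diff; presumably the aim is to keep X client domains from reading other clients' input devices, which is the right direction, but the policy should say so. Put a comment on the first of them, e.g. `# x_device read is withheld so one client cannot read another client's input`, and point to it from the other two. The surrounding template starts and ends outside the hunk.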
@@ -22957,7 +23137,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -542,25 +539,356 @@
+@@ -542,25 +539,360 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -23051,6 +23231,7 @@
+ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
+ type xdm_default_xproperty_t;
+ type disallowed_xext_t;
++ type output_xext_t;
+
+ attribute x_server_domain, x_domain;
+ attribute xproperty_type;
@@ -23100,7 +23281,7 @@
+ # Hacks
+ # everyone can get the input focus of everyone else
+ # this is a fundamental brokenness in the X protocol
-+ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell read manage freeze getattr grab };
++ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab };
+ # everyone can grab the server
+ # everyone does it, it is basically a free DOS attack
+ allow $3 x_server_domain:x_server grab;
@@ -23128,6 +23309,9 @@
+ # X Properties
+ # can read and write client properties
+ allow $3 $2_default_xproperty_t:x_property { create destroy read write };
++ allow $3 default_xproperty_t:x_property read;
++ allow $3 output_xext_t:x_extension use;
++
+ allow $3 xdm_default_xproperty_t:x_property { write read };
+
+ type_transition $3 default_xproperty_t:x_property $2_default_xproperty_t;
@@ -23228,7 +23412,7 @@
+ allow $3 xselection_type:x_selection *;
+ allow $3 x_domain:x_cursor *;
+ allow $3 { x_domain remote_xclient_t }:x_client *;
-+ allow $3 { x_domain x_server_domain }:x_device *;
++ allow $3 { x_domain x_server_domain }:x_device ~{ read };
+ allow $3 xextension_type:x_extension *;
+ allow $3 { x_domain x_server_domain }:x_resource *;
+ allow $3 xevent_type:{ x_event x_synthetic_event } *;
@@ -23320,7 +23504,7 @@
')
')
-@@ -593,26 +921,44 @@
+@@ -593,26 +925,44 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
@@ -23372,7 +23556,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -638,10 +984,77 @@
+@@ -638,10 +988,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
@@ -23452,7 +23636,7 @@
')
########################################
-@@ -671,10 +1084,10 @@
+@@ -671,10 +1088,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@@ -23465,7 +23649,7 @@
')
########################################
-@@ -760,7 +1173,7 @@
+@@ -760,7 +1177,7 @@
type xconsole_device_t;
')
@@ -23474,7 +23658,7 @@
')
########################################
-@@ -860,6 +1273,25 @@
+@@ -860,6 +1277,25 @@
########################################
## <summary>
@@ -23500,7 +23684,7 @@
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
-@@ -914,6 +1346,7 @@
+@@ -914,6 +1350,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -23508,7 +23692,7 @@
')
########################################
-@@ -955,6 +1388,24 @@
+@@ -955,6 +1392,24 @@
########################################
## <summary>
@@ -23533,7 +23717,7 @@
## Execute the X server in the XDM X server domain.
## </summary>
## <param name="domain">
-@@ -965,15 +1416,47 @@
+@@ -965,15 +1420,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@@ -23582,7 +23766,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1123,7 +1606,7 @@
+@@ -1123,7 +1610,7 @@
type xdm_xserver_tmp_t;
')
@@ -23591,7 +23775,7 @@
')
########################################
-@@ -1312,3 +1795,108 @@
+@@ -1312,3 +1799,108 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -23702,7 +23886,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 18:04:32.000000000 -0500
@@ -16,21 +16,79 @@
## <desc>
@@ -24253,7 +24437,7 @@
+allow xserver_unconfined_type xselection_type:x_selection *;
+allow xserver_unconfined_type { x_domain self }:x_cursor *;
+allow xserver_unconfined_type { x_domain remote_xclient_t self }:x_client *;
-+allow xserver_unconfined_type { x_domain x_server_domain self }:x_device *;
++allow xserver_unconfined_type { x_domain x_server_domain self }:x_device ~{ read };
+allow xserver_unconfined_type xextension_type:x_extension *;
+allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -27984,7 +28168,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-02-26 17:21:16.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-02-27 16:50:07.000000000 -0500
@@ -6,35 +6,67 @@
# Declarations
#
@@ -28068,7 +28252,7 @@
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -51,13 +86,25 @@
+@@ -51,14 +86,23 @@
userdom_priveleged_home_dir_manager(unconfined_t)
optional_policy(`
@@ -28090,13 +28274,13 @@
optional_policy(`
apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
+- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
-+ # this is dissallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
+- unconfined_domain(httpd_unconfined_script_t)
')
-@@ -69,11 +116,11 @@
+ optional_policy(`
+@@ -69,11 +113,11 @@
bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
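Review bot: The inner patch now deletes `unconfined_domain(httpd_unconfined_script_t)` from unconfined.te (L900) together with the `apache_per_role_template(unconfined, ...)` call (L896), but the commit log only says "Change apache to use user content"; dropping an unconfined_domain() grant changes what httpd_unconfined_script_t may do and deserves its own changelog line, e.g. `- Remove unconfined_domain(httpd_unconfined_script_t) from unconfined.te`. It is not visible here whether the per-role template call moved into userdomain.if re-grants that script domain its previous access, so confirm that apache behaviour under unconfined_t is either unchanged or intentionally tightened. The enclosing optional_policy block of this hunk starts outside it.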
@@ -28113,7 +28297,7 @@
optional_policy(`
init_dbus_chat_script(unconfined_t)
-@@ -101,12 +148,24 @@
+@@ -101,12 +145,24 @@
')
optional_policy(`
@@ -28138,7 +28322,7 @@
')
optional_policy(`
-@@ -118,11 +177,7 @@
+@@ -118,11 +174,7 @@
')
optional_policy(`
@@ -28151,7 +28335,7 @@
')
optional_policy(`
-@@ -134,14 +189,6 @@
+@@ -134,14 +186,6 @@
')
optional_policy(`
@@ -28166,7 +28350,7 @@
oddjob_domtrans_mkhomedir(unconfined_t)
')
-@@ -154,38 +201,37 @@
+@@ -154,38 +198,37 @@
')
optional_policy(`
@@ -28219,7 +28403,7 @@
')
optional_policy(`
-@@ -205,11 +251,30 @@
+@@ -205,11 +248,30 @@
')
optional_policy(`
@@ -28252,7 +28436,7 @@
')
########################################
-@@ -219,14 +284,34 @@
+@@ -219,14 +281,34 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -28307,7 +28491,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-02-27 13:18:26.000000000 -0500
@@ -29,9 +29,14 @@
')
@@ -29322,13 +29506,14 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1100,21 @@
+@@ -1091,32 +1100,25 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
-- ')
--
++ alsa_read_rw_config($1_usertype)
+ ')
+
- optional_policy(`
- dbus_per_role_template($1, $1_t, $1_r)
- dbus_system_bus_client_template($1, $1_t)
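Review bot: Changing the subject from `$1_t` to `$1_usertype` at L967 widens `alsa_read_rw_config` — which by its name grants write as well as read on the ALSA config — from the single user domain to every domain carrying the `$1_usertype` attribute. The changelog states the goal as letting nsplugin_t read the alsa config; if that is the only new consumer, calling the interface from the nsplugin policy (or a read-only alsa interface, if one exists) leaves the attribute's other members at their previous privilege. The membership of `$1_usertype` is not visible in this hunk, so treat this as something to confirm rather than a certain over-grant. The enclosing template starts outside the hunk.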
@@ -29340,11 +29525,6 @@
- optional_policy(`
- cups_dbus_chat($1_t)
- ')
-+ alsa_read_rw_config($1_usertype)
- ')
-
-- optional_policy(`
-- java_per_role_template($1, $1_t, $1_r)
- ')
+ # Broken Cover up bugzilla #345921 Should be removed when this is fixed
+ corenet_tcp_connect_soundd_port($1_t)
@@ -29353,6 +29533,11 @@
+ corenet_tcp_sendrecv_lo_node($1_t)
optional_policy(`
+- java_per_role_template($1, $1_t, $1_r)
++ apache_per_role_template($1, $1_usertype, $1_r)
+ ')
+
+ optional_policy(`
- mono_per_role_template($1, $1_t, $1_r)
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
')
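Review bot: `apache_per_role_template($1, $1_usertype, $1_r)` at L989 passes the `$1_usertype` attribute as the domain argument, following the `nsplugin_per_role_template` call at L994, whereas the unconfined.te call it replaces (L896) passed the concrete type `unconfined_t`. Not every per-role template is written to accept an attribute in that position, and the body of apache_per_role_template is not visible here, so a quick check of it in apache.if would settle whether the attribute is usable everywhere the template uses its second argument. A one-line comment above the call, e.g. `# apache per-role content is now instantiated for every user role, not only unconfined`, would also record why the call moved into this template. The enclosing template starts outside the hunk.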
@@ -29363,7 +29548,7 @@
')
')
-@@ -1127,10 +1125,10 @@
+@@ -1127,10 +1129,10 @@
## </summary>
## <desc>
## <p>
@@ -29378,7 +29563,7 @@
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1193,12 +1191,11 @@
+@@ -1193,12 +1195,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -29393,7 +29578,7 @@
')
# Run pppd in pppd_t by default for user
-@@ -1207,7 +1204,23 @@
+@@ -1207,7 +1208,23 @@
')
optional_policy(`
@@ -29418,7 +29603,7 @@
')
')
-@@ -1284,8 +1297,6 @@
+@@ -1284,8 +1301,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -29427,7 +29612,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1363,13 +1374,6 @@
+@@ -1363,13 +1378,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -29441,7 +29626,7 @@
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1422,6 +1426,7 @@
+@@ -1422,6 +1430,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -29449,7 +29634,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1787,10 +1792,14 @@
+@@ -1787,10 +1796,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -29465,7 +29650,7 @@
')
########################################
-@@ -1886,11 +1895,11 @@
+@@ -1886,11 +1899,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -29479,7 +29664,7 @@
')
########################################
-@@ -1920,11 +1929,11 @@
+@@ -1920,11 +1933,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -29493,7 +29678,7 @@
')
########################################
-@@ -1968,12 +1977,12 @@
+@@ -1968,12 +1981,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -29509,7 +29694,7 @@
')
########################################
-@@ -2003,10 +2012,10 @@
+@@ -2003,10 +2016,10 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -29522,7 +29707,7 @@
')
########################################
-@@ -2038,11 +2047,47 @@
+@@ -2038,11 +2051,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -29572,7 +29757,7 @@
')
########################################
-@@ -2074,10 +2119,10 @@
+@@ -2074,10 +2123,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -29585,7 +29770,7 @@
')
########################################
-@@ -2107,11 +2152,11 @@
+@@ -2107,11 +2156,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -29599,7 +29784,7 @@
')
########################################
-@@ -2141,11 +2186,11 @@
+@@ -2141,11 +2190,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -29614,7 +29799,7 @@
')
########################################
-@@ -2175,10 +2220,14 @@
+@@ -2175,10 +2224,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -29631,7 +29816,7 @@
')
########################################
-@@ -2208,11 +2257,11 @@
+@@ -2208,11 +2261,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -29645,7 +29830,7 @@
')
########################################
-@@ -2242,11 +2291,11 @@
+@@ -2242,11 +2295,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -29659,7 +29844,7 @@
')
########################################
-@@ -2276,10 +2325,10 @@
+@@ -2276,10 +2329,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -29672,7 +29857,7 @@
')
########################################
-@@ -2311,12 +2360,12 @@
+@@ -2311,12 +2364,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -29688,7 +29873,7 @@
')
########################################
-@@ -2348,10 +2397,10 @@
+@@ -2348,10 +2401,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -29701,7 +29886,7 @@
')
########################################
-@@ -2383,12 +2432,12 @@
+@@ -2383,12 +2436,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -29717,7 +29902,7 @@
')
########################################
-@@ -2420,12 +2469,12 @@
+@@ -2420,12 +2473,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -29733,7 +29918,7 @@
')
########################################
-@@ -2457,12 +2506,12 @@
+@@ -2457,12 +2510,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -29749,7 +29934,7 @@
')
########################################
-@@ -2507,11 +2556,11 @@
+@@ -2507,11 +2560,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -29763,7 +29948,7 @@
')
########################################
-@@ -2556,11 +2605,11 @@
+@@ -2556,11 +2609,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -29777,7 +29962,7 @@
')
########################################
-@@ -2600,11 +2649,11 @@
+@@ -2600,11 +2653,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -29791,7 +29976,7 @@
')
########################################
-@@ -2634,11 +2683,11 @@
+@@ -2634,11 +2687,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -29805,7 +29990,7 @@
')
########################################
-@@ -2668,11 +2717,11 @@
+@@ -2668,11 +2721,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -29819,7 +30004,7 @@
')
########################################
-@@ -2704,10 +2753,10 @@
+@@ -2704,10 +2757,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -29832,7 +30017,7 @@
')
########################################
-@@ -2739,10 +2788,10 @@
+@@ -2739,10 +2792,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -29845,7 +30030,7 @@
')
########################################
-@@ -2772,12 +2821,12 @@
+@@ -2772,12 +2825,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -29861,7 +30046,7 @@
')
########################################
-@@ -2809,10 +2858,10 @@
+@@ -2809,10 +2862,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -29874,7 +30059,7 @@
')
########################################
-@@ -2844,10 +2893,48 @@
+@@ -2844,10 +2897,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -29925,7 +30110,7 @@
')
########################################
-@@ -2877,12 +2964,12 @@
+@@ -2877,12 +2968,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -29941,7 +30126,7 @@
')
########################################
-@@ -2914,10 +3001,10 @@
+@@ -2914,10 +3005,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -29954,7 +30139,7 @@
')
########################################
-@@ -2949,12 +3036,12 @@
+@@ -2949,12 +3040,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -29970,7 +30155,7 @@
')
########################################
-@@ -2986,11 +3073,11 @@
+@@ -2986,11 +3077,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -29984,7 +30169,7 @@
')
########################################
-@@ -3022,11 +3109,11 @@
+@@ -3022,11 +3113,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -29998,7 +30183,7 @@
')
########################################
-@@ -3058,11 +3145,11 @@
+@@ -3058,11 +3149,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -30012,7 +30197,7 @@
')
########################################
-@@ -3094,11 +3181,11 @@
+@@ -3094,11 +3185,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -30026,7 +30211,7 @@
')
########################################
-@@ -3130,11 +3217,11 @@
+@@ -3130,11 +3221,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -30040,7 +30225,7 @@
')
########################################
-@@ -3179,10 +3266,10 @@
+@@ -3179,10 +3270,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -30053,7 +30238,7 @@
files_search_tmp($2)
')
-@@ -3223,10 +3310,10 @@
+@@ -3223,10 +3314,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -30066,7 +30251,7 @@
')
########################################
-@@ -3254,6 +3341,42 @@
+@@ -3254,6 +3345,42 @@
## </summary>
## </param>
#
@@ -30109,7 +30294,7 @@
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
-@@ -4231,11 +4354,11 @@
+@@ -4231,11 +4358,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -30123,7 +30308,7 @@
')
########################################
-@@ -4251,10 +4374,10 @@
+@@ -4251,10 +4378,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -30136,7 +30321,7 @@
')
########################################
-@@ -4270,11 +4393,11 @@
+@@ -4270,11 +4397,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -30150,7 +30335,7 @@
')
########################################
-@@ -4289,16 +4412,16 @@
+@@ -4289,16 +4416,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -30170,7 +30355,7 @@
## users home directory.
## </summary>
## <param name="domain">
-@@ -4307,12 +4430,27 @@
+@@ -4307,12 +4434,27 @@
## </summary>
## </param>
#
@@ -30201,7 +30386,7 @@
')
########################################
-@@ -4327,13 +4465,13 @@
+@@ -4327,13 +4469,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -30219,7 +30404,7 @@
')
########################################
-@@ -4531,10 +4669,10 @@
+@@ -4531,10 +4673,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -30232,7 +30417,7 @@
')
########################################
-@@ -4551,10 +4689,10 @@
+@@ -4551,10 +4693,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -30245,7 +30430,7 @@
')
########################################
-@@ -4569,10 +4707,10 @@
+@@ -4569,10 +4711,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -30258,7 +30443,7 @@
')
########################################
-@@ -4588,10 +4726,10 @@
+@@ -4588,10 +4730,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -30271,7 +30456,7 @@
')
########################################
-@@ -4606,10 +4744,10 @@
+@@ -4606,10 +4748,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -30284,7 +30469,7 @@
')
########################################
-@@ -4625,10 +4763,10 @@
+@@ -4625,10 +4767,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -30297,7 +30482,7 @@
')
########################################
-@@ -4644,12 +4782,11 @@
+@@ -4644,12 +4786,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -30313,7 +30498,7 @@
')
########################################
-@@ -4676,10 +4813,10 @@
+@@ -4676,10 +4817,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -30326,7 +30511,7 @@
')
########################################
-@@ -4694,10 +4831,10 @@
+@@ -4694,10 +4835,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -30339,7 +30524,7 @@
')
########################################
-@@ -4712,13 +4849,13 @@
+@@ -4712,13 +4853,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -30357,7 +30542,7 @@
')
########################################
-@@ -4754,11 +4891,49 @@
+@@ -4754,11 +4895,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -30408,7 +30593,7 @@
')
########################################
-@@ -4778,6 +4953,14 @@
+@@ -4778,6 +4957,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -30423,7 +30608,7 @@
')
########################################
-@@ -4839,6 +5022,26 @@
+@@ -4839,6 +5026,26 @@
########################################
## <summary>
@@ -30450,7 +30635,7 @@
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
-@@ -4859,6 +5062,25 @@
+@@ -4859,6 +5066,25 @@
########################################
## <summary>
@@ -30476,7 +30661,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4879,6 +5101,26 @@
+@@ -4879,6 +5105,26 @@
########################################
## <summary>
@@ -30503,7 +30688,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5357,7 @@
+@@ -5115,7 +5361,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -30512,7 +30697,7 @@
')
files_search_home($1)
-@@ -5304,6 +5546,50 @@
+@@ -5304,6 +5550,50 @@
########################################
## <summary>
@@ -30563,7 +30748,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,6 +5795,42 @@
+@@ -5509,6 +5799,42 @@
########################################
## <summary>
@@ -30606,7 +30791,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5674,6 +5996,42 @@
+@@ -5674,6 +6000,42 @@
########################################
## <summary>
@@ -30649,7 +30834,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6062,368 @@
+@@ -5704,3 +6066,368 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.618
retrieving revision 1.619
diff -u -r1.618 -r1.619
--- selinux-policy.spec 26 Feb 2008 23:02:51 -0000 1.618
+++ selinux-policy.spec 28 Feb 2008 03:32:23 -0000 1.619
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,11 @@
%endif
%changelog
+* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-5
+- Allow nsplugin_config execstack/execmem
+- Allow nsplugin_t to read alsa config
+- Change apache to use user content
+
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-4
- Add cyphesis policy