rpms/selinux-policy/devel policy-20061106.patch, 1.52, 1.53 selinux-policy.spec, 1.374, 1.375
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Dec 28 17:39:15 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv493
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Thu Dec 28 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-19
- Add gconf policy and make it work with strict
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 48 ++
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 9
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 2
policy/modules/admin/netutils.te | 1
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 46 +-
policy/modules/admin/su.if | 28 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 10
policy/modules/admin/usermanage.te | 21 -
policy/modules/apps/evolution.if | 100 +++++
policy/modules/apps/gnome.if | 76 ++++
policy/modules/apps/gnome.te | 3
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 38 ++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17
policy/modules/apps/mozilla.if | 92 +++--
policy/modules/apps/mplayer.if | 73 ++++
policy/modules/apps/slocate.te | 2
policy/modules/apps/thunderbird.if | 31 +
policy/modules/apps/userhelper.if | 19 +
policy/modules/kernel/corecommands.fc | 8
policy/modules/kernel/corecommands.if | 58 +++
policy/modules/kernel/corenetwork.if.in | 97 +++++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 21 +
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 180 +++++++++-
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.if | 61 +++
policy/modules/kernel/kernel.te | 4
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 92 ++---
policy/modules/services/cron.te | 30 +
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 16
policy/modules/services/ftp.te | 14
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/inetd.te | 9
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 56 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 15
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 +++
policy/modules/services/pcscd.te | 74 ++++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 ++++
policy/modules/services/rhgb.te | 3
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/setroubleshoot.if | 20 +
policy/modules/services/setroubleshoot.te | 1
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 8
policy/modules/services/ssh.if | 40 ++
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 +++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 186 ++++++++++
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.if | 74 ++++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 10
policy/modules/system/init.if | 3
policy/modules/system/init.te | 31 +
policy/modules/system/iptables.te | 7
policy/modules/system/libraries.fc | 29 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 9
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 79 ++++
policy/modules/system/modutils.te | 14
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 113 ++++++
policy/modules/system/selinuxutil.te | 107 +----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 34 +
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 19 +
policy/modules/system/userdomain.if | 538 ++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 61 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 +
158 files changed, 3255 insertions(+), 521 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- policy-20061106.patch 24 Dec 2006 16:23:25 -0000 1.52
+++ policy-20061106.patch 28 Dec 2006 17:39:12 -0000 1.53
@@ -593,7 +593,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-2.4.6/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/sudo.if 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/sudo.if 2006-12-27 15:52:50.000000000 -0500
@@ -71,6 +71,7 @@
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
@@ -602,11 +602,19 @@
# Enter this derived domain from the user domain
domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
-@@ -95,10 +96,10 @@
+@@ -88,6 +89,7 @@
+
+ kernel_read_kernel_sysctls($1_sudo_t)
+ kernel_read_system_state($1_sudo_t)
++ kernel_search_key($1_sudo_t)
+
+ dev_read_urand($1_sudo_t)
+
+@@ -95,10 +97,10 @@
fs_getattr_xattr_fs($1_sudo_t)
auth_domtrans_chk_passwd($1_sudo_t)
-+ auth_read_pam_pid($1_sudo_t)
++ auth_manage_pam_pid($1_sudo_t)
- corecmd_getattr_bin_files($1_sudo_t)
corecmd_read_sbin_symlinks($1_sudo_t)
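Review bot: Replacing `auth_read_pam_pid($1_sudo_t)` with `auth_manage_pam_pid($1_sudo_t)` widens every per-role sudo domain from reading the PAM run-time files to managing them, and the patch carries no comment saying why. The next hunk removes the TODO-guarded pam.te block that granted create permissions on pam_var_run_t, so this call looks like its replacement. A line such as `# sudo creates and updates its files under the PAM pid directory` above the call would record that (wording for the author to confirm). If creating and writing files is all sudo needs, it is worth checking whether a narrower interface exists before settling on manage. The sudo template starts and ends outside this hunk.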
@@ -615,10 +623,32 @@
domain_use_interactive_fds($1_sudo_t)
domain_sigchld_interactive_fds($1_sudo_t)
+@@ -145,9 +147,5 @@
+ domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+ ')
+
+- ifdef(`pam.te', `
+- allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
+- allow $1_sudo_t pam_var_run_t:file create_file_perms;
+- ')
+ ') dnl end TODO
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.4.6/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/su.if 2006-12-23 22:41:19.000000000 -0500
-@@ -64,6 +64,7 @@
++++ serefpolicy-2.4.6/policy/modules/admin/su.if 2006-12-28 11:43:31.000000000 -0500
+@@ -31,9 +31,10 @@
+ template(`su_restricted_domain_template', `
+ gen_require(`
+ type su_exec_t;
++ attribute sudomain;
+ ')
+
+- type $1_su_t;
++ type $1_su_t, sudomain;
+ domain_entry_file($1_su_t,su_exec_t)
+ domain_type($1_su_t)
+ domain_interactive_fd($1_su_t)
+@@ -64,6 +65,7 @@
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
@@ -626,7 +656,7 @@
# for SSP
dev_read_urand($1_su_t)
-@@ -180,6 +181,7 @@
+@@ -180,6 +182,7 @@
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
@@ -634,7 +664,7 @@
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
-@@ -195,6 +197,8 @@
+@@ -195,6 +198,8 @@
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
@@ -643,7 +673,7 @@
# for SSP
dev_read_urand($1_su_t)
-@@ -204,6 +208,8 @@
+@@ -204,6 +209,8 @@
auth_domtrans_user_chk_passwd($1,$1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
@@ -652,7 +682,7 @@
corecmd_search_bin($1_su_t)
corecmd_search_sbin($1_su_t)
-@@ -219,6 +225,8 @@
+@@ -219,6 +226,8 @@
# Write to utmp.
init_rw_utmp($1_su_t)
@@ -661,16 +691,22 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
-@@ -229,6 +237,8 @@
+@@ -229,6 +238,14 @@
userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home_dirs($1,$1_su_t)
+ selinux_compute_access_vector($1_su_t)
+
++ # Modify .Xauthority file (via xauth program).
++ optional_policy(`
++ xserver_filetrans_user_xauth($1, sudomain)
++ xserver_domtrans_user_xauth($1, $1_su_t)
++ ')
++
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
-@@ -236,7 +246,6 @@
+@@ -236,7 +253,6 @@
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
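Review bot: `xserver_filetrans_user_xauth($1, sudomain)` passes the `sudomain` attribute where the very next line passes `$1_su_t`, so each instantiation of this template appears to grant the xauth file transition in role $1's home to every domain carrying the attribute rather than to this role's su domain. If cross-role access is not intended, `xserver_filetrans_user_xauth($1, $1_su_t)` keeps the grant scoped to the domain being defined. The visible `attribute sudomain;` require and `type $1_su_t, sudomain;` change are in su_restricted_domain_template. Whether the template that contains this block also requires the attribute cannot be seen here and should be checked, since the template body starts and ends outside the hunk.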
@@ -678,15 +714,30 @@
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
-@@ -301,6 +310,8 @@
+@@ -301,13 +317,7 @@
kerberos_use($1_su_t)
')
+- # Modify .Xauthority file (via xauth program).
+- optional_policy(`
+-# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+-# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+-# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+- xserver_domtrans_user_xauth($1, $1_su_t)
+- ')
+ userdom_search_all_users_home_dirs($1_su_t)
+
+ ifdef(`TODO',`
+ allow $1_su_t $1_home_t:file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.te serefpolicy-2.4.6/policy/modules/admin/su.te
+--- nsaserefpolicy/policy/modules/admin/su.te 2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/su.te 2006-12-28 11:43:41.000000000 -0500
+@@ -8,3 +8,5 @@
+
+ type su_exec_t;
+ corecmd_executable_file(su_exec_t)
+
- # Modify .Xauthority file (via xauth program).
- optional_policy(`
- # file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
++attribute sudomain;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.6/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-23 22:41:19.000000000 -0500
@@ -953,7 +1004,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-2.4.6/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/gnome.if 2006-12-24 01:48:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/gnome.if 2006-12-28 12:01:14.000000000 -0500
@@ -35,13 +35,15 @@
template(`gnome_per_role_template',`
gen_require(`
@@ -971,13 +1022,15 @@
domain_type($1_gconfd_t)
domain_entry_file($1_gconfd_t, gconfd_exec_t)
role $3 types $1_gconfd_t;
-@@ -59,14 +61,23 @@
+@@ -58,15 +60,25 @@
+ #
allow $1_gconfd_t self:process getsched;
-
++ allow $1_gconfd_t self:fifo_file rw_file_perms;
++
+ allow $1_t $1_gconfd_t:dir { getattr search };
+ allow $1_t $1_gconfd_t:file read;
-+
+
allow $1_gconfd_t $1_gconf_home_t:dir manage_dir_perms;
allow $1_gconfd_t $1_gconf_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
@@ -995,9 +1048,15 @@
domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
allow $1_gconfd_t $2:fd use;
allow $1_gconfd_t $2:fifo_file write;
-@@ -127,3 +138,23 @@
- allow $2 $1_gconfd_t:unix_stream_socket connectto;
+@@ -124,6 +136,66 @@
+ type $1_gconf_tmp_t;
+ ')
+
+- allow $2 $1_gconfd_t:unix_stream_socket connectto;
++ allow $2 $1_gconf_tmp_t:dir search_dir_perms;
allow $2 $1_gconf_tmp_t:file r_file_perms;
++ allow $2 $1_gconfd_t:unix_stream_socket connectto;
++ allow $1_gconfd_t $2:unix_stream_socket connectto;
')
+
+
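Review bot: The added `allow $1_gconfd_t $2:unix_stream_socket connectto;` lets gconfd connect back to every domain that calls this interface, which the mozilla and thunderbird templates elsewhere in this patch both do. The removed and re-added `allow $2 $1_gconfd_t:unix_stream_socket connectto;` shows that only the client-to-gconfd direction was granted before. If gconfd really needs the reverse connection, a comment such as `# gconfd connects back to the client` and a matching sentence in the interface summary would make the grant visible to callers; otherwise it is better left out or moved to a separate interface. The interface header is outside the hunk, so its name and documented contract cannot be checked from here.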
@@ -1019,6 +1078,44 @@
+ allow $1 gnomedomain:process signal;
+')
+
++########################################
++## <summary>
++## Run gconfd in gconfd domain.
++## </summary>
++## <desc>
++## <p>
++## Run gconfd in gconfd domain.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`gnome_domtrans_user_gconf',`
++ gen_require(`
++ type $1_gconfd_t, gconfd_exec_t;
++ ')
++
++ domain_auto_trans($2,gconfd_exec_t,$1_gconfd_t)
++
++ allow $2 $1_gconfd_t:fd use;
++ allow $1_gconfd_t $2:fd use;
++ allow $1_gconfd_t $2:fifo_file rw_file_perms;
++ allow $1_gconfd_t $2:process sigchld;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-2.4.6/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/gnome.te 2006-12-23 23:41:40.000000000 -0500
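Review bot: `gnome_domtrans_user_gconf` grants `allow $1_gconfd_t $2:fifo_file rw_file_perms;`, while an earlier block of gnome.if (apparently gnome_per_role_template) pairs the same `domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)` with only `allow $1_gconfd_t $2:fifo_file write;`. Unless gconfd has to read from the caller's pipes, `write` keeps the two paths consistent and the grant smaller. On documentation, the first `<p>` of `<desc>` only repeats the summary, and the `domain` parameter reads "Domain allowed access" where `Domain allowed to transition to the gconfd domain.` would say what the argument is for. The same wording is copied into `java_domtrans_user_javaplugin` and `mplayer_domtrans_user_mplayer` in the following hunks.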
@@ -1057,6 +1154,51 @@
/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.4.6/policy/modules/apps/java.if
+--- nsaserefpolicy/policy/modules/apps/java.if 2006-11-16 17:15:07.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/java.if 2006-12-26 10:57:01.000000000 -0500
+@@ -199,3 +199,41 @@
+ refpolicywarn(`$0($1) has no effect in strict policy.')
+ ')
+ ')
++
++########################################
++## <summary>
++## Run java in javaplugin domain.
++## </summary>
++## <desc>
++## <p>
++## Run java in javaplugin domain.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`java_domtrans_user_javaplugin',`
++ gen_require(`
++ type $1_javaplugin_t, java_exec_t;
++ ')
++
++ domain_auto_trans($2,java_exec_t,$1_javaplugin_t)
++
++ allow $2 $1_javaplugin_t:fd use;
++ allow $1_javaplugin_t $2:fd use;
++ allow $1_javaplugin_t $2:fifo_file rw_file_perms;
++ allow $1_javaplugin_t $2:process sigchld;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.4.6/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/java.te 2006-12-23 22:41:19.000000000 -0500
@@ -1097,25 +1239,241 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.4.6/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/mozilla.if 2006-12-23 22:41:19.000000000 -0500
-@@ -188,6 +188,7 @@
++++ serefpolicy-2.4.6/policy/modules/apps/mozilla.if 2006-12-26 11:39:47.000000000 -0500
+@@ -59,7 +59,7 @@
+ #
+ allow $1_mozilla_t self:capability { sys_nice setgid setuid };
+ allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+- allow $1_mozilla_t self:fifo_file { getattr read write };
++ allow $1_mozilla_t self:fifo_file rw_file_perms;
+ allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
+ allow $1_mozilla_t self:sem create_sem_perms;
+ allow $1_mozilla_t self:socket create_socket_perms;
+@@ -154,6 +154,7 @@
+ dev_write_sound($1_mozilla_t)
+ dev_read_sound($1_mozilla_t)
+ dev_dontaudit_rw_dri($1_mozilla_t)
++ dev_getattr_sysfs_dirs($1_mozilla_t)
+
+ files_read_etc_runtime_files($1_mozilla_t)
+ files_read_usr_files($1_mozilla_t)
+@@ -163,8 +164,9 @@
+ # interacting with gstreamer
+ files_read_var_files($1_mozilla_t)
+ files_read_var_symlinks($1_mozilla_t)
++ files_dontaudit_getattr_boot_dirs($1_mozilla_t)
+
+- fs_search_inotifyfs($1_mozilla_t)
++ fs_list_inotifyfs($1_mozilla_t)
+ fs_rw_tmpfs_files($1_mozilla_t)
+
+ libs_use_ld_so($1_mozilla_t)
+@@ -180,6 +182,8 @@
+ sysnet_dns_name_resolve($1_mozilla_t)
+ sysnet_read_config($1_mozilla_t)
+
++ term_dontaudit_getattr_pty_dirs($1_mozilla_t)
++
+ userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+ userdom_manage_user_home_content_files($1,$1_mozilla_t)
+ userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
+@@ -188,7 +192,9 @@
userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
-+ xserver_read_xdm_tmp_files($1_mozilla_t)
-
+-
++
++ xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
++ xserver_dontaudit_getattr_tmp_sock($1_mozilla_t)
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
-@@ -366,9 +367,6 @@
- # Java plugin
- optional_policy(`
- #reh, these are hacked in types due to the use of the java_per_role_template
+ ')
+@@ -336,6 +342,14 @@
+ ')
+
+ optional_policy(`
++ gnome_stream_connect_gconf_template($1,$1_mozilla_t)
++ ')
++
++ optional_policy(`
++ ssh_dontaudit_use_user_ssh_agent_fds($1,$1_mozilla_t)
++ ')
++
++ optional_policy(`
+ apache_read_user_scripts($1,$1_mozilla_t)
+ apache_read_user_content($1,$1_mozilla_t)
+ ')
+@@ -359,34 +373,24 @@
+ ')
+
+ optional_policy(`
++ automount_dontaudit_getattr_tmp_dirs($1_mozilla_t)
++ ')
++
++ optional_policy(`
+ lpd_domtrans_user_lpr($1,$1_mozilla_t)
+ ')
+
+- ifdef(`TODO',`
+- # Java plugin
+- optional_policy(`
+- #reh, these are hacked in types due to the use of the java_per_role_template
- type $1_mozilla_tmp_t;
- files_tmp_file($1_mozilla_tmp_t)
-
- #this looks even more ugly.
- type $1_mozilla_tty_device_t;
- term_tty($1_mozilla_t,$1_mozilla_tty_device_t)
+- #this looks even more ugly.
+- type $1_mozilla_tty_device_t;
+- term_tty($1_mozilla_t,$1_mozilla_tty_device_t)
+- type $1_mozilla_devpts_t;
+- term_pty($1_mozilla_devpts_t)
+- type $1_mozilla_home_dir_t;
+- userdom_user_home_content($1,$1_mozilla_home_dir_t)
++ ######### Launch mplayer
++ optional_policy(`
++ mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
++ mplayer_read_user_home_files($1, $1_mozilla_t)
++ ')
+
+- java_per_role_template($1_mozilla,$2,$3)
+- ')
++ optional_policy(`
++ java_domtrans_user_javaplugin($1, $1_mozilla_t)
++ ')
+
+- ######### Launch mplayer
+- optional_policy(`
+- domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
+- dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+- dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+- dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+- ')
++ ifdef(`TODO',`
+ #NOTE commented out in strict.
+ ######### Launch email client, and make webcal links work
+ #ifdef(`evolution.te', `
+@@ -406,7 +410,41 @@
+ # GNOME integration
+ optional_policy(`
+ gnome_application($1_mozilla, $1)
+- gnome_file_dialog($1_mozilla, $1)
++pp gnome_file_dialog($1_mozilla, $1)
+ ')
+ ')
+ ')
++
++########################################
++## <summary>
++## Read mozilla per user homedir
++## </summary>
++## <desc>
++## <p>
++## Read mozilla per user homedir
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`mozilla_read_user_home_files',`
++ gen_require(`
++ type $1_mozilla_home_t;
++ ')
++
++ allow $2 $1_mozilla_home_t:dir list_dir_perms;
++ allow $2 $1_mozilla_home_t:file r_file_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-2.4.6/policy/modules/apps/mplayer.if
+--- nsaserefpolicy/policy/modules/apps/mplayer.if 2006-11-16 17:15:07.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/mplayer.if 2006-12-26 07:25:26.000000000 -0500
+@@ -446,3 +446,76 @@
+ nscd_socket_use($1_mplayer_t)
+ ')
+ ')
++
++########################################
++## <summary>
++## Run mplayer in mplayer domain.
++## </summary>
++## <desc>
++## <p>
++## Run mplayer in mplayer domain.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`mplayer_domtrans_user_mplayer',`
++ gen_require(`
++ type $1_mplayer_t, mplayer_exec_t;
++ ')
++
++ domain_auto_trans($2,mplayer_exec_t,$1_mplayer_t)
++
++ allow $2 $1_mplayer_t:fd use;
++ allow $1_mplayer_t $2:fd use;
++ allow $1_mplayer_t $2:fifo_file rw_file_perms;
++ allow $1_mplayer_t $2:process sigchld;
++')
++
++########################################
++## <summary>
++## Read mplayer per user homedir
++## </summary>
++## <desc>
++## <p>
++## Read mplayer per user homedir
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`mplayer_read_user_home_files',`
++ gen_require(`
++ type $1_mplayer_home_t;
++ ')
++
++ allow $2 $1_mplayer_home_t:dir search_dir_perms;
++ allow $2 $1_mplayer_home_t:file r_file_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.4.6/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/slocate.te 2006-12-23 22:41:19.000000000 -0500
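Review bot: The new line `pp gnome_file_dialog($1_mozilla, $1)` in mozilla.if has a stray `pp` in front of the call; it replaces `gnome_file_dialog($1_mozilla, $1)` and should read exactly as before. The block appears to sit inside the TODO ifdef reopened earlier in this hunk, so the policy probably still builds today, but the typo would surface as soon as that guard is removed. Separately, `mplayer_read_user_home_files` grants `search_dir_perms` on the directory where `mozilla_read_user_home_files` grants `list_dir_perms`; the two read interfaces should agree on one of them.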
@@ -1130,7 +1488,7 @@
# mls Higher level directories will be refused, so dontaudit
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.4.6/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/thunderbird.if 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/thunderbird.if 2006-12-28 12:04:29.000000000 -0500
@@ -62,6 +62,9 @@
allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
allow $1_thunderbird_t self:tcp_socket create_socket_perms;
@@ -1155,16 +1513,20 @@
corenet_non_ipsec_sendrecv($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
-@@ -126,6 +132,8 @@
+@@ -126,15 +132,20 @@
files_list_tmp($1_thunderbird_t)
files_read_usr_files($1_thunderbird_t)
files_read_etc_files($1_thunderbird_t)
++ files_read_etc_runtime_files($1_thunderbird_t)
+ files_read_var_files($1_thunderbird_t)
+ files_read_var_symlinks($1_thunderbird_t)
fs_getattr_xattr_fs($1_thunderbird_t)
# Access ~/.thunderbird
-@@ -135,6 +143,7 @@
+ fs_search_auto_mountpoints($1_thunderbird_t)
++ fs_list_inotifyfs($1_thunderbird_t)
+
+ libs_use_shared_libs($1_thunderbird_t)
libs_use_ld_so($1_thunderbird_t)
miscfiles_read_fonts($1_thunderbird_t)
@@ -1172,7 +1534,7 @@
sysnet_read_config($1_thunderbird_t)
# Allow DNS
-@@ -148,7 +157,8 @@
+@@ -148,7 +159,8 @@
userdom_read_user_home_content_files($1,$1_thunderbird_t)
xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
@@ -1182,7 +1544,7 @@
# Transition from user type
tunable_policy(`! disable_thunderbird_trans',`
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-@@ -299,6 +309,10 @@
+@@ -299,6 +311,10 @@
')
optional_policy(`
@@ -1193,6 +1555,26 @@
dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
dbus_send_system_bus($1_thunderbird_t)
+@@ -321,6 +337,19 @@
+ nis_use_ypbind($1_thunderbird_t)
+ ')
+
++ optional_policy(`
++ ssh_dontaudit_use_user_ssh_agent_fds($1, $1_thunderbird_t)
++ ')
++
++ optional_policy(`
++ gnome_stream_connect_gconf_template($1,$1_thunderbird_t)
++ gnome_domtrans_user_gconf($1, $1_thunderbird_t)
++ ')
++
++ optional_policy(`
++ mozilla_read_user_home_files($1, $1_thunderbird_t)
++ ')
++
+ ifdef(`TODO',`
+ # FIXME: Rules were removed to centralize policy in a gnome_app macro
+ # A similar thing might be necessary for mozilla compiled without GNOME
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-2.4.6/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/userhelper.if 2006-12-23 22:41:19.000000000 -0500
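Review bot: `mozilla_read_user_home_files($1, $1_thunderbird_t)` gives the mail client list and read access to everything labelled `$1_mozilla_home_t`, which presumably covers the whole browser profile rather than the few settings thunderbird needs. A comment stating what thunderbird reads there, for example `# thunderbird reads the browser's preferences`, would let a later reviewer judge whether the grant can be narrowed (that reason is a guess and needs confirming by the author). If the accesses are only probes that thunderbird can do without, a dontaudit rule would keep the mail client away from the browser's stored data. The thunderbird template starts and ends outside this hunk.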
@@ -1228,8 +1610,13 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2006-12-23 22:41:19.000000000 -0500
-@@ -73,6 +73,7 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2006-12-28 09:38:30.000000000 -0500
+@@ -1,4 +1,3 @@
+-
+ #
+ # /bin
+ #
+@@ -73,6 +72,7 @@
ifdef(`targeted_policy',`
/etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0)
@@ -1237,7 +1624,18 @@
')
#
-@@ -247,3 +248,6 @@
+@@ -188,7 +188,10 @@
+ /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
+@@ -247,3 +250,6 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
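Review bot: The new entry `/usr/share/authconfig/authconfig.py` leaves the dot unescaped, so the regular expression matches any character in that position, unlike the neighbouring `authconfig-gtk\.py` and `authconfig-tui\.py` entries; it should be `/usr/share/authconfig/authconfig\.py`. The `/usr/share/hplip/[^/]*` entry labels every regular file directly in that directory as bin_t, executable or not. If only some of those files are programs, listing them, or adding a short comment on why the wildcard is needed, would keep the bin_t label from spreading to data files.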
@@ -1246,8 +1644,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.6/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if 2006-12-23 22:41:19.000000000 -0500
-@@ -928,7 +928,19 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if 2006-12-27 16:17:08.000000000 -0500
+@@ -928,7 +928,21 @@
type bin_t, sbin_t;
')
@@ -1256,6 +1654,8 @@
+ ifdef(`targeted_policy',`
+ can_exec($1,exec_type)
+ ', `
++ # Need this dontaudit or command completion fires hundreds of avcs
++ dontaudit $1 exec_type:file execute;
+ corecmd_exec_bin($1)
+ corecmd_exec_sbin($1)
+ corecmd_exec_shell($1)
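Review bot: `dontaudit $1 exec_type:file execute;` silences execute denials on every file carrying the exec_type attribute for each caller of this interface in strict policy, so an attempt by such a domain to run a binary it is not allowed to run no longer leaves an AVC record. The comment explains the noise from command completion but not that cost; extending it with something like `# NOTE: also hides real execute denials on exec_type files for this domain` would tell whoever investigates a missing denial where to look. Since the same patch adds `corecmd_dontaudit_exec_all_executables`, callers that want the quieter behaviour could opt in through it instead of every caller inheriting it here. The interface body starts outside the hunk.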
@@ -1268,7 +1668,7 @@
allow $1 { bin_t sbin_t }:dir list_dir_perms;
allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
')
-@@ -950,6 +962,7 @@
+@@ -950,6 +964,7 @@
type bin_t, sbin_t;
')
@@ -1276,7 +1676,7 @@
allow $1 exec_type:file manage_file_perms;
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
-@@ -972,6 +985,7 @@
+@@ -972,6 +987,7 @@
')
allow $1 exec_type:file { relabelfrom relabelto };
@@ -1284,7 +1684,7 @@
')
########################################
-@@ -990,4 +1004,24 @@
+@@ -990,4 +1006,44 @@
')
allow $1 exec_type:file { getattr read execute };
@@ -1308,7 +1708,27 @@
+
+ allow $1 exec_type:file getattr;
+ userdom_getattr_all_executables($1)
++')
++
++########################################
++## <summary>
++## dontaudit checking for execute privs on all executables
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corecmd_dontaudit_exec_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ dontaudit $1 exec_type:file execute;
')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2006-12-23 22:41:19.000000000 -0500
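Review bot: The `domain` parameter of `corecmd_dontaudit_exec_all_executables` is documented as "Domain allowed access", but the interface only emits a dontaudit rule and allows nothing; `Domain to not audit.` describes it correctly. The summary would also read better as a full sentence, e.g. `Do not audit attempts to execute all executable files.` The same parameter text appears in `domain_dontaudit_exec_all_entry_files` and `rhgb_dontaudit_use_ptys` later in this patch.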
@@ -1603,6 +2023,34 @@
#
# random_device_t is the type of /dev/random
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.4.6/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if 2006-11-16 17:15:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/domain.if 2006-12-27 16:19:26.000000000 -0500
+@@ -1276,3 +1276,24 @@
+ domain_trans($1,$2,$3)
+ type_transition $1 $2:process $3;
+ ')
++
++
++########################################
++## <summary>
++## dontaudit checking for execute on all entry point files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`domain_dontaudit_exec_all_entry_files',`
++ gen_require(`
++ attribute entry_type;
++ ')
++
++ dontaudit $1 entry_type:file execute;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.6/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/domain.te 2006-12-23 22:41:19.000000000 -0500
@@ -3510,17 +3958,109 @@
allow radvd_t radvd_var_run_t:file create_file_perms;
allow radvd_t radvd_var_run_t:dir rw_dir_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-2.4.6/policy/modules/services/rhgb.if
+--- nsaserefpolicy/policy/modules/services/rhgb.if 2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/rhgb.if 2006-12-28 09:47:15.000000000 -0500
+@@ -124,3 +124,79 @@
+
+ allow $1 rhgb_tmpfs_t:file { read write };
+ ')
++
++########################################
++## <summary>
++## Read from and write to the rhgb devpts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`rhgb_use_ptys',`
++ gen_require(`
++ type rhgb_devpts_t;
++ ')
++
++ allow $1 rhgb_devpts_t:chr_file rw_file_perms;
++')
++
++########################################
++## <summary>
++## dontaudit Read from and write to the rhgb devpts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`rhgb_dontaudit_use_ptys',`
++ gen_require(`
++ type rhgb_devpts_t;
++ ')
++
++ dontaudit $1 rhgb_devpts_t:chr_file rw_file_perms;
++')
++
++
++########################################
++## <summary>
++## Get the process group of rhgb.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhgb_getpgid',`
++ gen_require(`
++ type rhgb_t;
++ ')
++
++ allow $1 rhgb_t:process getpgid;
++')
++
++########################################
++## <summary>
++## Send a signal to rhgb.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhgb_signal',`
++ gen_require(`
++ type rhgb_t;
++ ')
++
++ allow $1 rhgb_t:process signal;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.4.6/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/rhgb.te 2006-12-23 22:41:19.000000000 -0500
-@@ -114,6 +114,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/rhgb.te 2006-12-28 09:22:35.000000000 -0500
+@@ -114,6 +114,8 @@
xserver_kill_xdm_xserver(rhgb_t)
# for running setxkbmap
xserver_read_xkb_libs(rhgb_t)
+xserver_domtrans_xdm_xserver(rhgb_t)
++xserver_signal_xdm_xserver(rhgb_t)
ifdef(`strict_policy',`
allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
+@@ -126,7 +128,6 @@
+ term_dontaudit_use_unallocated_ttys(rhgb_t)
+
+ xserver_domtrans_xdm_xserver(rhgb_t)
+- xserver_signal_xdm_xserver(rhgb_t)
+ xserver_read_xdm_tmp_files(rhgb_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.4.6/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/rlogin.te 2006-12-23 22:41:19.000000000 -0500
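Review bot: `xserver_domtrans_xdm_xserver(rhgb_t)` now appears twice in rhgb.te: unconditionally after `xserver_read_xkb_libs(rhgb_t)`, and again as a context line of the new `@@ -126,7 +128,6 @@` inner hunk, which removes only `xserver_signal_xdm_xserver(rhgb_t)`. If that second location is the body of the strict_policy ifdef (it looks so, but the block opens and closes outside the visible lines), the leftover call is redundant and the inner hunk should drop it as well. Moving both calls out of the conditional also means non-strict builds now get the domain transition and the signal permission, which deserves a one-line comment saying why.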
@@ -3645,7 +4185,7 @@
auth_domtrans_chk_passwd(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-2.4.6/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/setroubleshoot.if 2006-12-24 11:22:36.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/setroubleshoot.if 2006-12-26 07:30:53.000000000 -0500
@@ -1 +1,21 @@
## <summary>SELinux troubleshooting service</summary>
+
@@ -3754,7 +4294,7 @@
init_use_script_ptys(spamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.4.6/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ssh.if 2006-12-24 01:00:23.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ssh.if 2006-12-28 11:59:21.000000000 -0500
@@ -234,6 +234,7 @@
domain_type($1_ssh_agent_t)
domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
@@ -3763,6 +4303,49 @@
type $1_ssh_agent_tmp_t;
files_tmp_file($1_ssh_agent_tmp_t)
+@@ -734,3 +735,42 @@
+
+ dontaudit $1 sshd_key_t:file { getattr read };
+ ')
++
++########################################
++## <summary>
++## Inherit and use a file descriptor
++## from the ssh-agent.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_use_user_ssh_agent_fds',`
++ gen_require(`
++ type $1_ssh_agent_t;
++ ')
++
++ allow $2 $1_ssh_agent_t:fd use;
++')
++
++########################################
++## <summary>
++## dontaudit use of file descriptor
++## from the ssh-agent.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_dontaudit_use_user_ssh_agent_fds',`
++ gen_require(`
++ type $1_ssh_agent_t;
++ ')
++
++ dontaudit $2 $1_ssh_agent_t:fd use;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.6/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/ssh.te 2006-12-23 22:41:19.000000000 -0500
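Review bot: `ssh_use_user_ssh_agent_fds` and `ssh_dontaudit_use_user_ssh_agent_fds` take two arguments, since the body builds the type from `$1_ssh_agent_t` and uses `$2` as the source domain, but each header documents a single `domain` parameter. A caller following the documentation would pass the domain as `$1` and end up requiring a type name built from it. I would document `userdomain_prefix` and `domain` as two `<param>` entries in that order, the way `xserver_filetrans_user_xauth` does later in this patch. Both should also be declared with `template(` rather than `interface(`, because they expand a per-user type name.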
@@ -3985,7 +4568,7 @@
/tmp/\.X11-unix/.* -s <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.6/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/xserver.if 2006-12-24 00:42:00.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/xserver.if 2006-12-28 10:14:55.000000000 -0500
@@ -45,7 +45,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -4004,7 +4587,19 @@
# Run helper programs in $1_xserver_t.
corecmd_search_sbin($1_xserver_t)
corecmd_exec_bin($1_xserver_t)
-@@ -279,6 +281,8 @@
+@@ -170,6 +172,11 @@
+ ')
+
+ optional_policy(`
++ rhgb_getpgid($1_xserver_t)
++ rhgb_signal($1_xserver_t)
++ ')
++
++ optional_policy(`
+ apm_stream_connect($1_xserver_t)
+ ')
+
+@@ -279,6 +286,8 @@
allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
allow $1_xauth_t $1_xserver_t:process sigchld;
@@ -4013,7 +4608,7 @@
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
-@@ -425,6 +429,8 @@
+@@ -425,6 +434,8 @@
allow $2 $1_iceauth_home_t:file manage_file_perms;
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
@@ -4022,7 +4617,7 @@
fs_search_auto_mountpoints($1_iceauth_t)
libs_use_ld_so($1_iceauth_t)
-@@ -578,6 +584,8 @@
+@@ -578,6 +589,8 @@
xserver_rw_session_template($1,$2,$3)
xserver_use_user_fonts($1,$2)
@@ -4031,7 +4626,7 @@
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 $1_xserver_t:shm rw_shm_perms;
-@@ -906,10 +914,12 @@
+@@ -906,10 +919,12 @@
domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -4044,7 +4639,7 @@
')
########################################
-@@ -1024,6 +1034,7 @@
+@@ -1024,6 +1039,7 @@
logging_search_logs($1)
allow $1 xserver_log_t:dir rw_dir_perms;
allow $1 xserver_log_t:file unlink;
@@ -4052,7 +4647,7 @@
')
########################################
-@@ -1080,6 +1091,7 @@
+@@ -1080,6 +1096,7 @@
type xdm_tmp_t;
')
@@ -4060,7 +4655,7 @@
allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:file { getattr read };
')
-@@ -1160,3 +1172,79 @@
+@@ -1160,3 +1177,170 @@
allow $1 xdm_xserver_tmp_t:sock_file write;
allow $1 xdm_xserver_t:unix_stream_socket connectto;
')
@@ -4140,6 +4735,97 @@
+ allow $1 xdm_tmp_t:file rw_file_perms;
+')
+
++########################################
++## <summary>
++## dontaudit getattr xdm temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit
++## </summary>
++## </param>
++#
++interface(`xserver_dontaudit_read_xdm_tmp_files',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ dontaudit $1 xdm_tmp_t:dir search_dir_perms;
++ dontaudit $1 xdm_tmp_t:file r_file_perms;
++')
++
++########################################
++## <summary>
++## dontaudit getattr xdm temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit
++## </summary>
++## </param>
++#
++interface(`xserver_dontaudit_getattr_tmp_sock',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ dontaudit $1 xdm_tmp_t:sock_file getattr;
++')
++
++
++########################################
++## <summary>
++## manage xdm temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit
++## </summary>
++## </param>
++#
++interface(`xserver_manage_xdm_tmp_files',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ allow $1 xdm_tmp_t:dir search_dir_perms;
++ allow $1 xdm_tmp_t:file create_file_perms;
++')
++
++
++########################################
++## <summary>
++## Transition to a user Xauthority domain.
++## </summary>
++## <desc>
++## <p>
++## Transition to a user Xauthority domain.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`xserver_filetrans_user_xauth',`
++ gen_require(`
++ type $1_xauth_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.4.6/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/xserver.te 2006-12-24 11:03:54.000000000 -0500
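Review bot: Several of the new xserver.if headers do not match their bodies. `xserver_dontaudit_read_xdm_tmp_files` and `xserver_dontaudit_getattr_tmp_sock` both carry the summary "dontaudit getattr xdm temporary files", although the first covers `search_dir_perms` plus `r_file_perms` and the second a `sock_file getattr`; `xserver_manage_xdm_tmp_files` describes its parameter as "Domain to not audit" while it holds two `allow` rules; and `xserver_filetrans_user_xauth` is summarised as a domain transition while its body is a home-directory file type transition. I would reword each summary to name the object class and permissions it covers, and use `## Domain allowed access.` for the manage interface. Separately, `xserver_manage_xdm_tmp_files` pairs `create_file_perms` on files with only `search_dir_perms` on the directory, so unless callers get directory write access elsewhere the create permission presumably cannot take effect; worth confirming which was intended.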
@@ -4192,7 +4878,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-27 15:52:23.000000000 -0500
@@ -190,6 +190,9 @@
## </param>
#
@@ -4406,8 +5092,8 @@
type fsadm_log_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.6/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/getty.te 2006-12-23 22:41:19.000000000 -0500
-@@ -33,7 +33,8 @@
++++ serefpolicy-2.4.6/policy/modules/system/getty.te 2006-12-28 09:48:19.000000000 -0500
+@@ -33,14 +33,16 @@
#
# Use capabilities.
@@ -4415,8 +5101,36 @@
+# getty requires sys_admin #209426
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid sys_admin };
dontaudit getty_t self:capability sys_tty_config;
- allow getty_t self:process { getpgid getsession signal_perms };
+-allow getty_t self:process { getpgid getsession signal_perms };
++allow getty_t self:process { getpgid setpgid getsession signal_perms };
+ allow getty_t getty_etc_t:dir r_dir_perms;
+ allow getty_t getty_etc_t:file r_file_perms;
+ allow getty_t getty_etc_t:lnk_file { getattr read };
+ files_etc_filetrans(getty_t,getty_etc_t,{ file dir })
++allow getty_t self:fifo_file rw_file_perms;
+
+ allow getty_t getty_lock_t:file create_file_perms;
+ files_lock_filetrans(getty_t,getty_lock_t,file)
+@@ -82,6 +84,7 @@
+
+ corecmd_search_bin(getty_t)
+ corecmd_search_sbin(getty_t)
++corecmd_read_bin_symlinks(getty_t)
+
+ files_rw_generic_pids(getty_t)
+ files_read_etc_runtime_files(getty_t)
+@@ -135,3 +138,10 @@
+ optional_policy(`
+ udev_read_db(getty_t)
+ ')
++
++optional_policy(`
++ rhgb_dontaudit_use_ptys(getty_t)
++')
++
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.6/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/hostname.te 2006-12-23 22:41:19.000000000 -0500
@@ -4444,7 +5158,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.4.6/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.if 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/init.if 2006-12-28 09:25:21.000000000 -0500
@@ -221,11 +221,14 @@
gen_require(`
type initrc_t;
@@ -4462,7 +5176,7 @@
domain_auto_trans(initrc_t,$2,$1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-12-28 09:18:21.000000000 -0500
@@ -125,6 +125,7 @@
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
@@ -4512,7 +5226,18 @@
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-@@ -499,7 +509,17 @@
+@@ -488,6 +498,10 @@
+ ')
+ ')
+
++optional_policy(`
++ rhgb_use_ptys(daemon)
++')
++
+ ifdef(`targeted_policy',`
+ domain_subj_id_change_exemption(initrc_t)
+ unconfined_domain(initrc_t)
+@@ -499,7 +513,17 @@
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
term_use_generic_ptys(daemon)
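Review bot: `rhgb_use_ptys(daemon)` gives every domain carrying the `daemon` attribute read/write access to `rhgb_devpts_t`, with no tunable around it. The neighbouring `term_use_unallocated_ttys(daemon)` and `term_use_generic_ptys(daemon)` calls sit behind `allow_daemons_use_tty`, and getty and insmod in this same patch only get `rhgb_dontaudit_use_ptys`. If the goal is to silence denials on a descriptor inherited during graphical boot, `rhgb_dontaudit_use_ptys(daemon)` would do that without the grant; if daemons really need to write to the rhgb pty, a comment stating that would help. The surrounding block starts outside the hunk, so I cannot see whether an enclosing conditional already limits it.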
@@ -4521,16 +5246,16 @@
+ # system-config-services causes avc messages that should be dontaudited
+ unconfined_dontaudit_rw_pipes(daemon)
+
- ')
++ ')
+
+ tunable_policy(`allow_daemons_dump_core',`
+ files_dump_core(daemon)
-+ ')
+ ')
+
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
-@@ -710,6 +730,9 @@
+@@ -710,6 +734,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -4567,7 +5292,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2006-12-26 07:07:59.000000000 -0500
@@ -131,6 +131,7 @@
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -4617,7 +5342,11 @@
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,6 +244,9 @@
+@@ -243,9 +241,13 @@
+ /usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Flash plugin, Macromedia
++HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
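Review bot: The added `HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.*` entry matches paths that the existing `HOME_DIR/.*/plugins/libflashplayer\.so.*` line below it already matches, and it assigns the same `textrel_shlib_t` context. If it is there to take precedence over a broader `.mozilla` home-directory context defined elsewhere (not visible here), a comment should say so, for example `# more specific than the generic .mozilla home entry so the plugin keeps textrel_shlib_t`. Both entries put a text-relocation library type on a file in a user-writable directory, so the narrower pattern is preferable to the wildcard one if only the Mozilla plugin directory is needed.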
@@ -4627,7 +5356,7 @@
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -258,10 +259,9 @@
+@@ -258,10 +260,9 @@
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
@@ -4641,7 +5370,7 @@
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -300,3 +300,5 @@
+@@ -300,3 +301,5 @@
/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -5008,7 +5737,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.6/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2006-12-23 22:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2006-12-28 09:48:43.000000000 -0500
@@ -54,6 +54,8 @@
can_exec(insmod_t, insmod_exec_t)
@@ -5029,7 +5758,14 @@
ifdef(`targeted_policy',`
unconfined_domain(insmod_t)
')
-@@ -145,6 +143,9 @@
+@@ -142,9 +140,16 @@
+ ')
+
+ optional_policy(`
++ rhgb_dontaudit_use_ptys(insmod_t)
++')
++
++optional_policy(`
fs_manage_ramfs_files(insmod_t)
rhgb_use_fds(insmod_t)
@@ -5039,7 +5775,7 @@
ifdef(`hide_broken_symptoms',`
xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)
-@@ -179,6 +180,7 @@
+@@ -179,6 +184,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
@@ -5667,7 +6403,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-24 02:04:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-28 09:59:50.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
@@ -5679,16 +6415,17 @@
')
attribute $1_file_type;
-@@ -102,6 +102,8 @@
+@@ -101,6 +101,9 @@
+ libs_exec_ld_so($1_t)
miscfiles_read_localization($1_t)
-
-+ sysnet_read_config($1_t)
++ miscfiles_read_certs($1_t)
+
++ sysnet_read_config($1_t)
+
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
-@@ -136,6 +138,10 @@
+@@ -136,6 +139,10 @@
## <rolebase/>
#
template(`userdom_ro_home_template',`
@@ -5699,7 +6436,7 @@
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
-@@ -149,6 +155,7 @@
+@@ -149,6 +156,7 @@
files_mountpoint($1_home_dir_t)
files_associate_tmp($1_home_dir_t)
fs_associate_tmpfs($1_home_dir_t)
@@ -5707,7 +6444,7 @@
##############################
#
-@@ -220,6 +227,10 @@
+@@ -220,6 +228,10 @@
## <rolebase/>
#
template(`userdom_manage_home_template',`
@@ -5718,7 +6455,7 @@
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
-@@ -319,12 +330,11 @@
+@@ -319,12 +331,11 @@
## <rolebase/>
#
template(`userdom_poly_home_template',`
@@ -5736,7 +6473,7 @@
')
#######################################
-@@ -347,6 +357,10 @@
+@@ -347,6 +358,10 @@
## <rolebase/>
#
template(`userdom_manage_tmp_template',`
@@ -5747,7 +6484,7 @@
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
-@@ -387,9 +401,7 @@
+@@ -387,9 +402,7 @@
## <rolebase/>
#
template(`userdom_poly_tmp_template',`
@@ -5758,7 +6495,7 @@
')
#######################################
-@@ -415,6 +427,9 @@
+@@ -415,6 +428,9 @@
## <rolebase/>
#
template(`userdom_manage_tmpfs_template',`
@@ -5768,16 +6505,16 @@
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
-@@ -567,6 +582,8 @@
+@@ -567,6 +583,8 @@
xserver_read_xdm_pid($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
+ # Needed for escd, remove if we get escd policy
-+ xserver_rw_xdm_tmp_files($1_t)
++ xserver_manage_xdm_tmp_files($1_t)
')
')
-@@ -673,6 +690,8 @@
+@@ -673,6 +691,8 @@
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:process { ptrace setfscreate };
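Review bot: Replacing `xserver_rw_xdm_tmp_files($1_t)` with `xserver_manage_xdm_tmp_files($1_t)` widens every user domain built from this template from read/write to `create_file_perms` on `xdm_tmp_t`, while the comment above still justifies the rule only by escd. I would extend the comment to record the wider grant and its removal condition, e.g. `# TODO: grants create_file_perms on xdm_tmp_t to all $1_t for escd; narrow once escd has its own policy`. The enclosing template starts and ends outside the hunk.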
@@ -5786,7 +6523,7 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-@@ -734,6 +753,7 @@
+@@ -734,6 +754,7 @@
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -5794,7 +6531,7 @@
init_read_utmp($1_t)
# The library functions always try to open read-write first,
-@@ -756,6 +776,7 @@
+@@ -756,6 +777,7 @@
seutil_read_default_contexts($1_t)
seutil_read_config($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -5802,7 +6539,7 @@
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
-@@ -781,6 +802,10 @@
+@@ -781,6 +803,10 @@
')
optional_policy(`
@@ -5813,7 +6550,7 @@
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_t)
')
-@@ -791,9 +816,11 @@
+@@ -791,9 +817,11 @@
optional_policy(`
cups_stream_connect_ptal($1_t)
@@ -5825,7 +6562,7 @@
dbus_system_bus_client_template($1,$1_t)
optional_policy(`
-@@ -801,6 +828,11 @@
+@@ -801,6 +829,11 @@
')
optional_policy(`
@@ -5837,7 +6574,7 @@
cups_dbus_chat_config($1_t)
')
-@@ -853,6 +885,11 @@
+@@ -853,6 +886,11 @@
')
optional_policy(`
@@ -5849,7 +6586,7 @@
quota_dontaudit_getattr_db($1_t)
')
-@@ -933,6 +970,7 @@
+@@ -933,6 +971,7 @@
#
# privileged home directory writers
@@ -5857,7 +6594,7 @@
allow privhome $1_home_t:file manage_file_perms;
allow privhome $1_home_t:lnk_file create_lnk_perms;
allow privhome $1_home_t:dir manage_dir_perms;
-@@ -984,6 +1022,10 @@
+@@ -984,6 +1023,10 @@
')
optional_policy(`
@@ -5868,7 +6605,17 @@
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
-@@ -1169,6 +1211,10 @@
+@@ -1120,6 +1163,9 @@
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)
+ domain_dontaudit_ptrace_all_domains($1_t)
++ # Command completion can fire hundreds of avcs
++ domain_dontaudit_exec_all_entry_files($1_t)
++
+ # signal all domains:
+ domain_kill_all_domains($1_t)
+ domain_signal_all_domains($1_t)
+@@ -1169,6 +1215,10 @@
')
optional_policy(`
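Review bot: `domain_dontaudit_exec_all_entry_files($1_t)` silences every denied `execute` on an entry-point file for this domain, not only the ones shell completion triggers, so a genuine attempt to run another domain's entry point from here no longer leaves an AVC record. The access stays denied; what is lost is the audit trail. I would say that in the comment, e.g. `# Command completion can fire hundreds of avcs; this also hides real execute denials on entry_type files`, so whoever triages a missing denial knows to rebuild without dontaudit rules. The template this sits in begins outside the hunk.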
@@ -5879,7 +6626,7 @@
cron_admin_template($1,$1_t,$1_r)
')
-@@ -1188,7 +1234,7 @@
+@@ -1188,7 +1238,7 @@
ifdef(`xserver.te', `
tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
@@ -5888,7 +6635,7 @@
')
')
') dnl endif TODO
-@@ -1859,7 +1905,7 @@
+@@ -1859,7 +1909,7 @@
')
files_search_home($2)
@@ -5897,7 +6644,7 @@
allow $2 $1_home_t:dir search_dir_perms;
allow $2 $1_home_t:file r_file_perms;
')
-@@ -1962,8 +2008,8 @@
+@@ -1962,8 +2012,8 @@
')
files_search_home($2)
@@ -5908,7 +6655,7 @@
allow $2 $1_home_t:lnk_file r_file_perms;
')
-@@ -1998,8 +2044,8 @@
+@@ -1998,8 +2048,8 @@
')
files_search_home($2)
@@ -5919,7 +6666,7 @@
can_exec($2,$1_home_t)
')
-@@ -2069,7 +2115,7 @@
+@@ -2069,7 +2119,7 @@
')
files_search_home($2)
@@ -5928,7 +6675,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:file create_file_perms;
')
-@@ -2142,7 +2188,7 @@
+@@ -2142,7 +2192,7 @@
')
files_search_home($2)
@@ -5937,7 +6684,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:lnk_file create_lnk_perms;
')
-@@ -2180,7 +2226,7 @@
+@@ -2180,7 +2230,7 @@
')
files_search_home($2)
@@ -5946,7 +6693,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:fifo_file create_file_perms;
')
-@@ -2218,7 +2264,7 @@
+@@ -2218,7 +2268,7 @@
')
files_search_home($2)
@@ -5955,7 +6702,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:sock_file create_file_perms;
')
-@@ -3977,7 +4023,7 @@
+@@ -3977,7 +4027,7 @@
')
files_search_home($1)
@@ -5964,7 +6711,7 @@
')
########################################
-@@ -3996,7 +4042,7 @@
+@@ -3996,7 +4046,7 @@
type staff_home_dir_t;
')
@@ -5973,7 +6720,7 @@
')
########################################
-@@ -4343,7 +4389,7 @@
+@@ -4343,7 +4393,7 @@
type sysadm_home_dir_t;
')
@@ -5982,7 +6729,7 @@
')
########################################
-@@ -4501,41 +4547,13 @@
+@@ -4501,41 +4551,13 @@
## </param>
#
interface(`userdom_read_sysadm_home_content_files',`
@@ -6029,7 +6776,7 @@
')
########################################
-@@ -4858,7 +4876,7 @@
+@@ -4858,7 +4880,7 @@
type user_home_t;
')
@@ -6038,7 +6785,7 @@
')
########################################
-@@ -4905,6 +4923,28 @@
+@@ -4905,6 +4927,28 @@
########################################
## <summary>
@@ -6067,7 +6814,7 @@
## Read files in generic user home directories.
## </summary>
## <param name="domain">
-@@ -5497,3 +5537,383 @@
+@@ -5497,3 +5541,383 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.374
retrieving revision 1.375
diff -u -r1.374 -r1.375
--- selinux-policy.spec 24 Dec 2006 15:26:26 -0000 1.374
+++ selinux-policy.spec 28 Dec 2006 17:39:12 -0000 1.375
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 18%{?dist}
+Release: 19%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,9 @@
%endif
%changelog
+* Thu Dec 28 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-19
+- Add gconf policy and make it work with strict
+
* Sat Dec 23 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-18
- Many fixes for strict policy and by extension mls.