rpms/selinux-policy/F-8 booleans-targeted.conf, 1.33, 1.34 policy-20070703.patch, 1.127, 1.128 selinux-policy.spec, 1.572, 1.573

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Nov 9 19:43:37 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21475

Modified Files:
	booleans-targeted.conf policy-20070703.patch 
	selinux-policy.spec 
Log Message:
* Fri Nov 9 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-50
- Allow login programs to delete user temp files



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/booleans-targeted.conf,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- booleans-targeted.conf	24 Oct 2007 20:15:22 -0000	1.33
+++ booleans-targeted.conf	9 Nov 2007 19:42:58 -0000	1.34
@@ -148,7 +148,7 @@
 
 # Support NFS home directories
 # 
-use_nfs_home_dirs = false
+use_nfs_home_dirs = true
 
 # Support SAMBA home directories
 # 
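Review bot: `use_nfs_home_dirs = true` turns this boolean on for every install of the targeted policy, so the access is granted by default instead of being an opt-in the admin makes with setsebool. The comment above the setting still reads only "# Support NFS home directories"; state there why the shipped default is now on, so that a later reader can tell this was deliberate and what it was needed for.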

policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -r1.127 -r1.128
--- policy-20070703.patch	8 Nov 2007 22:07:40 -0000	1.127
+++ policy-20070703.patch	9 Nov 2007 19:42:58 -0000	1.128
@@ -266,6 +266,127 @@
  .EX
  httpd_sys_script_rw_t 
  .EE
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.0.8/man/man8/samba_selinux.8
+--- nsaserefpolicy/man/man8/samba_selinux.8	2007-10-22 13:21:44.000000000 -0400
++++ serefpolicy-3.0.8/man/man8/samba_selinux.8	2007-11-09 13:31:37.000000000 -0500
+@@ -1,50 +1,83 @@
+-.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "Samba Selinux Policy documentation"
++.TH  "samba_selinux"  "8"  "9 Nov 2007" "dwalsh at redhat.com" "Samba Selinux Policy documentation"
+ .SH "NAME"
+-samba_selinux \- Security Enhanced Linux Policy for Samba
++samba_selinux \- Securing Samba with SELinux
+ .SH "DESCRIPTION"
+ 
+ Security-Enhanced Linux secures the Samba server via flexible mandatory access
+-control.  
+-.SH FILE_CONTEXTS
+-SELinux requires files to have an extended attribute to define the file type. 
+-Policy governs the access daemons have to these files. 
+-If you want to share files other than home directories, those files must be 
+-labeled samba_share_t.  So if you created a special directory /var/eng, you 
+-would need to label the directory with the chcon tool.
+-.TP
+-chcon -t samba_share_t /var/eng
+-.TP
+-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
+-.TP
+-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+-.br
+-/var/eng(/.*)? system_u:object_r:samba_share_t
++control.  SELinux Samba policy defaults to least privilege access.  Several Booleans and file contexts are available to customize the way Samba SELinux works.
+ 
+ .SH SHARING FILES
+-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
++SELinux requires files be labeled with an extended attribute to define the file type. 
++Policy governs the access daemons have to these files. When sharing files with Samba you have many options on how to label the files.  
++If you want to share files/directories other than home directories or standard directory.  You should label these files/directories as samba_share_t.  For example if you created the directory /var/eng, you can label the directory and its contents with the chcon tool.
++
++# chcon -R -t samba_share_t /var/eng
++
++This label will not survive a relabel.  A better solution to make the change permanent, you must tell the SELinux system about the label customization.  The semanage command can customize the default file contexts on your machine. restorecon will read the file_context and apply it to the files and directories..
++
++# semange fcontext -a -t samba_share_t '/var/eng(/.*)?'
++.br
++# restorecon -R -v /var/eng
++
+ 
+-setsebool -P allow_smbd_anon_write=1
++.SH SHARING HOME DIRECTORIES
+ 
+-.SH BOOLEANS
+-.br 
+-SELinux policy is customizable based on least access required.  So by 
+-default SElinux policy turns off SELinux sharing of home directories and 
+-the use of Samba shares from a remote machine as a home directory.
+-.TP
++By default SELinux policy turns off SELinux sharing of home directories 
+ If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. 
++
++# setsebool -P samba_enable_home_dirs 1
++
++.SH SHARING PUBLIC FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
++
++# semange fcontext -a -t public_content_rw_t '/var/eng(/.*)?'
++.br
++# restorecon -R -v /var/eng
+ .br
++# setsebool -P allow_smbd_anon_write 1
++
++.SH SHARING FILES SYSTEM FILES
++Note: You should not do the above for standard directories or home directories!  For example directories owned by an RPM.  If you wanted to share /usr via Samba, changing its context and all of the sub directories  to samba_share_t would be a bad idea.  Other confined domains would no longer be able to read /usr and this would cause havoc on the machine.  There are two booleans that you can set to allow the sharing of standard directories.  If you want to share any standard directory read/only you can set the boolean samba_export_all_ro.
++
++# setsebool -P samba_export_all_ro 1
++
++This boolean will allow Samba to read every file on the system.Similarly if you want to share all files and directories via Samba, you set the samba_export_all_rw 
++
++# setsebool -P samba_export_all_rw 1
++
++This boolean would allow Samba to read and write every file on your system.  So a compromised Samba server would be very dangerous.
++
++.SH SHARING PUBLIC NFS FILES
++SELinux prevents the Samba daemons from reading/writing nfs shares by default.  If you are using samba to share NFS file systems you need to turn on the samba_share_nfs boolean
++
++# setsebool -P samba_share_nfs 1
++
++.SH USING CIFS/SAMBA HOME DIRECTORIES
++Samba SELinux policy will not allow any confined applications to access remote  
++samba shares mounted on your machine.  If you want to use a remote Samba server
++for the home directories on this machine, you must set the use_samba_home_dirs 
++boolean.
++
++# setsebool -P use_samba_home_dirs 1
++
++.SH SAMBA Scripts
++Samba can be setup to run user defined scripts, by default if you install these scripts /var/lib/samba/scripts they will be labeled samba_unconfined_script_exec_t.  Since these scripts can do just about anything on the system you can run them as unconfined.  But you need to turn on the samba_run_unconfined boolean
++
++# setsebool -P samba_run_unconfined 1
++
++If you are willing to write policy an interface exists in samba.if called samba_helper_template(APP).  This interface will create a file context of samba_APP_script_exec_t, and a domain of samba_APP_script_t. Samba will transition scripts labeled samba_app_script_exec_t to samba_APP_script_t, you can then user audit2allow to write policy to confine your script. 
++
++.SH USING SAMBA AS A DOMAIN CONTROLLER
++If you want to run samba as a domain controller, IE Add machines to the passwd 
++file on a Linux box, you need to turn on the samba_domain_controller boolean.  
++This allows the Samba daemon to run and transition to the passwd, useradd, and 
++groupadd utilities.  These tools can manipulate the passwd database.
+ 
+-setsebool -P samba_enable_home_dirs 1
+-.TP
+-If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
+-.br 
+-
+-setsebool -P use_samba_home_dirs 1
+-.TP
+-system-config-selinux is a GUI tool available to customize SELinux policy settings.
++.SH GUI system-config-selinux
++system-config-selinux is a GUI tool available to customize all of the SELinux booleans and file context described above.
+ 
+ .SH AUTHOR	
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+ 
+ .SH "SEE ALSO"
+-selinux(8), samba(7), chcon(1), setsebool(8)
++selinux(8), semanage(8), samba(7), chcon(1), setsebool(8), restorecon(8), 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/ftpd_selinux.8 serefpolicy-3.0.8/man/ru/man8/ftpd_selinux.8
 --- nsaserefpolicy/man/ru/man8/ftpd_selinux.8	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/man/ru/man8/ftpd_selinux.8	2007-10-29 23:59:29.000000000 -0400
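Review bot: both added command lines that start `# semange fcontext -a` (under SHARING FILES and under SHARING PUBLIC FILES) misspell semanage, so anyone pasting them from the man page gets a command-not-found; change both to `semanage`. In the same pass, the heading `.SH SHARING FILES SYSTEM FILES` has a doubled word, the SAMBA Scripts paragraph spells the file type both as samba_APP_script_exec_t and samba_app_script_exec_t, "you can then user audit2allow" should read "use", and the new SEE ALSO line ends with a trailing comma.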
@@ -4129,7 +4250,7 @@
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-11-09 14:39:30.000000000 -0500
 @@ -343,8 +343,7 @@
  
  ########################################
@@ -4285,7 +4406,32 @@
  ##	Do not audit attempts to read or write
  ##	character device nodes in the root directory.
  ## </summary>
-@@ -2023,6 +2040,31 @@
+@@ -1229,6 +1246,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Remove entries from the tmp directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_tmp_dir_entry',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 tmp_t:dir del_entry_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Unmount a rootfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -2023,6 +2058,31 @@
  
  ########################################
  ## <summary>
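Review bot: in files_delete_tmp_dir_entry the gen_require block declares `type root_t;`, but the rule is `allow $1 tmp_t:dir del_entry_dir_perms;`, so the one type the interface uses is never required and root_t is required for nothing. Change the require to `type tmp_t;`.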
@@ -4317,7 +4463,7 @@
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3107,6 +3149,24 @@
+@@ -3107,6 +3167,24 @@
  
  ########################################
  ## <summary>
@@ -4342,7 +4488,7 @@
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3198,6 +3258,44 @@
+@@ -3198,6 +3276,44 @@
  
  ########################################
  ## <summary>
@@ -4387,7 +4533,7 @@
  ##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
-@@ -3323,6 +3421,42 @@
+@@ -3323,6 +3439,42 @@
  
  ########################################
  ## <summary>
@@ -4430,7 +4576,7 @@
  ##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -3381,7 +3515,7 @@
+@@ -3381,7 +3533,7 @@
  
  ########################################
  ## <summary>
@@ -4439,7 +4585,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3389,17 +3523,17 @@
+@@ -3389,17 +3541,17 @@
  ##	</summary>
  ## </param>
  #
@@ -4460,7 +4606,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3407,12 +3541,12 @@
+@@ -3407,12 +3559,12 @@
  ##	</summary>
  ## </param>
  #
@@ -4475,7 +4621,7 @@
  ')
  
  ########################################
-@@ -4043,7 +4177,7 @@
+@@ -4043,7 +4195,7 @@
  		type var_t, var_lock_t;
  	')
  
@@ -4484,7 +4630,7 @@
  ')
  
  ########################################
-@@ -4560,6 +4694,8 @@
+@@ -4560,6 +4712,8 @@
  	# Need to give access to /selinux/member
  	selinux_compute_member($1)
  
@@ -4493,7 +4639,7 @@
  	# Need sys_admin capability for mounting
  	allow $1 self:capability { chown fsetid sys_admin };
  
-@@ -4582,6 +4718,11 @@
+@@ -4582,6 +4736,11 @@
  	# Default type for mountpoints
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
@@ -4505,7 +4651,7 @@
  ')
  
  ########################################
-@@ -4619,3 +4760,28 @@
+@@ -4619,3 +4778,28 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -11377,7 +11523,7 @@
  /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.if	2007-11-09 13:10:57.000000000 -0500
 @@ -332,6 +332,25 @@
  
  ########################################
@@ -11419,8 +11565,8 @@
 +
 +########################################
 +## <summary>
-+##	Create a set of derived types for apache
-+##	web content.
++##	Create a set of derived types for samba
++##	helper scripts.
 +## </summary>
 +## <param name="prefix">
 +##	<summary>
@@ -11517,7 +11663,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te	2007-11-01 13:41:52.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.te	2007-11-09 12:27:28.000000000 -0500
 @@ -137,6 +137,11 @@
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
@@ -13637,7 +13783,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-11-08 09:15:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-11-09 14:35:36.000000000 -0500
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -13701,7 +13847,7 @@
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
  	selinux_compute_access_vector($1)
-@@ -196,22 +218,40 @@
+@@ -196,22 +218,41 @@
  	mls_fd_share_all_levels($1)
  
  	auth_domtrans_chk_passwd($1)
@@ -13728,6 +13874,7 @@
  	seutil_read_default_contexts($1)
  
 +	userdom_set_rlimitnh($1)
++	userdom_unlink_unpriv_users_tmp_files($1)
 +
 +	optional_policy(`
 +		nis_authenticate($1)
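Review bot: `userdom_unlink_unpriv_users_tmp_files($1)` is added unconditionally next to `userdom_set_rlimitnh($1)` with no comment, so every domain that calls this interface gains unlink on all files carrying the user_tmpfile attribute (per the interface body added to userdomain.if in this same patch). Add a one-line comment naming what needs it, so the grant can be narrowed or dropped later without having to dig through the CVS log.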
@@ -13743,7 +13890,7 @@
  	')
  ')
  
-@@ -309,9 +349,6 @@
+@@ -309,9 +350,6 @@
  		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
  	')
  
@@ -13753,7 +13900,7 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
  
-@@ -329,6 +366,8 @@
+@@ -329,6 +367,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -13762,7 +13909,7 @@
  	')
  
  	optional_policy(`
-@@ -347,6 +386,37 @@
+@@ -347,6 +387,37 @@
  
  ########################################
  ## <summary>
@@ -13800,7 +13947,7 @@
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -695,6 +765,24 @@
+@@ -695,6 +766,24 @@
  
  ########################################
  ## <summary>
@@ -13825,7 +13972,7 @@
  ##	Execute pam programs in the PAM domain.
  ## </summary>
  ## <param name="domain">
-@@ -1318,16 +1406,14 @@
+@@ -1318,16 +1407,14 @@
  ## </param>
  #
  interface(`auth_use_nsswitch',`
@@ -13845,7 +13992,7 @@
  	miscfiles_read_certs($1)
  
  	sysnet_dns_name_resolve($1)
-@@ -1347,6 +1433,8 @@
+@@ -1347,6 +1434,8 @@
  
  	optional_policy(`
  		samba_stream_connect_winbind($1)
@@ -13854,7 +14001,7 @@
  	')
  ')
  
-@@ -1381,3 +1469,181 @@
+@@ -1381,3 +1470,181 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -16506,7 +16653,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-11-09 14:27:22.000000000 -0500
 @@ -76,7 +76,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -16666,17 +16813,17 @@
 -
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t)
+-
+-corecmd_exec_bin(semanage_t)
 +init_dontaudit_use_fds(setsebool_t)
  
--corecmd_exec_bin(semanage_t)
+-dev_read_urand(semanage_t)
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_selinux_config(setsebool_t)
  
--dev_read_urand(semanage_t)
--
 -domain_use_interactive_fds(semanage_t)
 -
 -files_read_etc_files(semanage_t)
@@ -16744,16 +16891,19 @@
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -521,6 +503,8 @@
+@@ -521,6 +503,11 @@
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
  
 +logging_send_audit_msgs(setfiles_t)
 +
++files_list_isid_type_dirs(setfiles_t)
++files_read_isid_type_files(setfiles_t)
++
  kernel_read_system_state(setfiles_t)
  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
  kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -537,6 +521,7 @@
+@@ -537,6 +524,7 @@
  
  fs_getattr_xattr_fs(setfiles_t)
  fs_list_all(setfiles_t)
@@ -16761,7 +16911,7 @@
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
  
-@@ -590,8 +575,16 @@
+@@ -590,8 +578,16 @@
  	fs_relabel_tmpfs_chr_file(setfiles_t)
  ')
  
@@ -17352,7 +17502,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-11-01 13:54:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-11-08 17:36:37.000000000 -0500
 @@ -5,36 +5,52 @@
  #
  # Declarations
@@ -17460,55 +17610,54 @@
  ')
  
  optional_policy(`
-@@ -107,6 +123,10 @@
+@@ -107,22 +123,22 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
-+
+-')
+ 
+-optional_policy(`
+-	firstboot_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	optional_policy(`
 +		vpnc_dbus_chat(unconfined_t)
 +	')
  ')
  
  optional_policy(`
-@@ -114,15 +134,15 @@
- ')
- 
- optional_policy(`
 -	ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-+	java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++	firstboot_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	inn_domtrans(unconfined_t)
-+	ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++	java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
 -	java_domtrans(unconfined_t)
-+	iptables_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++	ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
-@@ -130,15 +150,10 @@
+@@ -130,15 +146,10 @@
  ')
  
  optional_policy(`
 -	modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+-')
+-
+-optional_policy(`
+-	mono_domtrans(unconfined_t)
 +	mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  ')
 -
  optional_policy(`
--	mono_domtrans(unconfined_t)
--')
--
--optional_policy(`
 -	mta_per_role_template(unconfined,unconfined_t,unconfined_r)
 +	modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
-@@ -155,32 +170,23 @@
+@@ -155,32 +166,23 @@
  
  optional_policy(`
  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -17545,22 +17694,22 @@
  ')
  
  optional_policy(`
-@@ -205,11 +211,22 @@
+@@ -205,11 +207,22 @@
  ')
  
  optional_policy(`
 -	wine_domtrans(unconfined_t)
 +	wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-+')
-+
-+optional_policy(`
-+	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
-+	unconfined_domain(unconfined_mozilla_t)
-+	allow unconfined_mozilla_t self:process { execstack execmem };
  ')
  
  optional_policy(`
 -	xserver_domtrans_xdm_xserver(unconfined_t)
++	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
++	unconfined_domain(unconfined_mozilla_t)
++	allow unconfined_mozilla_t self:process { execstack execmem };
++')
++
++optional_policy(`
 +	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
 +')
 +
@@ -17570,7 +17719,7 @@
  ')
  
  ########################################
-@@ -219,14 +236,28 @@
+@@ -219,14 +232,28 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -17610,7 +17759,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-11-07 17:15:08.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-11-09 14:38:42.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -18651,7 +18800,33 @@
  ')
  
  ########################################
-@@ -5529,6 +5687,24 @@
+@@ -5346,6 +5504,25 @@
+ 
+ ########################################
+ ## <summary>
++##	unlink all unprivileged users files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_unlink_unpriv_users_tmp_files',`
++	gen_require(`
++		attribute user_tmpfile;
++	')
++
++	files_delete_tmp_dir_entry($1)
++	allow $1 user_tmpfile:file unlink;
++')
++
++########################################
++## <summary>
+ ##	Write all unprivileged users files in /tmp
+ ## </summary>
+ ## <param name="domain">
+@@ -5529,6 +5706,24 @@
  
  ########################################
  ## <summary>
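Review bot: `allow $1 user_tmpfile:file unlink;` in userdom_unlink_unpriv_users_tmp_files covers only the file class, so the interface grants nothing for symlinks, sockets or FIFOs left in /tmp even though files_delete_tmp_dir_entry($1) allows removing entries from the directory. If the intent is for login programs to clean up whatever a session left behind, add the other classes explicitly; if it really is regular files only, say so in the summary. The summary line also starts lower-case, unlike the neighbouring "Write all unprivileged users files in /tmp".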
@@ -18676,7 +18851,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5735,379 @@
+@@ -5559,3 +5754,379 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.572
retrieving revision 1.573
diff -u -r1.572 -r1.573
--- selinux-policy.spec	8 Nov 2007 22:07:40 -0000	1.572
+++ selinux-policy.spec	9 Nov 2007 19:42:59 -0000	1.573
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 49%{?dist}
+Release: 50%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,9 @@
 %endif
 
 %changelog
+* Fri Nov 9 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-50
+- Allow login programs to delete user temp files
+
 * Thu Nov 8 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-49
 - Separate xguest from guest
 - Allow confined domains to output to rpm pipes
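Review bot: the 3.0.8-50 changelog entry lists only "Allow login programs to delete user temp files", while the same commit also changes the use_nfs_home_dirs default in booleans-targeted.conf, rewrites samba_selinux.8, and gives setfiles_t files_list_isid_type_dirs and files_read_isid_type_files. Add a changelog line for each of these so the package history matches what 3.0.8-50 ships.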



