rpms/selinux-policy/devel policy-20070703.patch, 1.61, 1.62 selinux-policy.spec, 1.524, 1.525
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Sep 20 14:39:47 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12707
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Wed Sep 19 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-3
- Allow xserver to search devpts_t
- Dontaudit ldconfig output to homedir
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- policy-20070703.patch 19 Sep 2007 17:40:59 -0000 1.61
+++ policy-20070703.patch 20 Sep 2007 14:39:14 -0000 1.62
@@ -1145,7 +1145,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-09-19 16:12:56.000000000 -0400
@@ -92,6 +92,7 @@
dev_read_urand(chfn_t)
@@ -1154,7 +1154,15 @@
auth_dontaudit_read_shadow(chfn_t)
# allow checking if a shell is executable
-@@ -520,6 +521,10 @@
+@@ -297,6 +298,7 @@
+ term_use_all_user_ttys(passwd_t)
+ term_use_all_user_ptys(passwd_t)
+
++auth_domtrans_chk_passwd(passwd_t)
+ auth_manage_shadow(passwd_t)
+ auth_relabel_shadow(passwd_t)
+ auth_etc_filetrans_shadow(passwd_t)
+@@ -520,6 +522,10 @@
mta_manage_spool(useradd_t)
optional_policy(`
@@ -1165,7 +1173,7 @@
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
-@@ -529,6 +534,12 @@
+@@ -529,6 +535,12 @@
')
optional_policy(`
@@ -1452,7 +1460,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 08:56:23.000000000 -0400
@@ -32,7 +32,7 @@
## </summary>
## </param>
@@ -1472,7 +1480,7 @@
allow $1_javaplugin_t $2:fd use;
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-@@ -166,6 +165,53 @@
+@@ -166,6 +165,57 @@
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
@@ -1515,6 +1523,10 @@
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t,java_exec_t)
+ role $3 types $1_java_t;
++
++ domain_interactive_fd($1_java_t)
++
++ userdom_unpriv_usertype($1, $1_java_t)
+
+ allow $1_java_t self:process { execheap execmem };
+
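Review bot: `userdom_unpriv_usertype($1, $1_java_t)` is added without a comment, and its definition is not visible in this diff; judging by the userdomain.if hunks further down, it presumably adds the type to the `$1_usertype` attribute. If so, a domain that already holds `execheap execmem` (the line just below the addition) also picks up every rule the patch grants to that attribute, including management of the user's home and tmp content. The same call is added for `$1_mono_t` in the mono.if hunk and in the new wine_per_role_template. A comment such as `# joins $1_usertype: inherits the user's home/tmp access` would make the consequence visible to the next auditor. The template body starts and ends outside this hunk.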
@@ -1526,7 +1538,7 @@
')
########################################
-@@ -219,3 +265,66 @@
+@@ -219,3 +269,66 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
@@ -1606,8 +1618,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-17 16:20:18.000000000 -0400
-@@ -18,3 +18,98 @@
++++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 08:56:35.000000000 -0400
+@@ -18,3 +18,102 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
')
@@ -1698,6 +1710,10 @@
+ domain_entry_file($1_mono_t,mono_exec_t)
+ role $3 types $1_mono_t;
+
++ domain_interactive_fd($1_mono_t)
++
++ userdom_unpriv_usertype($1, $1_mono_t)
++
+ allow $1_mono_t self:process { execheap execmem };
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
@@ -2105,8 +2121,8 @@
allow vmware_host_t self:rawip_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-09-17 16:20:18.000000000 -0400
-@@ -18,3 +18,34 @@
++++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-09-20 08:56:45.000000000 -0400
+@@ -18,3 +18,84 @@
corecmd_search_bin($1)
domtrans_pattern($1, wine_exec_t, wine_t)
')
@@ -2141,9 +2157,59 @@
+ role $2 types wine_t;
+ allow wine_t $3:chr_file rw_term_perms;
+')
++
++#######################################
++## <summary>
++## The per role template for the wine module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for wine applications.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++#
++template(`wine_per_role_template',`
++ gen_require(`
++ type wine_exec_t;
++ ')
++
++ type $1_wine_t;
++ domain_type($1_wine_t)
++ domain_entry_file($1_wine_t,wine_exec_t)
++ role $3 types $1_wine_t;
++
++ domain_interactive_fd($1_wine_t)
++
++ userdom_unpriv_usertype($1, $1_wine_t)
++
++ allow $1_wine_t self:process { execheap execmem };
++
++ domtrans_pattern($2, wine_exec_t, $1_wine_t)
++
++ optional_policy(`
++ xserver_xdm_rw_shm($1_wine_t)
++ ')
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2007-09-20 09:45:04.000000000 -0400
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
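Review bot: The new wine_per_role_template grants `allow $1_wine_t self:process { execheap execmem };` unconditionally, so every role that instantiates it gets a domain with writable-and-executable memory regardless of any boolean setting. If wine cannot run without these permissions, say so in a comment next to the rule; otherwise consider placing it under the allow_execmem tunable that userdomain.if already uses. The template summary also has a grammar slip: `creates a derived domains which are used` should read `creates a derived domain which is used`.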
@@ -2166,7 +2232,7 @@
+')
+
+optional_policy(`
-+ xserver_xdm_rw_shm(mono_t)
++ xserver_xdm_rw_shm(wine_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400
@@ -4294,6 +4360,34 @@
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.0.8/policy/modules/services/consolekit.if
+--- nsaserefpolicy/policy/modules/services/consolekit.if 2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/consolekit.if 2007-09-20 08:49:41.000000000 -0400
+@@ -38,3 +38,24 @@
+ allow $1 consolekit_t:dbus send_msg;
+ allow consolekit_t $1:dbus send_msg;
+ ')
++
++########################################
++## <summary>
++## dontaudit send and receive messages from
++## consolekit over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`consolekit_dontaudit_dbus_chat',`
++ gen_require(`
++ type consolekit_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-09-17 16:20:18.000000000 -0400
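Review bot: The parameter summary on the new consolekit_dontaudit_dbus_chat interface says `Domain allowed access.`, but the interface grants nothing and only adds two `dontaudit` rules, so the text should read `Domain to not audit.`. The networkmanager_dontaudit_dbus_chat interface added in the next hunk carries the same copied summary. Because both directions are silenced, a denied send_msg between the caller and consolekit_t no longer produces an audit record; stating that in the summary tells callers what they are hiding when they use it.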
@@ -6788,9 +6882,37 @@
########################################
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
+--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-15 14:54:33.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-09-20 08:50:57.000000000 -0400
+@@ -97,3 +97,24 @@
+ allow $1 NetworkManager_t:dbus send_msg;
+ allow NetworkManager_t $1:dbus send_msg;
+ ')
++
++########################################
++## <summary>
++## dontaudit send and receive messages from
++## NetworkManager over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_dontaudit_dbus_chat',`
++ gen_require(`
++ type NetworkManager_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 NetworkManager_t:dbus send_msg;
++ dontaudit NetworkManager_t $1:dbus send_msg;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-20 08:50:29.000000000 -0400
@@ -20,7 +20,7 @@
# networkmanager will ptrace itself if gdb is installed
@@ -9342,7 +9464,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-19 11:59:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 09:43:06.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -9412,7 +9534,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +558,46 @@
+@@ -555,25 +558,49 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -9426,10 +9548,12 @@
userdom_search_user_home_dirs($1,$2)
- # for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1,$2)
--
+ userdom_manage_user_home_content_dirs($1, xdm_t)
+ userdom_manage_user_home_content_files($1, xdm_t)
+ userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
++ userdom_manage_user_tmp_dirs($1, xdm_t)
++ userdom_manage_user_tmp_files($1, xdm_t)
+
xserver_ro_session_template(xdm,$2,$3)
- xserver_rw_session_template($1,$2,$3)
- xserver_use_user_fonts($1,$2)
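Review bot: The added `userdom_manage_user_tmp_dirs($1, xdm_t)` and `userdom_manage_user_tmp_files($1, xdm_t)` carry no rationale, whereas the rule this block replaces was annotated `# for .xsession-errors`. They give xdm_t manage rights over the user's tmp directories and files in addition to the home-content rights already present, which is a broad grant for a login-manager domain. Please add a comment naming what xdm needs there, e.g. `# xdm creates <file> in the user's tmp dir`, so a later review can judge whether a narrower interface would do. The enclosing template starts and ends outside this hunk.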
@@ -9468,7 +9592,7 @@
')
')
-@@ -626,6 +650,24 @@
+@@ -626,6 +653,24 @@
########################################
## <summary>
@@ -9493,7 +9617,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +701,73 @@
+@@ -659,6 +704,73 @@
########################################
## <summary>
@@ -9567,7 +9691,15 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -987,6 +1096,37 @@
+@@ -927,6 +1039,7 @@
+ files_search_tmp($1)
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+ create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
++ allow $1 xdm_tmp_t:sock_file unlink;
+ ')
+
+ ########################################
+@@ -987,6 +1100,37 @@
########################################
## <summary>
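Review bot: The added `allow $1 xdm_tmp_t:sock_file unlink;` has no comment, and the interface it belongs to begins above the hunk, so its name is not visible here. The rule covers every sock_file labelled xdm_tmp_t, not only those the caller created through the `create_sock_files_pattern` line above it, so any domain using this interface can remove xdm's socket files. A comment naming the caller that needs it, e.g. `# <caller> removes its stale socket on exit`, would let a later audit decide whether the permission can be narrowed.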
@@ -9605,7 +9737,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1276,7 @@
+@@ -1136,7 +1280,7 @@
type xdm_xserver_tmp_t;
')
@@ -9614,7 +9746,7 @@
')
########################################
-@@ -1325,3 +1465,62 @@
+@@ -1325,3 +1469,62 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -9894,7 +10026,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 09:08:43.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -9905,16 +10037,17 @@
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
-@@ -107,7 +108,7 @@
+@@ -106,9 +107,6 @@
+ role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t;
- # cjp: is this really needed?
+- # cjp: is this really needed?
- allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+ logging_send_audit_msgs($2)
-
+-
dontaudit $2 shadow_t:file { getattr read };
-@@ -169,6 +170,9 @@
+ # Transition from the user domain to this domain.
+@@ -169,6 +167,9 @@
## </param>
#
interface(`auth_login_pgm_domain',`
@@ -9924,7 +10057,7 @@
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +180,23 @@
+@@ -176,11 +177,23 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@@ -9948,7 +10081,7 @@
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +212,33 @@
+@@ -196,22 +209,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -9983,7 +10116,7 @@
')
')
-@@ -309,9 +336,6 @@
+@@ -309,9 +333,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -9993,7 +10126,7 @@
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +353,7 @@
+@@ -329,6 +350,7 @@
optional_policy(`
kerberos_use($1)
@@ -10001,7 +10134,7 @@
')
optional_policy(`
-@@ -347,6 +372,37 @@
+@@ -347,6 +369,37 @@
########################################
## <summary>
@@ -10039,7 +10172,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +751,24 @@
+@@ -695,6 +748,24 @@
########################################
## <summary>
@@ -10064,7 +10197,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,14 +1392,9 @@
+@@ -1318,14 +1389,9 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -10079,7 +10212,7 @@
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1450,163 @@
+@@ -1381,3 +1447,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -11970,7 +12103,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 09:37:08.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -12022,12 +12155,12 @@
+#
+interface(`seutil_domtrans_setsebool',`
+ gen_require(`
-+ type semanage_t, setsebool_exec_t;
++ type setsebool_t, setsebool_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
-+ domtrans_pattern($1,setsebool_exec_t,semanage_t)
++ domtrans_pattern($1,setsebool_exec_t,setsebool_t)
+')
+
+########################################
@@ -12084,7 +12217,7 @@
## Full management of the semanage
## module store.
## </summary>
-@@ -1058,3 +1134,120 @@
+@@ -1058,3 +1134,124 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -12157,6 +12290,9 @@
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ logging_send_audit_msgs($1)
+
++ # Running genhomedircon requires this for finding all users
++ auth_use_nsswitch($1)
++
+ allow $1 policy_config_t:file { read write };
+
+ allow $1 semanage_tmp_t:dir manage_dir_perms;
@@ -12197,6 +12333,7 @@
+
+ miscfiles_read_localization($1)
+
++ seutil_search_default_contexts($1)
+ seutil_domtrans_loadpolicy($1)
+ seutil_read_config($1)
+ seutil_manage_bin_policy($1)
@@ -12207,7 +12344,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 09:31:29.000000000 -0400
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -12349,6 +12486,8 @@
#
+seutil_semanage_policy(setsebool_t)
+selinux_set_boolean(setsebool_t)
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
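Review bot: The comment `# Bug in semanage` above `seutil_domtrans_setfiles(setsebool_t)` does not say which bug it works around or when the rule can be dropped. The rule lets setsebool_t transition into the setfiles domain, which is a wider privilege than setting booleans, so the workaround should be traceable. Suggest `# Workaround for semanage bug <BUG-ID>: remove once fixed`, with the real reference filled in.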
@@ -12383,25 +12522,25 @@
-selinux_getattr_fs(semanage_t)
-# for setsebool:
-selinux_set_boolean(semanage_t)
+-
+-term_use_all_terms(semanage_t)
+-
+-# Running genhomedircon requires this for finding all users
+-auth_use_nsswitch(semanage_t)
+-
+-libs_use_ld_so(semanage_t)
+-libs_use_shared_libs(semanage_t)
+-
+-locallogin_use_fds(semanage_t)
+########################################
+#
+# semodule local policy
+#
--term_use_all_terms(semanage_t)
+-logging_send_syslog_msg(semanage_t)
+seutil_semanage_policy(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
- # Running genhomedircon requires this for finding all users
- auth_use_nsswitch(semanage_t)
--
--libs_use_ld_so(semanage_t)
--libs_use_shared_libs(semanage_t)
--
--locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
--
-miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
@@ -12992,39 +13131,151 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-19 13:32:51.000000000 -0400
-@@ -45,7 +45,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 09:09:10.000000000 -0400
+@@ -29,8 +29,9 @@
+ ')
+
+ attribute $1_file_type;
++ attribute $1_usertype;
+
+- type $1_t, userdomain;
++ type $1_t, userdomain, $1_usertype;
+ domain_type($1_t)
+ corecmd_shell_entry_type($1_t)
+ corecmd_bin_entry_type($1_t)
+@@ -45,65 +46,69 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
-+ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
- allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -62,6 +62,10 @@
-
- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
-
-+ application_exec_all($1_t)
-+
-+ auth_use_nsswitch($1_t)
-+
- kernel_read_kernel_sysctls($1_t)
- kernel_dontaudit_list_unlabeled($1_t)
- kernel_dontaudit_getattr_unlabeled_files($1_t)
-@@ -114,6 +118,10 @@
+- allow $1_t self:fd use;
+- allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
+- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
+- allow $1_t self:shm create_shm_perms;
+- allow $1_t self:sem create_sem_perms;
+- allow $1_t self:msgq create_msgq_perms;
+- allow $1_t self:msg { send receive };
+- allow $1_t self:context contains;
+- dontaudit $1_t self:socket create;
+-
+- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+- term_create_pty($1_t,$1_devpts_t)
+-
+- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
+-
+- kernel_read_kernel_sysctls($1_t)
+- kernel_dontaudit_list_unlabeled($1_t)
+- kernel_dontaudit_getattr_unlabeled_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
++ allow $1_t $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
++ allow $1_usertype $1_usertype:fd use;
++ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
++ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
++ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
++ allow $1_usertype $1_usertype:shm create_shm_perms;
++ allow $1_usertype $1_usertype:sem create_sem_perms;
++ allow $1_usertype $1_usertype:msgq create_msgq_perms;
++ allow $1_usertype $1_usertype:msg { send receive };
++ allow $1_usertype $1_usertype:context contains;
++ dontaudit $1_usertype $1_usertype:socket create;
++
++ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
++ term_create_pty($1_usertype,$1_devpts_t)
++
++ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
++
++ application_exec_all($1_usertype)
++
++ auth_use_nsswitch($1_usertype)
++
++ kernel_read_kernel_sysctls($1_usertype)
++ kernel_dontaudit_list_unlabeled($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
++ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
+
+ # When the user domain runs ps, there will be a number of access
+ # denials when ps tries to search /proc. Do not audit these denials.
+- domain_dontaudit_read_all_domains_state($1_t)
+- domain_dontaudit_getattr_all_domains($1_t)
+- domain_dontaudit_getsession_all_domains($1_t)
+-
+- files_read_etc_files($1_t)
+- files_read_etc_runtime_files($1_t)
+- files_read_usr_files($1_t)
++ domain_dontaudit_read_all_domains_state($1_usertype)
++ domain_dontaudit_getattr_all_domains($1_usertype)
++ domain_dontaudit_getsession_all_domains($1_usertype)
++
++ files_read_etc_files($1_usertype)
++ files_read_etc_runtime_files($1_usertype)
++ files_read_usr_files($1_usertype)
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+- files_list_world_readable($1_t)
+- files_read_world_readable_files($1_t)
+- files_read_world_readable_symlinks($1_t)
+- files_read_world_readable_pipes($1_t)
+- files_read_world_readable_sockets($1_t)
++ files_list_world_readable($1_usertype)
++ files_read_world_readable_files($1_usertype)
++ files_read_world_readable_symlinks($1_usertype)
++ files_read_world_readable_pipes($1_usertype)
++ files_read_world_readable_sockets($1_usertype)
+ # old broswer_domain():
+- files_dontaudit_list_non_security($1_t)
+- files_dontaudit_getattr_non_security_files($1_t)
+- files_dontaudit_getattr_non_security_symlinks($1_t)
+- files_dontaudit_getattr_non_security_pipes($1_t)
+- files_dontaudit_getattr_non_security_sockets($1_t)
+- files_dontaudit_getattr_non_security_blk_files($1_t)
+- files_dontaudit_getattr_non_security_chr_files($1_t)
+-
+- libs_use_ld_so($1_t)
+- libs_use_shared_libs($1_t)
+- libs_exec_ld_so($1_t)
++ files_dontaudit_list_non_security($1_usertype)
++ files_dontaudit_getattr_non_security_files($1_usertype)
++ files_dontaudit_getattr_non_security_symlinks($1_usertype)
++ files_dontaudit_getattr_non_security_pipes($1_usertype)
++ files_dontaudit_getattr_non_security_sockets($1_usertype)
++ files_dontaudit_getattr_non_security_blk_files($1_usertype)
++ files_dontaudit_getattr_non_security_chr_files($1_usertype)
++
++ libs_use_ld_so($1_usertype)
++ libs_use_shared_libs($1_usertype)
++ libs_exec_ld_so($1_usertype)
+
+- miscfiles_read_localization($1_t)
+- miscfiles_read_certs($1_t)
++ miscfiles_read_localization($1_usertype)
++ miscfiles_read_certs($1_usertype)
+
+- sysnet_read_config($1_t)
++ sysnet_read_config($1_usertype)
+
+ tunable_policy(`allow_execmem',`
+ # Allow loading DSOs that require executable stack.
+@@ -114,6 +119,10 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ optional_policy(`
-+ ssh_rw_stream_sockets($1_t)
++ ssh_rw_stream_sockets($1_usertype)
+ ')
')
#######################################
-@@ -184,7 +192,7 @@
+@@ -184,7 +193,7 @@
files_list_home($1_t)
tunable_policy(`use_nfs_home_dirs',`
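Review bot: Replacing `$1_t self:` with `$1_usertype $1_usertype:` in the rules for fd, fifo_file, unix_dgram_socket, unix_stream_socket, shm, sem, msgq and msg changes their meaning: every type in the attribute now gets these permissions on every other type in it, not only on itself. Since the java, mono and wine derived domains appear to join the attribute elsewhere in this patch, this would allow, for instance, stream-socket `connectto` and shm access between them and `$1_t`. If only per-domain self access is intended, keep the target as self, e.g. `allow $1_usertype self:unix_stream_socket { create_stream_socket_perms connectto };`, and likewise for the other classes. The enclosing template starts above this hunk.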
@@ -13033,7 +13284,7 @@
fs_read_nfs_files($1_t)
fs_read_nfs_symlinks($1_t)
fs_read_nfs_named_sockets($1_t)
-@@ -195,7 +203,7 @@
+@@ -195,7 +204,7 @@
')
tunable_policy(`use_samba_home_dirs',`
@@ -13042,41 +13293,133 @@
fs_read_cifs_files($1_t)
fs_read_cifs_symlinks($1_t)
fs_read_cifs_named_sockets($1_t)
-@@ -315,13 +323,19 @@
+@@ -262,42 +271,42 @@
+
+ # full control of the home directory
+ allow $1_t $1_home_t:file entrypoint;
+- manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+- filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+- files_list_home($1_t)
++ manage_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ manage_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ manage_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ manage_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ manage_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ relabel_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ relabel_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ relabel_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ relabel_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ relabel_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
++ filetrans_pattern($1_usertype,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
++ files_list_home($1_usertype)
+
+ # cjp: this should probably be removed:
+- allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
++ allow $1_usertype $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+
+ tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs($1_t)
+- fs_manage_nfs_files($1_t)
+- fs_manage_nfs_symlinks($1_t)
+- fs_manage_nfs_named_sockets($1_t)
+- fs_manage_nfs_named_pipes($1_t)
++ fs_manage_nfs_dirs($1_usertype)
++ fs_manage_nfs_files($1_usertype)
++ fs_manage_nfs_symlinks($1_usertype)
++ fs_manage_nfs_named_sockets($1_usertype)
++ fs_manage_nfs_named_pipes($1_usertype)
+ ',`
+- fs_dontaudit_manage_nfs_dirs($1_t)
+- fs_dontaudit_manage_nfs_files($1_t)
++ fs_dontaudit_manage_nfs_dirs($1_usertype)
++ fs_dontaudit_manage_nfs_files($1_usertype)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs($1_t)
+- fs_manage_cifs_files($1_t)
+- fs_manage_cifs_symlinks($1_t)
+- fs_manage_cifs_named_sockets($1_t)
+- fs_manage_cifs_named_pipes($1_t)
++ fs_manage_cifs_dirs($1_usertype)
++ fs_manage_cifs_files($1_usertype)
++ fs_manage_cifs_symlinks($1_usertype)
++ fs_manage_cifs_named_sockets($1_usertype)
++ fs_manage_cifs_named_pipes($1_usertype)
+ ',`
+- fs_dontaudit_manage_cifs_dirs($1_t)
+- fs_dontaudit_manage_cifs_files($1_t)
++ fs_dontaudit_manage_cifs_dirs($1_usertype)
++ fs_dontaudit_manage_cifs_files($1_usertype)
+ ')
+ ')
+
+@@ -315,14 +324,20 @@
## <rolebase/>
#
template(`userdom_exec_home_template',`
- can_exec($1_t,$1_home_t)
- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1_t)
+ tunable_policy(`allow_$1_exec_content', `
-+ can_exec($1_t,$1_home_t)
++ can_exec($1_usertype,$1_home_t)
+ ',`
-+ dontaudit $1_t $1_home_t:file execute;
-+ ')
-+
-+
-+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
- fs_exec_nfs_files($1_t)
++ dontaudit $1_usertype $1_home_t:file execute;
')
- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1_t)
++
++ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
++ fs_exec_nfs_files($1_usertype)
++ ')
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
- fs_exec_cifs_files($1_t)
++ fs_exec_cifs_files($1_usertype)
')
')
-@@ -395,7 +409,9 @@
+
+@@ -374,12 +389,12 @@
+ type $1_tmp_t, $1_file_type;
+ files_tmp_file($1_tmp_t)
+
+- manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
+- manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+- manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+- manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+- manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+- files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
++ manage_dirs_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
++ manage_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
++ manage_lnk_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
++ manage_sock_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
++ manage_fifo_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
++ files_tmp_filetrans($1_usertype, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
+ ')
+
+ #######################################
+@@ -395,7 +410,9 @@
## <rolebase/>
#
template(`userdom_exec_tmp_template',`
- exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ tunable_policy(`allow_$1_exec_content', `
-+ exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
++ exec_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
+ ')
')
#######################################
-@@ -509,10 +525,6 @@
+@@ -509,10 +526,6 @@
## <rolebase/>
#
template(`userdom_exec_generic_pgms_template',`
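Review bot: The rule under the existing comment `# cjp: this should probably be removed:` is widened from `$1_t` to `$1_usertype` instead of being left alone, so `manage_dir_perms relabel_dir_perms` on `$1_home_dir_t` now reaches every type in the attribute. The relabel_*_pattern lines above it are widened the same way. Relabelling home content is a stronger right than reading or writing it, so unless a derived domain is known to need it I would keep those rules on the base type, e.g. `relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)`. The template starts above the hunk.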
@@ -13087,7 +13430,7 @@
corecmd_exec_bin($1_t)
')
-@@ -530,9 +542,6 @@
+@@ -530,9 +543,6 @@
## <rolebase/>
#
template(`userdom_basic_networking_template',`
@@ -13097,7 +13440,7 @@
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
-@@ -563,32 +572,29 @@
+@@ -563,32 +573,29 @@
#
template(`userdom_xwindows_client_template',`
gen_require(`
@@ -13151,7 +13494,7 @@
')
#######################################
-@@ -664,67 +670,39 @@
+@@ -664,67 +671,39 @@
attribute unpriv_userdomain;
')
@@ -13222,7 +13565,7 @@
files_exec_etc_files($1_t)
files_search_locks($1_t)
# Check to see if cdrom is mounted
-@@ -737,12 +715,6 @@
+@@ -737,12 +716,6 @@
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
@@ -13235,7 +13578,7 @@
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
-@@ -755,31 +727,16 @@
+@@ -755,31 +728,16 @@
storage_getattr_fixed_disk_dev($1_t)
auth_read_login_records($1_t)
@@ -13269,7 +13612,7 @@
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_t)
-@@ -794,19 +751,12 @@
+@@ -794,19 +752,12 @@
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
@@ -13289,7 +13632,7 @@
optional_policy(`
alsa_read_rw_config($1_t)
')
-@@ -821,11 +771,6 @@
+@@ -821,11 +772,6 @@
')
optional_policy(`
@@ -13301,7 +13644,7 @@
allow $1_t self:dbus send_msg;
dbus_system_bus_client_template($1,$1_t)
-@@ -834,21 +779,18 @@
+@@ -834,21 +780,18 @@
')
optional_policy(`
@@ -13327,7 +13670,7 @@
')
optional_policy(`
-@@ -876,17 +818,17 @@
+@@ -876,17 +819,17 @@
')
optional_policy(`
@@ -13353,7 +13696,7 @@
')
optional_policy(`
-@@ -900,16 +842,6 @@
+@@ -900,16 +843,6 @@
')
optional_policy(`
@@ -13370,7 +13713,7 @@
resmgr_stream_connect($1_t)
')
-@@ -919,11 +851,6 @@
+@@ -919,11 +852,6 @@
')
optional_policy(`
@@ -13382,7 +13725,7 @@
samba_stream_connect_winbind($1_t)
')
-@@ -954,21 +881,163 @@
+@@ -954,21 +882,163 @@
## </summary>
## </param>
#
@@ -13457,66 +13800,66 @@
- userdom_common_user_template($1)
+ auth_dontaudit_write_login_records($1_t)
+
-+ dev_read_sysfs($1_t)
-+ dev_read_urand($1_t)
++ dev_read_sysfs($1_usertype)
++ dev_read_urand($1_usertype)
+
-+ kernel_dontaudit_read_system_state($1_t)
++ kernel_dontaudit_read_system_state($1_usertype)
+
-+ domain_use_interactive_fds($1_t)
++ domain_use_interactive_fds($1_usertype)
+ # Command completion can fire hundreds of denials
-+ domain_dontaudit_exec_all_entry_files($1_t)
++ domain_dontaudit_exec_all_entry_files($1_usertype)
+
+ # Stat lost+found.
-+ files_getattr_lost_found_dirs($1_t)
++ files_getattr_lost_found_dirs($1_usertype)
+
-+ fs_get_all_fs_quotas($1_t)
-+ fs_getattr_all_fs($1_t)
-+ fs_getattr_all_dirs($1_t)
-+ fs_search_auto_mountpoints($1_t)
-+ fs_list_inotifyfs($1_t)
++ fs_get_all_fs_quotas($1_usertype)
++ fs_getattr_all_fs($1_usertype)
++ fs_getattr_all_dirs($1_usertype)
++ fs_search_auto_mountpoints($1_usertype)
++ fs_list_inotifyfs($1_usertype)
+
+ # Stop warnings about access to /dev/console
-+ init_dontaudit_rw_utmp($1_t)
-+ init_dontaudit_use_fds($1_t)
-+ init_dontaudit_use_script_fds($1_t)
++ init_dontaudit_rw_utmp($1_usertype)
++ init_dontaudit_use_fds($1_usertype)
++ init_dontaudit_use_script_fds($1_usertype)
+
-+ libs_exec_lib_files($1_t)
++ libs_exec_lib_files($1_usertype)
+
-+ logging_dontaudit_getattr_all_logs($1_t)
++ logging_dontaudit_getattr_all_logs($1_usertype)
+
-+ miscfiles_read_man_pages($1_t)
++ miscfiles_read_man_pages($1_usertype)
+ # for running TeX programs
-+ miscfiles_read_tetex_data($1_t)
-+ miscfiles_exec_tetex_data($1_t)
++ miscfiles_read_tetex_data($1_usertype)
++ miscfiles_exec_tetex_data($1_usertype)
+
-+ seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
+
-+ files_dontaudit_list_default($1_t)
-+ files_dontaudit_read_default_files($1_t)
++ files_dontaudit_list_default($1_usertype)
++ files_dontaudit_read_default_files($1_usertype)
+
+ userdom_poly_home_template($1)
+ userdom_poly_tmp_template($1)
+
+ optional_policy(`
-+ cups_stream_connect($1_t)
-+ cups_stream_connect_ptal($1_t)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
+ ')
+
+ optional_policy(`
-+ kerberos_use($1_t)
++ kerberos_use($1_usertype)
+ ')
+
+ optional_policy(`
-+ mta_dontaudit_read_spool_symlinks($1_t)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
+ ')
+
+ optional_policy(`
-+ quota_dontaudit_getattr_db($1_t)
++ quota_dontaudit_getattr_db($1_usertype)
+ ')
+
+ optional_policy(`
-+ rpm_read_db($1_t)
-+ rpm_dontaudit_manage_db($1_t)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
+ ')
+')
+
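Review bot: Moving these rules from `$1_t` to the `$1_usertype` attribute also widens every dontaudit line in this block (`kernel_dontaudit_read_system_state`, `domain_dontaudit_exec_all_entry_files`, `init_dontaudit_rw_utmp` and the others) to every type that carries the attribute, so denials from any of those domains stop reaching the audit log. The allow-side calls such as `libs_exec_lib_files($1_usertype)` and `rpm_read_db($1_usertype)` widen in the same way. I would keep the dontaudit rules on `$1_t` until each is shown to be noise for the other member types, or at least add a comment above the block such as `# granted to every $1_usertype member, not only $1_t`. `auth_dontaudit_write_login_records($1_t)` on the first added line stays on `$1_t`; if that is deliberate it deserves a short comment. The enclosing template starts above this hunk, so its name and gen_require are not visible here.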
@@ -13552,7 +13895,7 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1046,51 @@
+@@ -977,23 +1047,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@@ -13615,7 +13958,7 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1126,7 @@
+@@ -1029,15 +1127,7 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -13632,7 +13975,7 @@
')
optional_policy(`
-@@ -1054,17 +1143,6 @@
+@@ -1054,17 +1144,6 @@
setroubleshoot_stream_connect($1_t)
')
@@ -13650,7 +13993,7 @@
')
#######################################
-@@ -1102,6 +1180,8 @@
+@@ -1102,6 +1181,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@@ -13659,7 +14002,7 @@
##############################
#
# Declarations
-@@ -1127,7 +1207,7 @@
+@@ -1127,7 +1208,7 @@
# $1_t local policy
#
@@ -13668,7 +14011,7 @@
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
-@@ -1139,7 +1219,11 @@
+@@ -1139,7 +1220,11 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -13681,7 +14024,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1902,6 +1986,41 @@
+@@ -1902,6 +1987,41 @@
########################################
## <summary>
@@ -13723,7 +14066,7 @@
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -3078,7 +3197,7 @@
+@@ -3078,7 +3198,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -13732,7 +14075,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4734,24 @@
+@@ -4615,6 +4735,24 @@
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
@@ -13757,7 +14100,7 @@
########################################
## <summary>
-@@ -4633,6 +4770,14 @@
+@@ -4633,6 +4771,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -13772,7 +14115,7 @@
')
########################################
-@@ -5323,7 +5468,7 @@
+@@ -5323,7 +5469,7 @@
attribute user_tmpfile;
')
@@ -13781,7 +14124,7 @@
')
########################################
-@@ -5559,3 +5704,336 @@
+@@ -5559,3 +5705,372 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -13977,31 +14320,35 @@
+
+userdom_xwindows_client_template($1)
+
-+logging_send_syslog_msg($1_t)
++logging_send_syslog_msg($1_usertype)
+
+optional_policy(`
-+ alsa_read_rw_config($1_t)
++ alsa_read_rw_config($1_usertype)
+')
+
+authlogin_per_role_template($1, $1_t, $1_r)
+
-+auth_search_pam_console_data($1_t)
++auth_search_pam_console_data($1_usertype)
+
-+dev_read_sound($1_t)
-+dev_write_sound($1_t)
++dev_read_sound($1_usertype)
++dev_write_sound($1_usertype)
+
+optional_policy(`
-+ dbus_per_role_template($1, $1_t, $1_r)
-+ dbus_system_bus_client_template($1, $1_t)
-+ allow $1_t self:dbus send_msg;
++ dbus_per_role_template($1, $1_usertype, $1_r)
++ dbus_system_bus_client_template($1, $1_usertype)
++ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
-+ cups_dbus_chat($1_t)
++ cups_dbus_chat($1_usertype)
+ ')
+
+')
+
+optional_policy(`
++ consolekit_dontaudit_dbus_chat($1_usertype)
++')
++
++optional_policy(`
+ java_per_role_template($1, $1_t, $1_r)
+')
+
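Review bot: `allow $1_usertype $1_usertype:dbus send_msg;` grants more than the `allow $1_t self:dbus send_msg;` it replaces, because with an attribute on both sides every member type may send D-Bus messages to every other member type, not only to itself. If the intent is only to extend the old rule to all member types, `allow $1_usertype self:dbus send_msg;` keeps the per-type restriction. If cross-type messaging inside the role is wanted, a comment saying so would help the next reviewer. `authlogin_per_role_template` and `java_per_role_template` still receive `$1_t`, which looks intentional but is not explained. The enclosing template begins outside this hunk.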
@@ -14010,11 +14357,15 @@
+')
+
+optional_policy(`
-+ setroubleshoot_dontaudit_stream_connect($1_t)
++ networkmanager_dontaudit_dbus_chat($1_usertype)
++')
++
++optional_policy(`
++ setroubleshoot_dontaudit_stream_connect($1_usertype)
+')
+
+# gnome keyring wants to read this. Needs to be exlicitly granted
-+dev_dontaudit_read_rand($1_t)
++dev_dontaudit_read_rand($1_usertype)
+
+')
+
@@ -14118,6 +14469,34 @@
+ allow $1 userdomain:process rlimitinh;
+')
+
++########################################
++## <summary>
++## Define this type as a Allow apps to set rlimits on userdomain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`userdom_unpriv_usertype',`
++ gen_require(`
++ attribute unpriv_userdomain, userdomain;
++ ')
++ typeattribute $2 $1_usertype, unpriv_userdomain, userdomain;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-09-17 16:20:18.000000000 -0400
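Review bot: The documentation for the new `userdom_unpriv_usertype` template does not match its body. The body uses `$1` as the user-domain prefix (`$1_usertype`) and `$2` as the type being tagged, while the header lists `domain` first, `userdomain_prefix` second and then a duplicate `domain` parameter. The summary `Define this type as a Allow apps to set rlimits on userdomain` also reads as a leftover from the interface above it. I would reduce the header to two params in call order, `userdomain_prefix` then `type`, with a summary such as `Add the type to the per-role usertype and unprivileged user domain attributes`. The `gen_require` also names only `unpriv_userdomain` and `userdomain`; unless `$1_usertype` is guaranteed to be declared by the caller, it probably needs `attribute $1_usertype;` as well.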
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.524
retrieving revision 1.525
diff -u -r1.524 -r1.525
--- selinux-policy.spec 19 Sep 2007 17:40:59 -0000 1.524
+++ selinux-policy.spec 20 Sep 2007 14:39:14 -0000 1.525
@@ -288,7 +288,7 @@
semodule -s targeted -r moilscanner 2>/dev/null
%loadpolicy targeted
%relabel targeted
-if [ $1 = 0 ]; then
+if [ $1 = 1 ]; then
semanage login -m -s "system_u" __default__ 2> /dev/null
semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u
semanage user -a -P guest -R guest_r guest_u
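Review bot: With `if [ $1 = 1 ]` the SELinux login mapping and the `semanage user -a` calls run on a first install only, and nothing visible here covers a system upgrading from a build where the old `$1 = 0` test presumably never matched in this scriptlet. Such a system would keep running without `unconfined_u` and `guest_u` and without the `__default__` remap. It is worth confirming that upgrades are handled elsewhere and saying so in a comment above the test, for example `# first install only; upgrades keep their existing SELinux user mappings`. The stderr of `semanage login -m` is also discarded, so a failed remap is silent, and quoting the argument as `"$1"` would be safer. The `if` body continues past the end of the hunk.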