rpms/selinux-policy/devel policy-20071130.patch, 1.60, 1.61 selinux-policy.spec, 1.606, 1.607

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Feb 13 21:43:21 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24615

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.7-5
- Add additional login users interfaces
  -     userdom_admin_login_user_template(staff)


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -r1.60 -r1.61
--- policy-20071130.patch	12 Feb 2008 18:41:35 -0000	1.60
+++ policy-20071130.patch	13 Feb 2008 21:43:16 -0000	1.61
@@ -1682,8 +1682,16 @@
  /usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.7/policy/modules/apps/ethereal.if
 --- nsaserefpolicy/policy/modules/apps/ethereal.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/ethereal.if	2008-02-06 11:02:29.000000000 -0500
-@@ -48,12 +48,10 @@
++++ serefpolicy-3.2.7/policy/modules/apps/ethereal.if	2008-02-13 16:34:13.000000000 -0500
+@@ -35,6 +35,7 @@
+ template(`ethereal_per_role_template',`
+ 
+ 	gen_require(`
++		type user_ethereal_home_t, user_ethereal_tmp_t;
+ 		type ethereal_exec_t;
+ 	')
+ 
+@@ -48,12 +49,10 @@
  	application_domain($1_ethereal_t,ethereal_exec_t)
  	role $3 types $1_ethereal_t;
  
@@ -1700,7 +1708,18 @@
  
  	type $1_ethereal_tmpfs_t;
  	files_tmpfs_file($1_ethereal_tmpfs_t)
-@@ -163,17 +161,6 @@
+@@ -152,28 +151,11 @@
+ 		nscd_socket_use($1_ethereal_t)
+ 	')
+ 
+-	# Manual transition from userhelper 
+-	optional_policy(`
+-		userhelper_use_user_fd($1,$1_ethereal_t)
+-		userhelper_sigchld_user($1,$1_ethereal_t)
+-	')
+-
+ 	optional_policy(`
+ 		xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
  		xserver_create_xdm_tmp_sockets($1_ethereal_t)
  	')
  	
@@ -1718,6 +1737,25 @@
  ')
  
  #######################################
+@@ -200,7 +182,7 @@
+ #
+ template(`ethereal_admin_template',`
+ 	gen_require(`
+-		type $1_ethereal_t;
++		type ethereal_exec_t;
+ 	')
+ 
+ 	# Create various types of sockets
+@@ -242,7 +224,8 @@
+ #
+ template(`ethereal_domtrans_user_ethereal',`
+ 	gen_require(`
+-		type $1_ethereal_t, ethereal_exec_t;
++		type ethereal_exec_t;
++		type $1_ethereal_t;
+ 	')
+ 
+ 	domtrans_pattern($2,ethereal_exec_t,$1_ethereal_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.7/policy/modules/apps/ethereal.te
 --- nsaserefpolicy/policy/modules/apps/ethereal.te	2007-12-19 05:32:09.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/apps/ethereal.te	2008-02-06 11:02:29.000000000 -0500
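Review bot: The gen_require of ethereal_admin_template now declares only `type ethereal_exec_t;` and drops `$1_ethereal_t`, but the template body lies outside the hunk, and if it still writes rules on `$1_ethereal_t` (as an admin template for that domain normally would) the module will no longer build or link without that require. The same substitution is made in userhelper_sigchld_user later in this patch, where the body visibly still uses `$1_userhelper_t`. If the per-role domain is meant to stay, the line should read `type $1_ethereal_t, ethereal_exec_t;`; if the ethereal domains are being consolidated, the body needs updating in the same change.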
@@ -2704,8 +2742,16 @@
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.7/policy/modules/apps/irc.if
 --- nsaserefpolicy/policy/modules/apps/irc.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/irc.if	2008-02-06 11:02:29.000000000 -0500
-@@ -50,12 +50,11 @@
++++ serefpolicy-3.2.7/policy/modules/apps/irc.if	2008-02-13 16:34:23.000000000 -0500
+@@ -35,6 +35,7 @@
+ template(`irc_per_role_template',`
+ 	gen_require(`
+ 		type irc_exec_t;
++		type user_irc_home_t, user_irc_tmp_t;
+ 	')
+ 
+ 	########################################
+@@ -50,12 +51,11 @@
  	userdom_user_home_content($1,$1_irc_exec_t)
  	application_domain($1_irc_t,$1_irc_exec_t)
  
@@ -2722,7 +2768,7 @@
  	########################################
  	#
  	# Local policy
-@@ -65,18 +64,18 @@
+@@ -65,18 +65,18 @@
  	allow $1_irc_t self:tcp_socket create_socket_perms;
  	allow $1_irc_t self:udp_socket create_socket_perms;
  
@@ -3706,7 +3752,7 @@
 +HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:user_mplayer_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.7/policy/modules/apps/mplayer.if
 --- nsaserefpolicy/policy/modules/apps/mplayer.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/mplayer.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/mplayer.if	2008-02-13 16:34:09.000000000 -0500
 @@ -35,6 +35,7 @@
  template(`mplayer_per_role_template',`
  	gen_require(`
@@ -3773,7 +3819,18 @@
  
  	# domain transition
  	domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
-@@ -503,8 +504,8 @@
+@@ -470,7 +471,9 @@
+ #
+ template(`mplayer_domtrans_user_mplayer',`
+ 	gen_require(`
+-		type $1_mplayer_t, mplayer_exec_t;
++		type mplayer_exec_t;
++		type $1_mplayer_t;
++
+ 	')
+ 
+ 	domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t)
+@@ -503,8 +506,8 @@
  #
  template(`mplayer_read_user_home_files',`
  	gen_require(`
@@ -3808,8 +3865,8 @@
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.7/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if	2008-02-08 14:05:36.000000000 -0500
-@@ -0,0 +1,337 @@
++++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if	2008-02-13 16:34:51.000000000 -0500
+@@ -0,0 +1,338 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -3960,6 +4017,7 @@
 +		type nsplugin_t;
 +		type nsplugin_config_t;
 +		type nsplugin_rw_t;
++		type $1_tmpfs_t;
 +	')
 +	nsplugin_domtrans($2)
 +
@@ -4298,8 +4356,16 @@
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.7/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/screen.if	2008-02-06 11:02:29.000000000 -0500
-@@ -50,8 +50,9 @@
++++ serefpolicy-3.2.7/policy/modules/apps/screen.if	2008-02-13 16:34:38.000000000 -0500
+@@ -35,6 +35,7 @@
+ template(`screen_per_role_template',`
+ 	gen_require(`
+ 		type screen_dir_t, screen_exec_t;
++		type user_screen_ro_home_t;
+ 	')
+ 
+ 	########################################
+@@ -50,8 +51,9 @@
  	type $1_screen_tmp_t;
  	files_tmp_file($1_screen_tmp_t)
  
@@ -4311,7 +4377,7 @@
  
  	type $1_screen_var_run_t;
  	files_pid_file($1_screen_var_run_t)
-@@ -81,9 +82,9 @@
+@@ -81,9 +83,9 @@
  	filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
  	files_pid_filetrans($1_screen_t,screen_dir_t,dir)
  
@@ -4324,7 +4390,7 @@
  
  	allow $1_screen_t $2:process signal;
  
-@@ -91,12 +92,12 @@
+@@ -91,12 +93,12 @@
  	allow $2 $1_screen_t:process signal;
  	allow $1_screen_t $2:process signal;
  
@@ -4437,8 +4503,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.7/policy/modules/apps/tvtime.if
 --- nsaserefpolicy/policy/modules/apps/tvtime.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/tvtime.if	2008-02-06 11:02:29.000000000 -0500
-@@ -46,12 +46,10 @@
++++ serefpolicy-3.2.7/policy/modules/apps/tvtime.if	2008-02-13 16:34:04.000000000 -0500
+@@ -35,6 +35,7 @@
+ template(`tvtime_per_role_template',`
+ 	gen_require(`
+ 		type tvtime_exec_t;
++		type user_tvtime_home_t, user_tvtime_tmp_t;
+ 	')
+ 
+ 	########################################
+@@ -46,12 +47,10 @@
  	application_domain($1_tvtime_t,tvtime_exec_t)
  	role $3 types $1_tvtime_t;
  
@@ -4455,7 +4529,7 @@
  
  	type $1_tvtime_tmpfs_t;
  	files_tmpfs_file($1_tvtime_tmpfs_t)
-@@ -67,14 +65,14 @@
+@@ -67,14 +66,14 @@
  	allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
  
  	# X access, Home files
@@ -4478,7 +4552,7 @@
  
  	manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
  	manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
-@@ -86,12 +84,12 @@
+@@ -86,12 +85,12 @@
  	domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
  
  	# X access, Home files
@@ -4524,7 +4598,7 @@
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.7/policy/modules/apps/userhelper.if
 --- nsaserefpolicy/policy/modules/apps/userhelper.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/userhelper.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/userhelper.if	2008-02-13 16:33:49.000000000 -0500
 @@ -181,24 +181,6 @@
  		nscd_socket_use($1_userhelper_t)
  	')
@@ -4550,9 +4624,48 @@
  ')
  
  ########################################
+@@ -240,29 +222,6 @@
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to use userhelper file descriptor.
+-## </summary>
+-## <param name="prefix">
+-##	<summary>
+-##	The prefix of the domain, example user is the prefix of user_t.
+-##	</summary>
+-## </param>
+-## <param name="domain">
+-##	<summary>
+-##      Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-template(`userhelper_use_user_fd',`
+-	gen_require(`
+-		type $1_userhelper_t;
+-	')
+-
+-	allow $2 $1_userhelper_t:fd use;
+-')
+-
+-########################################
+-## <summary>
+ ##	Allow domain to send sigchld to userhelper.
+ ## </summary>
+ ## <param name="prefix">
+@@ -278,7 +237,7 @@
+ #
+ template(`userhelper_sigchld_user',`
+ 	gen_require(`
+-		type $1_userhelper_t;
++		type userhelper_exec_t;
+ 	')
+ 
+ 	allow $2 $1_userhelper_t:process sigchld;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.7/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc	2008-02-11 17:52:05.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc	2008-02-13 09:52:21.000000000 -0500
 @@ -1,9 +1,9 @@
  #
  # HOME_DIR/
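Review bot: userhelper_sigchld_user's gen_require is changed to `type userhelper_exec_t;` while its body, on the last line of that hunk, still reads `allow $2 $1_userhelper_t:process sigchld;`, so the type the rule uses is no longer required and the type that is required is unused. Either keep `type $1_userhelper_t;` in the require, or, if userhelper is being moved to a single userhelper_t domain, change the body to match. The removal of userhelper_use_user_fd above is consistent with the ethereal caller dropped earlier in this patch, so that part looks intentional.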
@@ -4599,8 +4712,8 @@
 +/var/log/vmware.* 	--	gen_context(system_u:object_r:vmware_log_t,s0)
 +/var/run/vmnat.* 	-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 +/var/run/vmware.* 		gen_context(system_u:object_r:vmware_var_run_t,s0)
-+/usr/lib/vmware-tools/sbin32/vmware.*	--	gen_context(system_u:object_r:vmware_exec_t,s0)
-+/usr/lib/vmware-tools/sbin64/vmware.*	--	gen_context(system_u:object_r:vmware_exec_t,s0)
++/usr/lib/vmware-tools/sbin32/vmware.*	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
++/usr/lib/vmware-tools/sbin64/vmware.*	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.7/policy/modules/apps/vmware.if
 --- nsaserefpolicy/policy/modules/apps/vmware.if	2007-02-19 11:32:52.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/apps/vmware.if	2008-02-06 11:02:29.000000000 -0500
@@ -4629,7 +4742,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.7/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/vmware.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/vmware.te	2008-02-13 16:42:06.000000000 -0500
 @@ -22,17 +22,21 @@
  type vmware_var_run_t;
  files_pid_file(vmware_var_run_t)
@@ -4674,17 +4787,27 @@
  dev_rw_vmware(vmware_host_t)
  
  domain_use_interactive_fds(vmware_host_t)
-@@ -99,6 +109,10 @@
+@@ -99,14 +109,12 @@
  ')
  netutils_domtrans_ping(vmware_host_t)
  
+-ifdef(`TODO',`
+-# VMWare need access to pcmcia devices for network
+ optional_policy(`
+-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
++	unconfined_domain(vmware_host_t)
+ ')
+-# Vmware create network devices
+-allow kernel_t self:capability net_admin;
+-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+-allow kernel_t self:socket create;
++
 +optional_policy(`
 +	xserver_xdm_rw_shm(vmware_host_t)
-+')
+ ')
++
 +
- ifdef(`TODO',`
- # VMWare need access to pcmcia devices for network
- optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.7/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2007-09-12 10:34:17.000000000 -0400
 +++ serefpolicy-3.2.7/policy/modules/apps/wine.if	2008-02-06 11:02:29.000000000 -0500
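Review bot: `unconfined_domain(vmware_host_t)` is now applied whenever the unconfined module is loaded, with no tunable gating it, so vmware_host_t stops being a confined domain on a default install; the vmware.fc hunk earlier in this patch also relabels the vmware-tools sbin32/sbin64 binaries to vmware_host_exec_t, which appear to be guest-side tools and would inherit the same treatment. If this is a workaround for the network-device and pcmcia access that the removed TODO block described, it deserves a comment saying so and, preferably, a boolean in the style of allow_unconfined_qemu_transition used later in this patch so administrators can opt back into confinement. A comment such as `# vmware_host_t is unconfined until the network-device and pcmcia access it needs is written as explicit policy` would at least record the trade-off.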
@@ -5305,7 +5428,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.7/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/devices.if	2008-02-07 11:04:37.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/devices.if	2008-02-13 09:09:19.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -7971,7 +8094,16 @@
 +/etc/rc.d/init.d/pand	--	gen_context(system_u:object_r:bluetooth_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.2.7/policy/modules/services/bluetooth.if
 --- nsaserefpolicy/policy/modules/services/bluetooth.if	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if	2008-02-07 13:14:54.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if	2008-02-13 15:16:10.000000000 -0500
+@@ -35,7 +35,7 @@
+ template(`bluetooth_per_role_template',`
+ 	gen_require(`
+ 		attribute bluetooth_helper_domain;
+-		type bluetooth_helper_exec_t;
++		type bluetooth_helper_exec_t, bluetooth_t;
+ 	')
+ 
+ 	type $1_bluetooth_t, bluetooth_helper_domain;
 @@ -226,3 +226,88 @@
  	dontaudit $1 bluetooth_helper_domain:dir search;
  	dontaudit $1 bluetooth_helper_domain:file { read getattr };
@@ -12056,7 +12188,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.7/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/hal.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/hal.te	2008-02-13 09:08:25.000000000 -0500
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -12124,7 +12256,15 @@
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
  allow hald_t hald_acl_t:process signal;
-@@ -325,6 +339,11 @@
+@@ -304,6 +318,7 @@
+ corecmd_exec_bin(hald_acl_t)
+ 
+ dev_getattr_all_chr_files(hald_acl_t)
++dev_setattr_all_chr_files(hald_acl_t)
+ dev_getattr_generic_usb_dev(hald_acl_t)
+ dev_getattr_video_dev(hald_acl_t)
+ dev_setattr_video_dev(hald_acl_t)
+@@ -325,6 +340,11 @@
  
  miscfiles_read_localization(hald_acl_t)
  
@@ -12136,7 +12276,7 @@
  ########################################
  #
  # Local hald mac policy
-@@ -338,10 +357,14 @@
+@@ -338,10 +358,14 @@
  manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
@@ -12151,7 +12291,7 @@
  libs_use_ld_so(hald_mac_t)
  libs_use_shared_libs(hald_mac_t)
  
-@@ -391,3 +414,7 @@
+@@ -391,3 +415,7 @@
  libs_use_shared_libs(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
@@ -19401,19 +19541,22 @@
 +/etc/rc.d/init.d/spamd	--	gen_context(system_u:object_r:spamd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.7/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if	2008-02-07 12:12:50.000000000 -0500
-@@ -37,7 +37,9 @@
- 
++++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if	2008-02-13 16:33:07.000000000 -0500
+@@ -34,10 +34,11 @@
+ # cjp: when tunables are available, spamc stuff should be
+ # toggled on activation of spamc, and similarly for spamd.
+ template(`spamassassin_per_role_template',`
+-
  	gen_require(`
  		type spamc_exec_t, spamassassin_exec_t;
 -		type spamd_t, spamd_tmp_t;
-+		type spamc_t, spamd_t, spamd_tmp_t;
-+		type user_spamassissin_home_t, user_spamassissin_tmp_t;
++		type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t;
++		type user_spamassassin_home_t, user_spamassassin_tmp_t;
 +		type user_spamc_tmp_t;
  	')
  
  	##############################
-@@ -45,278 +47,28 @@
+@@ -45,278 +46,28 @@
  	# Declarations
  	#
  
@@ -19431,14 +19574,10 @@
 -	type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
 -	userdom_user_home_content($1,$1_spamassassin_home_t)
 -	files_poly_member($1_spamassassin_home_t)
-+	typealias  spamc_t alias $1_spamc_t;
-+	role $3 types spamc_t;
- 
+-
 -	type $1_spamassassin_tmp_t;
 -	files_tmp_file($1_spamassassin_tmp_t)
-+	typealias  spamassassin_t alias $1_spamassassin_t;
-+	role $3 types spamassassin_t;
- 
+-
 -	##############################
 -	#
 -	# $1_spamc_t local policy
@@ -19603,17 +19742,19 @@
 -	corecmd_read_bin_sockets($1_spamassassin_t)
 -
 -	domain_use_interactive_fds($1_spamassassin_t)
--
++	typealias  spamc_t alias $1_spamc_t;
++	role $3 types spamc_t;
+ 
 -	files_read_etc_files($1_spamassassin_t)
 -	files_read_etc_runtime_files($1_spamassassin_t)
 -	files_list_home($1_spamassassin_t)
 -	files_read_usr_files($1_spamassassin_t)
 -	files_dontaudit_search_var($1_spamassassin_t)
--
++	typealias  spamassassin_t alias $1_spamassassin_t;
++	role $3 types spamassassin_t;
+ 
 -	libs_use_ld_so($1_spamassassin_t)
 -	libs_use_shared_libs($1_spamassassin_t)
--
--	logging_send_syslog_msg($1_spamassassin_t)
 +	ifelse(`$1',`user',`',`
 +		typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
 +		typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
@@ -19627,10 +19768,12 @@
 +	relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
  
--	miscfiles_read_localization($1_spamassassin_t)
+-	logging_send_syslog_msg($1_spamassassin_t)
 +	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
 +	domtrans_pattern($2, spamc_exec_t, spamc_t)
  
+-	miscfiles_read_localization($1_spamassassin_t)
+-
 -	# cjp: this could probably be removed
 -	seutil_read_config($1_spamassassin_t)
 -
@@ -19710,7 +19853,7 @@
  ')
  
  ########################################
-@@ -370,7 +122,7 @@
+@@ -370,7 +121,7 @@
  #
  interface(`spamassassin_exec_spamd',`
  	gen_require(`
@@ -19719,7 +19862,7 @@
  	')
  
  	can_exec($1,spamd_exec_t)
-@@ -398,11 +150,65 @@
+@@ -398,11 +149,65 @@
  ## </param>
  #
  template(`spamassassin_domtrans_user_client',`
@@ -19743,12 +19886,10 @@
 +## </param>
 +#
 +interface(`spamassassin_domtrans_spamc',`
- 	gen_require(`
--		type $1_spamc_t, spamc_exec_t;
++	gen_require(`
 +		type spamc_t, spamc_exec_t;
- 	')
- 
--	domtrans_pattern($2,spamc_exec_t,$1_spamc_t)
++	')
++
 +	domtrans_pattern($1,spamc_exec_t,spamc_t)
 +')
 +
@@ -19778,16 +19919,18 @@
 +## </param>
 +#
 +template(`spamassassin_read_user_home_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type $1_spamc_t, spamc_exec_t;
 +		type user_spamassassin_home_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2,spamc_exec_t,$1_spamc_t)
 +	allow $1 user_spamassassin_home_t:dir list_dir_perms;
 +	allow $1 user_spamassassin_home_t:file read_file_perms;
  ')
  
  ########################################
-@@ -446,11 +252,31 @@
+@@ -446,11 +251,31 @@
  ## </param>
  #
  template(`spamassassin_domtrans_user_local_client',`
@@ -19821,7 +19964,7 @@
  ')
  
  ########################################
-@@ -469,6 +295,7 @@
+@@ -469,6 +294,7 @@
  	')
  
  	files_search_var_lib($1)
@@ -19829,7 +19972,7 @@
  	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
  ')
  
-@@ -528,3 +355,133 @@
+@@ -528,3 +354,133 @@
  
  	dontaudit $1 spamd_tmp_t:sock_file getattr;
  ')
@@ -21129,7 +21272,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.7/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/xserver.if	2008-02-12 12:15:41.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/xserver.if	2008-02-13 15:23:35.000000000 -0500
 @@ -15,6 +15,7 @@
  template(`xserver_common_domain_template',`
  	gen_require(`
@@ -21226,9 +21369,7 @@
 -
 -	type $1_fonts_config_t, fonts_config_type;
 -	userdom_user_home_content($1,$1_fonts_cache_t)
-+	typealias xauth_t alias $1_xauth_t;
-+	role $3 types xauth_t;
- 
+-
 -	type $1_iceauth_t;
 -	domain_type($1_iceauth_t)
 -	domain_entry_file($1_iceauth_t,iceauth_exec_t)
@@ -21246,7 +21387,9 @@
 -	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
 -	files_poly_member($1_xauth_home_t)
 -	userdom_user_home_content($1,$1_xauth_home_t)
--
++	typealias xauth_t alias $1_xauth_t;
++	role $3 types xauth_t;
+ 
 -	type $1_xauth_tmp_t;
 -	files_tmp_file($1_xauth_tmp_t)
 +	typealias iceauth_t alias $1_iceauth_t;
@@ -21327,24 +21470,24 @@
 -
 -	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
--
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
+ 
 -	manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
 -
 -	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-+	domtrans_pattern($2, xauth_exec_t, xauth_t)
- 
+-
 -	allow $2 $1_xauth_t:process signal;
 +	allow $2 xauth_t:process signal;
  
  	# allow ps to show xauth
 -	ps_process_pattern($2,$1_xauth_t)
-+	ps_process_pattern($2,xauth_t)
- 
+-
 -	allow $2 $1_xauth_home_t:file manage_file_perms;
 -	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
--
++	ps_process_pattern($2,xauth_t)
+ 
 -	allow xdm_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
 -
@@ -21401,20 +21544,20 @@
 -
 -	allow $2 $1_iceauth_home_t:file manage_file_perms;
 -	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
--
--	allow xdm_t $1_iceauth_home_t:file read_file_perms;
--
--	fs_search_auto_mountpoints($1_iceauth_t)
 +	ps_process_pattern($2,iceauth_t)
  
--	libs_use_ld_so($1_iceauth_t)
--	libs_use_shared_libs($1_iceauth_t)
+-	allow xdm_t $1_iceauth_home_t:file read_file_perms;
 +	allow $2 user_iceauth_home_t:file manage_file_perms;
 +	allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
  
--	userdom_use_user_terminals($1,$1_iceauth_t)
+-	fs_search_auto_mountpoints($1_iceauth_t)
 +	userdom_use_user_terminals($1,iceauth_t)
  
+-	libs_use_ld_so($1_iceauth_t)
+-	libs_use_shared_libs($1_iceauth_t)
+-
+-	userdom_use_user_terminals($1,$1_iceauth_t)
+-
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_manage_nfs_files($1_iceauth_t)
 -	')
@@ -21606,9 +21749,8 @@
 +template(`xserver_read_user_xauth',`
 +	gen_require(`
 +		type user_xauth_home_t;
- 	')
- 
--	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++	')
++
 +	allow $2 user_xauth_home_t:file { getattr read };
 +')
 +
@@ -21640,8 +21782,9 @@
 +template(`xserver_read_user_iceauth',`
 +	gen_require(`
 +		type user_iceauth_home_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	# Read .Iceauthority file
 +	allow $2 user_iceauth_home_t:file { getattr read };
  ')
@@ -21703,31 +21846,32 @@
  ')
  
  ########################################
-@@ -937,7 +1004,7 @@
+@@ -955,6 +1022,24 @@
  
  ########################################
  ## <summary>
--##      Read XDM var lib files.
 +##      dontaudit search of XDM var lib directories.
- ## </summary>
- ## <param name="domain">
- ##      <summary>
-@@ -945,12 +1012,12 @@
- ##      </summary>
- ## </param>
- #
--interface(`xserver_read_xdm_lib_files',`
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
 +interface(`xserver_dontaudit_xdm_lib_search',`
- 	gen_require(`
- 		type xdm_var_lib_t;
- 	')
- 
--	allow $1 xdm_var_lib_t:file { getattr read };
++	gen_require(`
++		type xdm_var_lib_t;
++	')
++
 +	dontaudit $1 xdm_var_lib_t:dir search_dir_perms;
- ')
- 
- ########################################
-@@ -965,15 +1032,47 @@
++')
++
++########################################
++## <summary>
+ ##	Execute the X server in the XDM X server domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -965,15 +1050,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -21776,7 +21920,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1222,7 @@
+@@ -1123,7 +1240,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -21785,7 +21929,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1411,63 @@
+@@ -1312,3 +1429,65 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -21849,6 +21993,8 @@
 +	allow $1 xdm_t:process ptrace;
 +')
 +
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/services/xserver.te	2008-02-12 13:25:46.000000000 -0500
@@ -24425,8 +24571,8 @@
 +/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.2.7/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/qemu.if	2008-02-07 10:20:14.000000000 -0500
-@@ -0,0 +1,151 @@
++++ serefpolicy-3.2.7/policy/modules/system/qemu.if	2008-02-13 16:31:33.000000000 -0500
+@@ -0,0 +1,202 @@
 +
 +## <summary>policy for qemu</summary>
 +
@@ -24561,6 +24707,7 @@
 +	qemu_domtrans($1)
 +	allow qemu_t $3:chr_file rw_file_perms;
 +')
++
 +########################################
 +## <summary>
 +##	Execute qemu programs in the qemu domain.
@@ -24578,10 +24725,60 @@
 +	role $1 types qemu_t;
 +')
 +
++
++########################################
++## <summary>
++##	Execute a domain transition to run qemu.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`qemu_domtrans_unconfined',`
++	gen_require(`
++		type qemu_unconfined_t;
++                type qemu_exec_t;
++	')
++
++	domtrans_pattern($1,qemu_exec_t,qemu_unconfined_t)
++')
++
++########################################
++## <summary>
++##	Execute qemu programs in the qemu unconfined domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to allow the PAM domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the terminal allow the PAM domain to use.
++##	</summary>
++## </param>
++#
++interface(`qemu_run_unconfined',`
++	gen_require(`
++		type qemu_unconfined_t;
++	')
++
++	qemu_domtrans_unconfined($1)
++	role $2 types qemu_unconfined_t;
++	allow qemu_unconfined_t $3:chr_file rw_file_perms;
++')
++
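Review bot: The parameter docs of qemu_run_unconfined are copied from a PAM interface — `The role to allow the PAM domain.` and `The type of the terminal allow the PAM domain to use.` — and should describe the qemu unconfined domain instead, e.g. `The role to allow the qemu unconfined domain.` and `The type of the terminal to allow the qemu unconfined domain to use.` The summary of qemu_domtrans_unconfined, `Execute a domain transition to run qemu.`, also hides that the target is an unconfined domain; callers should be told that granting this interface amounts to granting unconfined execution of qemu_exec_t. Minor style: `                type qemu_exec_t;` in that gen_require is indented with spaces while the rest of the file uses tabs.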
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.7/policy/modules/system/qemu.te
 --- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/qemu.te	2008-02-06 11:02:30.000000000 -0500
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.2.7/policy/modules/system/qemu.te	2008-02-13 16:26:38.000000000 -0500
+@@ -0,0 +1,66 @@
 +policy_module(qemu,1.0.0)
 +
 +########################################
@@ -24594,6 +24791,9 @@
 +application_domain(qemu_t, qemu_exec_t)
 +role system_r types qemu_t;
 +
++type qemu_unconfined_t;
++domain_type(qemu_unconfined_t)
++
 +########################################
 +#
 +# qemu local policy
@@ -24642,6 +24842,9 @@
 +
 +miscfiles_read_localization(qemu_t)
 +
++allow qemu_unconfined_t self:process { execstack execmem };
++unconfined_domain_noaudit(qemu_unconfined_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.7/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/system/raid.te	2008-02-06 11:02:30.000000000 -0500
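Review bot: `unconfined_domain_noaudit(qemu_unconfined_t)` is called at the top level of qemu.te rather than inside `optional_policy(`...')`, so the qemu module now hard-depends on the unconfined module; as far as I can tell from the hunk, a policy built without unconfined would fail to link on that call. Wrapping the two new lines in optional_policy, as the vmware.te hunk in this patch does for unconfined_domain, keeps qemu loadable on installs that drop the unconfined module. A short comment naming why an unconfined qemu variant exists (e.g. `# qemu_unconfined_t: used when allow_unconfined_qemu_transition is off`) would also help, since the type is declared in an earlier hunk with no explanation.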
@@ -25797,8 +26000,8 @@
 +	allow $1 unconfined_t:process getpgid;
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.7/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/unconfined.te	2008-02-07 10:19:49.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/unconfined.te	2008-02-13 16:32:11.000000000 -0500
 @@ -6,35 +6,66 @@
  # Declarations
  #
@@ -25979,7 +26182,7 @@
  	oddjob_domtrans_mkhomedir(unconfined_t)
  ')
  
-@@ -154,38 +200,34 @@
+@@ -154,38 +200,36 @@
  ')
  
  optional_policy(`
@@ -25998,6 +26201,8 @@
 -	rpc_domtrans_nfsd(unconfined_t)
 +	tunable_policy(`allow_unconfined_qemu_transition', `
 +		qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	', `
++		qemu_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	')
 +	qemu_role(unconfined_r)
  ')
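Review bot: `qemu_run_unconfined(unconfined_t, unconfined_r, ...)` is invoked in the else-branch of `tunable_policy`, and that interface, as added in the qemu.if hunk of this patch, contains `role $2 types qemu_unconfined_t;`; role statements are not accepted inside conditional blocks by checkpolicy as far as I recall, so this is likely a build error. The role line should be hoisted out of the conditional, e.g. by adding it to qemu_role next to `role $1 types qemu_t;` and leaving only the domtrans and chr_file rules inside the tunable. Separately, the default value of allow_unconfined_qemu_transition is not in view; if it defaults to false, qemu launched from unconfined_t runs in qemu_unconfined_t by default, which is worth stating in the boolean's description.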
@@ -26028,7 +26233,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +247,30 @@
+@@ -205,11 +249,30 @@
  ')
  
  optional_policy(`
@@ -26061,7 +26266,7 @@
  ')
  
  ########################################
-@@ -219,14 +280,34 @@
+@@ -219,14 +282,34 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -26116,7 +26321,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/userdomain.if	2008-02-11 17:21:21.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/userdomain.if	2008-02-12 15:29:11.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -27181,7 +27386,7 @@
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1201,7 +1197,11 @@
+@@ -1201,7 +1197,23 @@
  	')
  
  	optional_policy(`
@@ -27191,10 +27396,22 @@
 +
 +	optional_policy(`
 +		polkit_per_role_template($1, $1_usertype, $1_r)
++	')
++
++	optional_policy(`
++		java_per_role_template($1, $1_t, $1_r)
++	')
++
++	optional_policy(`
++		mono_per_role_template($1, $1_t, $1_r)
++	')
++
++	optional_policy(`
++		gpg_per_role_template($1, $1_usertype, $1_r)
  	')
  ')
  
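Review bot: The new java and mono calls pass `$1_t` as the domain while the polkit and gpg calls beside them pass `$1_usertype`; unless java_per_role_template and mono_per_role_template specifically need a single type rather than the attribute, this inconsistency leaves the other members of $1_usertype unable to transition into the java and mono domains. If it is deliberate, a one-line comment such as `# java/mono templates take a type, not the $1_usertype attribute` would stop the next reader from "fixing" it. The enclosing template starts well before this hunk.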
-@@ -1278,8 +1278,6 @@
+@@ -1278,8 +1290,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -27203,7 +27420,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1357,13 +1355,6 @@
+@@ -1357,13 +1367,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -27217,7 +27434,7 @@
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1416,6 +1407,7 @@
+@@ -1416,6 +1419,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -27225,7 +27442,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1781,10 +1773,14 @@
+@@ -1781,10 +1785,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -27241,7 +27458,7 @@
  ')
  
  ########################################
-@@ -1880,11 +1876,11 @@
+@@ -1880,11 +1888,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -27255,7 +27472,7 @@
  ')
  
  ########################################
-@@ -1914,11 +1910,11 @@
+@@ -1914,11 +1922,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -27269,7 +27486,7 @@
  ')
  
  ########################################
-@@ -1962,12 +1958,12 @@
+@@ -1962,12 +1970,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -27285,7 +27502,7 @@
  ')
  
  ########################################
-@@ -1997,10 +1993,10 @@
+@@ -1997,10 +2005,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -27298,7 +27515,7 @@
  ')
  
  ########################################
-@@ -2032,11 +2028,47 @@
+@@ -2032,11 +2040,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -27348,7 +27565,7 @@
  ')
  
  ########################################
-@@ -2068,10 +2100,10 @@
+@@ -2068,10 +2112,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -27361,7 +27578,7 @@
  ')
  
  ########################################
-@@ -2101,11 +2133,11 @@
+@@ -2101,11 +2145,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -27375,7 +27592,7 @@
  ')
  
  ########################################
-@@ -2135,11 +2167,11 @@
+@@ -2135,11 +2179,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -27390,7 +27607,7 @@
  ')
  
  ########################################
-@@ -2169,10 +2201,14 @@
+@@ -2169,10 +2213,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -27407,7 +27624,7 @@
  ')
  
  ########################################
-@@ -2202,11 +2238,11 @@
+@@ -2202,11 +2250,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -27421,7 +27638,7 @@
  ')
  
  ########################################
-@@ -2236,11 +2272,11 @@
+@@ -2236,11 +2284,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -27435,7 +27652,7 @@
  ')
  
  ########################################
-@@ -2270,10 +2306,10 @@
+@@ -2270,10 +2318,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -27448,7 +27665,7 @@
  ')
  
  ########################################
-@@ -2305,12 +2341,12 @@
+@@ -2305,12 +2353,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -27464,7 +27681,7 @@
  ')
  
  ########################################
-@@ -2342,10 +2378,10 @@
+@@ -2342,10 +2390,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -27477,7 +27694,7 @@
  ')
  
  ########################################
-@@ -2377,12 +2413,12 @@
+@@ -2377,12 +2425,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -27493,7 +27710,7 @@
  ')
  
  ########################################
-@@ -2414,12 +2450,12 @@
+@@ -2414,12 +2462,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -27509,7 +27726,7 @@
  ')
  
  ########################################
-@@ -2451,12 +2487,12 @@
+@@ -2451,12 +2499,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -27525,7 +27742,7 @@
  ')
  
  ########################################
-@@ -2501,11 +2537,11 @@
+@@ -2501,11 +2549,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -27539,7 +27756,7 @@
  ')
  
  ########################################
-@@ -2550,11 +2586,11 @@
+@@ -2550,11 +2598,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -27553,7 +27770,7 @@
  ')
  
  ########################################
-@@ -2594,11 +2630,11 @@
+@@ -2594,11 +2642,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -27567,7 +27784,7 @@
  ')
  
  ########################################
-@@ -2628,11 +2664,11 @@
+@@ -2628,11 +2676,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -27581,7 +27798,7 @@
  ')
  
  ########################################
-@@ -2662,11 +2698,11 @@
+@@ -2662,11 +2710,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -27595,7 +27812,7 @@
  ')
  
  ########################################
-@@ -2698,10 +2734,10 @@
+@@ -2698,10 +2746,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -27608,7 +27825,7 @@
  ')
  
  ########################################
-@@ -2733,10 +2769,10 @@
+@@ -2733,10 +2781,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -27621,7 +27838,7 @@
  ')
  
  ########################################
-@@ -2766,12 +2802,12 @@
+@@ -2766,12 +2814,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -27637,7 +27854,7 @@
  ')
  
  ########################################
-@@ -2803,10 +2839,10 @@
+@@ -2803,10 +2851,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -27650,7 +27867,7 @@
  ')
  
  ########################################
-@@ -2838,10 +2874,48 @@
+@@ -2838,10 +2886,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -27701,7 +27918,7 @@
  ')
  
  ########################################
-@@ -2871,12 +2945,12 @@
+@@ -2871,12 +2957,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -27717,7 +27934,7 @@
  ')
  
  ########################################
-@@ -2908,10 +2982,10 @@
+@@ -2908,10 +2994,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -27730,7 +27947,7 @@
  ')
  
  ########################################
-@@ -2943,12 +3017,12 @@
+@@ -2943,12 +3029,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -27746,7 +27963,7 @@
  ')
  
  ########################################
-@@ -2980,11 +3054,11 @@
+@@ -2980,11 +3066,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -27760,7 +27977,7 @@
  ')
  
  ########################################
-@@ -3016,11 +3090,11 @@
+@@ -3016,11 +3102,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -27774,7 +27991,7 @@
  ')
  
  ########################################
-@@ -3052,11 +3126,11 @@
+@@ -3052,11 +3138,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -27788,7 +28005,7 @@
  ')
  
  ########################################
-@@ -3088,11 +3162,11 @@
+@@ -3088,11 +3174,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -27802,7 +28019,7 @@
  ')
  
  ########################################
-@@ -3124,11 +3198,11 @@
+@@ -3124,11 +3210,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -27816,7 +28033,7 @@
  ')
  
  ########################################
-@@ -3173,10 +3247,10 @@
+@@ -3173,10 +3259,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -27829,7 +28046,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3217,10 +3291,10 @@
+@@ -3217,10 +3303,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -27842,7 +28059,7 @@
  ')
  
  ########################################
-@@ -3248,6 +3322,42 @@
+@@ -3248,6 +3334,42 @@
  ##	</summary>
  ## </param>
  #
@@ -27885,7 +28102,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4225,11 +4335,11 @@
+@@ -4225,11 +4347,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -27899,7 +28116,7 @@
  ')
  
  ########################################
-@@ -4245,10 +4355,10 @@
+@@ -4245,10 +4367,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -27912,7 +28129,7 @@
  ')
  
  ########################################
-@@ -4264,11 +4374,11 @@
+@@ -4264,11 +4386,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -27926,7 +28143,7 @@
  ')
  
  ########################################
-@@ -4283,16 +4393,16 @@
+@@ -4283,16 +4405,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -27946,7 +28163,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4301,38 +4411,32 @@
+@@ -4301,18 +4423,33 @@
  ##	</summary>
  ## </param>
  #
@@ -27964,67 +28181,46 @@
  ########################################
  ## <summary>
 -##	Read files in the staff users home directory.
+-## </summary>
 +##	Do not audit attempts to append to the staff
 +##	users home directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_staff_home_content_files',`
--	gen_require(`
--		type staff_home_dir_t, staff_home_t;
--	')
--
--	files_search_home($1)
--	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
--	read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
--	read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
++##	</summary>
++## </param>
++#
 +interface(`userdom_dontaudit_append_staff_home_content_files',`
 +	userdom_dontaudit_append_unpriv_home_content_files($1)
- ')
- 
- ########################################
- ## <summary>
--##	Send a SIGCHLD signal to sysadm users.
++')
++
++########################################
++## <summary>
 +##	Read files in the staff users home directory.
- ## </summary>
++## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4340,7 +4444,28 @@
- ##	</summary>
- ## </param>
+ ##	Domain allowed access.
+@@ -4321,13 +4458,13 @@
  #
--interface(`userdom_sigchld_sysadm',`
-+interface(`userdom_read_staff_home_content_files',`
-+	gen_require(`
+ interface(`userdom_read_staff_home_content_files',`
+ 	gen_require(`
+-		type staff_home_dir_t, staff_home_t;
 +		type user_home_dir_t, user_home_t;
-+	')
-+
-+	files_search_home($1)
+ 	')
+ 
+ 	files_search_home($1)
+-	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
+-	read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
+-	read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
 +	allow $1 { user_home_dir_t user_home_t }:dir list_dir_perms;
 +	read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
 +	read_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Send a SIGCHLD signal to sysadm users.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_sigchld_sysadm',`
- 	gen_require(`
- 		type sysadm_t;
- 	')
-@@ -4525,10 +4650,10 @@
+ ')
+ 
+ ########################################
+@@ -4525,10 +4662,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -28037,7 +28233,7 @@
  ')
  
  ########################################
-@@ -4545,10 +4670,10 @@
+@@ -4545,10 +4682,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -28050,7 +28246,7 @@
  ')
  
  ########################################
-@@ -4563,10 +4688,10 @@
+@@ -4563,10 +4700,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -28063,7 +28259,7 @@
  ')
  
  ########################################
-@@ -4582,10 +4707,10 @@
+@@ -4582,10 +4719,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -28076,7 +28272,7 @@
  ')
  
  ########################################
-@@ -4600,10 +4725,10 @@
+@@ -4600,10 +4737,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -28089,7 +28285,7 @@
  ')
  
  ########################################
-@@ -4619,10 +4744,10 @@
+@@ -4619,10 +4756,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -28102,7 +28298,7 @@
  ')
  
  ########################################
-@@ -4638,12 +4763,11 @@
+@@ -4638,12 +4775,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -28118,7 +28314,7 @@
  ')
  
  ########################################
-@@ -4670,10 +4794,10 @@
+@@ -4670,10 +4806,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -28131,7 +28327,7 @@
  ')
  
  ########################################
-@@ -4688,10 +4812,10 @@
+@@ -4688,10 +4824,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -28144,7 +28340,7 @@
  ')
  
  ########################################
-@@ -4706,13 +4830,13 @@
+@@ -4706,13 +4842,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -28162,7 +28358,7 @@
  ')
  
  ########################################
-@@ -4748,11 +4872,49 @@
+@@ -4748,11 +4884,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -28213,7 +28409,7 @@
  ')
  
  ########################################
-@@ -4772,6 +4934,14 @@
+@@ -4772,6 +4946,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -28228,7 +28424,7 @@
  ')
  
  ########################################
-@@ -4833,6 +5003,26 @@
+@@ -4833,6 +5015,26 @@
  
  ########################################
  ## <summary>
@@ -28255,7 +28451,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4853,6 +5043,25 @@
+@@ -4853,6 +5055,25 @@
  
  ########################################
  ## <summary>
@@ -28281,7 +28477,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4873,6 +5082,26 @@
+@@ -4873,6 +5094,26 @@
  
  ########################################
  ## <summary>
@@ -28308,7 +28504,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5109,7 +5338,7 @@
+@@ -5109,7 +5350,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -28317,7 +28513,7 @@
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5527,50 @@
+@@ -5298,6 +5539,50 @@
  
  ########################################
  ## <summary>
@@ -28368,7 +28564,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5503,6 +5776,42 @@
+@@ -5503,6 +5788,42 @@
  
  ########################################
  ## <summary>
@@ -28411,7 +28607,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5977,42 @@
+@@ -5668,6 +5989,42 @@
  
  ########################################
  ## <summary>
@@ -28454,7 +28650,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +6043,301 @@
+@@ -5698,3 +6055,368 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -28756,6 +28952,73 @@
 +
 +  typeattribute $1 unpriv_process;
 +')
++
++
++#######################################
++## <summary>
++##	The template for creating a unprivileged user roughly
++##	equivalent to a regular linux user.
++## </summary>
++## <desc>
++##	<p>
++##     The template for creating a unprivileged user roughly
++##     equivalent to a regular linux user.
++##     </p>
++##     <p>
++##	This template creates a user domain, types, and
++##	rules for the user's tty, pty, home directories,
++##	tmp, and tmpfs files.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++#
++template(`userdom_admin_login_user_template', `
++					      
++  userdom_unpriv_user_template($1)
++
++  allow $1_t self:capability sys_nice;
++
++  domain_read_all_domains_state($1_t)
++  domain_getattr_all_domains($1_t)
++
++  files_read_kernel_modules($1_t)
++
++  kernel_read_fs_sysctls($1_t)
++
++  modutils_read_module_config($1_t)
++  modutils_read_module_deps($1_t)
++
++  miscfiles_read_hwdata($1_t)
++
++  sudo_per_role_template($1, $1_t, $1_r)
++  seutil_run_newrole($1_t, $1_r, { $1_tty_device_t $1_devpts_t })
++
++  optional_policy(`
++	gnomeclock_dbus_chat($1_t)
++  ')
++
++  optional_policy(`
++	kerneloops_dbus_chat($1_t)
++  ')
++
++  optional_policy(`
++	rpm_dbus_chat($1_t)
++  ')
++
++  optional_policy(`
++	setroubleshoot_stream_connect($1_t)
++  ')
++
++  optional_policy(`
++	netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++	netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++  ')
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.7/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/system/userdomain.te	2008-02-08 14:50:33.000000000 -0500
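Review bot: The `<summary>` and `<desc>` of the new `userdom_admin_login_user_template` are copied from the unprivileged user template and describe it as creating an unprivileged user, while the body grants `sys_nice`, read access to all domains' state, kernel-module and hwdata reads, and the `sudo`/`newrole` transition path, so the documentation understates what a caller hands out. I would replace the summary with `##	The template for creating a login user that builds on the unprivileged user template and can additionally read all domain state and escalate through sudo and newrole.` and state in `<desc>` that it calls `userdom_unpriv_user_template` first. Two layout nits in the same block: the line immediately after the `template(` opening line is whitespace-only, and the `#` separator above the doc block appears one character shorter than the rule used elsewhere in this file. The body also mixes two-space indentation with tab-indented `optional_policy` contents.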
@@ -29951,68 +30214,17 @@
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.7/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/users/staff.te	2008-02-08 14:13:09.000000000 -0500
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.2.7/policy/modules/users/staff.te	2008-02-13 11:47:19.000000000 -0500
+@@ -0,0 +1,9 @@
 +policy_module(staff,1.0.1)
-+userdom_unpriv_user_template(staff)
++userdom_admin_login_user_template(staff)
 +
 +# only staff_r can change to sysadm_r
 +userdom_role_change_template(staff, sysadm)
 +userdom_dontaudit_use_sysadm_terms(staff_t)
 +
-+allow staff_t self:capability sys_nice;
++xserver_domtrans_xdm_xserver(staff_t)
 +
-+domain_read_all_domains_state(staff_t)
-+domain_getattr_all_domains(staff_t)
-+
-+files_read_kernel_modules(staff_t)
-+
-+kernel_read_fs_sysctls(staff_t)
-+
-+modutils_read_module_config(staff_t)
-+modutils_read_module_deps(staff_t)
-+
-+miscfiles_read_hwdata(staff_t)
-+
-+sudo_per_role_template(staff, staff_t, staff_r)
-+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
-+
-+optional_policy(`
-+	gnomeclock_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+	gpg_per_role_template(staff, staff_usertype, staff_r)
-+')
-+
-+optional_policy(`
-+	java_per_role_template(staff, staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+	kerneloops_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+	mono_per_role_template(staff, staff_t, staff_r)
-+')
-+
-+optional_policy(`
-+	rpm_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+	setroubleshoot_stream_connect(staff_t)
-+')
-+
-+optional_policy(`
-+	netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
-+	netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
-+')
-+
-+optional_policy(`
-+	xserver_per_role_template(staff, staff_t, staff_r)
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.7/policy/modules/users/user.fc
 --- nsaserefpolicy/policy/modules/users/user.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/users/user.fc	2008-02-06 11:02:30.000000000 -0500
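Review bot: `xserver_domtrans_xdm_xserver(staff_t)` is added as an unconditional call, whereas the `xserver_per_role_template` it replaces was inside `optional_policy` and the other cross-module calls moved into the template stay wrapped; if the xserver module is optional in this build, the new call should be wrapped the same way, `optional_policy(` / `	xserver_domtrans_xdm_xserver(staff_t)` / `')`. It is also worth confirming that `xserver_per_role_template(staff, staff_t, staff_r)` is now provided elsewhere, since it is not part of the admin-login template added to userdomain.if in this commit; otherwise staff loses its per-role X server policy while gaining a direct transition to the xdm X server, a change the changelog entry does not mention.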
@@ -30025,32 +30237,11 @@
 +## <summary>Policy for user user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.2.7/policy/modules/users/user.te
 --- nsaserefpolicy/policy/modules/users/user.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/users/user.te	2008-02-06 11:02:30.000000000 -0500
-@@ -0,0 +1,25 @@
++++ serefpolicy-3.2.7/policy/modules/users/user.te	2008-02-13 11:46:59.000000000 -0500
+@@ -0,0 +1,4 @@
 +policy_module(user,1.0.1)
 +userdom_unpriv_user_template(user)
 +
-+optional_policy(`
-+	java_per_role_template(user, user_t, user_r)
-+')
-+
-+optional_policy(`
-+	mono_per_role_template(user, user_t, user_r)
-+')
-+
-+optional_policy(`
-+	xserver_per_role_template(user, user_t, user_r)
-+')
-+
-+optional_policy(`
-+	gpg_per_role_template(user, user_usertype, user_r)
-+')
-+
-+optional_policy(`
-+	netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
-+	netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
-+')
-+
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.7/policy/modules/users/webadm.fc
 --- nsaserefpolicy/policy/modules/users/webadm.fc	1969-12-31 19:00:00.000000000 -0500
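Review bot: Dropping the `netutils_run_ping_cond`/`netutils_run_traceroute_cond` block from user.te removes the conditional ping and traceroute transitions for `user_t`, and the only place this commit re-adds them is the admin-login template used by staff; the java, mono and gpg templates, by contrast, reappear in the userdomain.if hunk `@@ -1201,7 +1197,23 @@`. If losing ping/traceroute for plain users is intended it deserves a changelog line; if not, the netutils block belongs in `userdom_unpriv_user_template` alongside the other moved calls. The same question applies to the removed `xserver_per_role_template(user, user_t, user_r)`, which is not visibly re-added for the user domain anywhere in this diff. The trailing empty `+` line left at the end of the file can be dropped as well.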


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.606
retrieving revision 1.607
diff -u -r1.606 -r1.607
--- selinux-policy.spec	12 Feb 2008 17:47:57 -0000	1.606
+++ selinux-policy.spec	13 Feb 2008 21:43:16 -0000	1.607
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.7
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,10 @@
 %endif
 
 %changelog
+* Thu Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.7-5
+- Add additional login users interfaces
+  -     userdom_admin_login_user_template(staff)
+
 * Thu Feb 5 2008 Dan Walsh <dwalsh at redhat.com> 3.2.7-3
 - More fixes for polkit
 



