rpms/selinux-policy/F-9 policy-20071130.patch,1.257,1.258

Miroslav Grepl mgrepl at fedoraproject.org
Thu Mar 5 13:53:50 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15678

Modified Files:
	policy-20071130.patch 
Log Message:
- Fix pcscd policy
- Allow alsa to read hardware state information



policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.257
retrieving revision 1.258
diff -u -r1.257 -r1.258
--- policy-20071130.patch	27 Feb 2009 09:12:21 -0000	1.257
+++ policy-20071130.patch	5 Mar 2009 13:53:45 -0000	1.258
@@ -572657,8 +572657,14 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.3.1/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/admin/alsa.te	2009-02-12 22:21:57.000000000 +0100
-@@ -48,6 +48,7 @@
++++ serefpolicy-3.3.1/policy/modules/admin/alsa.te	2009-03-05 13:27:01.000000000 +0100
+@@ -43,11 +43,13 @@
+ 
+ dev_read_sound(alsa_t)
+ dev_write_sound(alsa_t)
++dev_read_sysfs(alsa_t)
+ 
+ corecmd_exec_bin(alsa_t)
  
  files_search_home(alsa_t)
  files_read_etc_files(alsa_t)
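Review bot: `dev_read_sysfs(alsa_t)` is added without a comment saying which hardware state alsa reads, and the interface presumably grants read on the whole sysfs tree rather than on sound-card nodes alone. A one-line why-comment keeps the rule from reading as an AVC-chasing grant that nobody can later tighten, e.g. `# alsactl reads card/hardware state from /sys`. If only a specific subtree under /sys is read, say so in the comment so a narrower interface can replace it later. The alsa_t rule block continues outside the hunk.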
@@ -648218,7 +648224,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.3.1/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/cron.te	2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/cron.te	2009-03-05 13:23:46.000000000 +0100
 @@ -12,14 +12,6 @@
  
  ## <desc>
@@ -648303,11 +648309,12 @@
  
  files_read_etc_files(crond_t)
  files_read_generic_spool(crond_t)
-@@ -142,13 +146,16 @@
+@@ -142,13 +146,17 @@
  files_search_default(crond_t)
  
  init_rw_utmp(crond_t)
-+init_spec_domtrans_script(crond_t)
++#init_spec_domtrans_script(crond_t)
++init_domtrans_script(system_crond_t)
  
  auth_use_nsswitch(crond_t)
  
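Review bot: The commented-out `#init_spec_domtrans_script(crond_t)` on the new side is dead policy; CVS already records the old rule, so delete the line instead of keeping it as a comment. The replacement `init_domtrans_script(system_crond_t)` lets every system cron job transition into the init-script domain, which is a broad grant for a domain that runs whatever is dropped into /etc/cron.*; if one specific job needs it, name it in a comment such as `# system cron jobs (name them) must run init scripts`, or gate the call in that job's optional_policy block. The crond_t rule block continues outside the hunk.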
@@ -648320,7 +648327,7 @@
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -161,11 +168,9 @@
+@@ -161,11 +169,9 @@
  userdom_list_all_users_home_dirs(crond_t)
  
  mta_send_mail(crond_t)
@@ -648333,7 +648340,7 @@
  	optional_policy(`
  		# Debian logcheck has the home dir set to its cache
  		logwatch_search_cache_dir(crond_t)
-@@ -180,21 +185,45 @@
+@@ -180,21 +186,45 @@
  	')
  ')
  
@@ -648380,7 +648387,7 @@
  ')
  
  optional_policy(`
-@@ -236,6 +265,9 @@
+@@ -236,6 +266,9 @@
  allow system_crond_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
  
@@ -648390,7 +648397,7 @@
  allow system_crond_t system_cron_spool_t:file read_file_perms;
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
-@@ -267,9 +299,13 @@
+@@ -267,9 +300,13 @@
  filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
  files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
  
@@ -648405,7 +648412,7 @@
  
  kernel_read_kernel_sysctls(system_crond_t)
  kernel_read_system_state(system_crond_t)
-@@ -323,7 +359,8 @@
+@@ -323,7 +360,8 @@
  init_read_utmp(system_crond_t)
  init_dontaudit_rw_utmp(system_crond_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -648415,7 +648422,7 @@
  
  auth_use_nsswitch(system_crond_t)
  
-@@ -333,6 +370,7 @@
+@@ -333,6 +371,7 @@
  libs_exec_ld_so(system_crond_t)
  
  logging_read_generic_logs(system_crond_t)
@@ -648423,7 +648430,7 @@
  logging_send_syslog_msg(system_crond_t)
  
  miscfiles_read_localization(system_crond_t)
-@@ -348,18 +386,6 @@
+@@ -348,18 +387,6 @@
  	')
  ')
  
@@ -648442,7 +648449,7 @@
  optional_policy(`
  	# Needed for certwatch
  	apache_exec_modules(system_crond_t)
-@@ -383,11 +409,20 @@
+@@ -383,11 +410,20 @@
  ')
  
  optional_policy(`
@@ -648463,7 +648470,7 @@
  ')
  
  optional_policy(`
-@@ -415,8 +450,7 @@
+@@ -415,8 +451,7 @@
  ')
  
  optional_policy(`
@@ -648473,7 +648480,7 @@
  ')
  
  optional_policy(`
-@@ -424,15 +458,12 @@
+@@ -424,15 +459,12 @@
  ')
  
  optional_policy(`
@@ -651642,7 +651649,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.3.1/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/ftp.te	2009-02-13 10:49:16.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/ftp.te	2009-03-05 13:36:02.000000000 +0100
 @@ -26,7 +26,7 @@
  ## <desc>
  ## <p>
@@ -651727,7 +651734,7 @@
  tunable_policy(`ftp_home_dir',`
  	allow ftpd_t self:capability { dac_override dac_read_search };
  
-@@ -218,7 +237,13 @@
+@@ -218,8 +237,16 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
  	userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -651737,11 +651744,14 @@
 +	auth_read_all_files_except_shadow(ftpd_t)
 +	auth_read_all_symlinks_except_shadow(ftpd_t)
  ')
-+userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t, { dir file lnk_file })
  
++#Needed for permissive mode, to make sure everything gets labeled correctly
++userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
++
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
  	fs_manage_nfs_files(ftpd_t)
-@@ -237,6 +262,18 @@
+ 	fs_read_nfs_symlinks(ftpd_t)
+@@ -237,6 +264,18 @@
  ')
  
  optional_policy(`
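Review bot: `userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })` sits outside the `ftp_home_dir` tunable, so it is compiled in unconditionally; a type_transition grants no access by itself, so this is safe in enforcing mode, but the comment should say that so the next reader does not move it back under the tunable. Suggested wording: `# Label anything ftpd creates in a home dir as user_home_t; a type_transition grants no access on its own, so it is safe outside ftp_home_dir (needed in permissive mode for correct labeling)`. Note the interface is introduced by this same commit in userdomain.if and is not an upstream refpolicy name, so a rebase has to carry both halves together.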
@@ -651760,7 +651770,7 @@
  	corecmd_exec_shell(ftpd_t)
  
  	files_read_usr_files(ftpd_t)
-@@ -253,7 +290,9 @@
+@@ -253,7 +292,9 @@
  ')
  
  optional_policy(`
@@ -651771,7 +651781,7 @@
  ')
  
  optional_policy(`
-@@ -265,6 +304,14 @@
+@@ -265,6 +306,14 @@
  ')
  
  optional_policy(`
@@ -656513,10 +656523,32 @@
 +	unconfined_use_terminals(openvpn_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.3.1/policy/modules/services/pcscd.fc
+--- nsaserefpolicy/policy/modules/services/pcscd.fc	2008-02-26 14:23:10.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/pcscd.fc	2009-03-05 13:07:09.000000000 +0100
+@@ -1,5 +1,6 @@
+ /var/run/pcscd\.comm	-s	gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pid	--	gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pub	--	gen_context(system_u:object_r:pcscd_var_run_t,s0)
++/var/run/pcscd\.events(/.*)?    gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ 
+ /usr/sbin/pcscd		--	gen_context(system_u:object_r:pcscd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.3.1/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/pcscd.te	2009-02-12 22:21:57.000000000 +0100
-@@ -45,6 +45,7 @@
++++ serefpolicy-3.3.1/policy/modules/services/pcscd.te	2009-03-05 13:06:58.000000000 +0100
+@@ -27,9 +27,10 @@
+ allow pcscd_t self:unix_dgram_socket create_socket_perms;
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
+ 
++manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
+ manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
+-files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
++files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file dir sock_file })
+ 
+ corenet_all_recvfrom_unlabeled(pcscd_t)
+ corenet_all_recvfrom_netlabel(pcscd_t)
+@@ -45,6 +46,7 @@
  files_read_etc_files(pcscd_t)
  files_read_etc_runtime_files(pcscd_t)
  
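Review bot: The new `/var/run/pcscd\.events(/.*)?` entry separates the pattern from the context with spaces while the three entries above it use tabs, and `manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)` puts spaces after the commas where the adjacent `manage_files_pattern`/`manage_sock_files_pattern` lines do not. Matching the surrounding style, `/var/run/pcscd\.events(/.*)?	gen_context(system_u:object_r:pcscd_var_run_t,s0)` and `manage_dirs_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)`, keeps both files consistent. The pcscd_t rule block continues outside the hunk.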
@@ -658016,7 +658048,7 @@
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.3.1/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/postfix.if	2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/postfix.if	2009-03-05 13:43:11.000000000 +0100
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -658025,7 +658057,15 @@
  
  	can_exec(postfix_$1_t, postfix_$1_exec_t)
  
-@@ -206,9 +207,8 @@
+@@ -78,6 +79,7 @@
+ 	files_read_etc_runtime_files(postfix_$1_t)
+ 	files_read_usr_symlinks(postfix_$1_t)
+ 	files_search_spool(postfix_$1_t)
++	files_search_all_mountpoints(postfix_$1_t)
+ 	files_getattr_tmp_dirs(postfix_$1_t)
+ 
+ 	init_dontaudit_use_fds(postfix_$1_t)
+@@ -206,9 +208,8 @@
  		type postfix_etc_t;
  	')
  
@@ -658037,7 +658077,7 @@
  	files_search_etc($1)
  ')
  
-@@ -416,7 +416,7 @@
+@@ -416,7 +417,7 @@
  ##	</summary>
  ## </param>
  #
@@ -658046,7 +658086,7 @@
  	gen_require(`
  		type postfix_private_t;
  	')
-@@ -427,6 +427,26 @@
+@@ -427,6 +428,26 @@
  
  ########################################
  ## <summary>
@@ -658073,7 +658113,7 @@
  ##	Execute the master postfix program in the
  ##	postfix_master domain.
  ## </summary>
-@@ -482,6 +502,24 @@
+@@ -482,6 +503,24 @@
  	files_search_spool($1)
  ')
  
@@ -658098,7 +658138,7 @@
  ########################################
  ## <summary>
  ##	Read postfix mail spool files.
-@@ -503,6 +541,44 @@
+@@ -503,6 +542,44 @@
  
  ########################################
  ## <summary>
@@ -658143,7 +658183,7 @@
  ##	Execute postfix user mail programs
  ##	in their respective domains.
  ## </summary>
-@@ -519,3 +595,22 @@
+@@ -519,3 +596,22 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -659587,7 +659627,7 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2008-02-26 14:23:10.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/ppp.te	2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/ppp.te	2009-03-05 13:10:40.000000000 +0100
 @@ -71,7 +71,7 @@
  # PPPD Local policy
  #
@@ -659606,7 +659646,15 @@
  kernel_read_network_state(pppd_t)
  kernel_load_module(pppd_t)
  
-@@ -176,10 +176,9 @@
+@@ -161,6 +161,7 @@
+ 
+ init_read_utmp(pppd_t)
+ init_dontaudit_write_utmp(pppd_t)
++init_signal_script(pppd_t)
+ 
+ auth_use_nsswitch(pppd_t)
+ 
+@@ -176,10 +177,9 @@
  sysnet_etc_filetrans_config(pppd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
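Review bot: `init_signal_script(pppd_t)` lets pppd send signals to processes in the init-script domain, and nothing in the hunk records which script pppd needs to signal. Add a why-comment so the grant stays traceable, e.g. `# pppd hooks signal an init script -- presumably ip-up/ip-down, confirm which`; if it turns out to be one helper, a narrower rule for that helper would be preferable to signalling every init script. The pppd_t rule block continues outside the hunk.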
@@ -659618,7 +659666,7 @@
  userdom_search_unpriv_users_home_dirs(pppd_t)
  
  ppp_exec(pppd_t)
-@@ -196,6 +195,12 @@
+@@ -196,6 +196,12 @@
  
  optional_policy(`
  	mta_send_mail(pppd_t)
@@ -659631,7 +659679,7 @@
  ')
  
  optional_policy(`
-@@ -215,14 +220,16 @@
+@@ -215,14 +221,16 @@
  # PPTP Local policy
  #
  
@@ -659651,7 +659699,7 @@
  
  allow pptp_t pppd_etc_t:dir { getattr read search };
  allow pptp_t pppd_etc_t:file { read getattr };
-@@ -246,9 +253,13 @@
+@@ -246,9 +254,13 @@
  kernel_list_proc(pptp_t)
  kernel_read_kernel_sysctls(pptp_t)
  kernel_read_proc_symlinks(pptp_t)
@@ -659665,7 +659713,7 @@
  corenet_all_recvfrom_unlabeled(pptp_t)
  corenet_all_recvfrom_netlabel(pptp_t)
  corenet_tcp_sendrecv_all_if(pptp_t)
-@@ -264,12 +275,16 @@
+@@ -264,12 +276,16 @@
  fs_getattr_all_fs(pptp_t)
  fs_search_auto_mountpoints(pptp_t)
  
@@ -659682,7 +659730,7 @@
  libs_use_ld_so(pptp_t)
  libs_use_shared_libs(pptp_t)
  
-@@ -278,6 +293,7 @@
+@@ -278,6 +294,7 @@
  miscfiles_read_localization(pptp_t)
  
  sysnet_read_config(pptp_t)
@@ -659690,7 +659738,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(pptp_t)
  userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
-@@ -287,6 +303,14 @@
+@@ -287,6 +304,14 @@
  ')
  
  optional_policy(`
@@ -669882,7 +669930,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2009-02-19 13:58:47.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc	2009-03-05 13:40:29.000000000 +0100
 @@ -69,8 +69,10 @@
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
@@ -669998,7 +670046,7 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -301,6 +318,23 @@
+@@ -301,6 +318,28 @@
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
  
@@ -670022,6 +670070,11 @@
 +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/sse2/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-02-26 14:23:09.000000000 +0100
 +++ serefpolicy-3.3.1/policy/modules/system/libraries.te	2009-02-12 22:21:57.000000000 +0100
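Review bot: `/opt/google-earth/.*\.so.*` is looser than the neighbouring entries: `.so.*` also matches `/`, so a regular file such as `/opt/google-earth/lib/foo.sound` or anything beneath a directory whose name contains `.so` is labeled `textrel_shlib_t` and thereby allowed execmod. Use the same shape as the sse2 entries above it: `/opt/google-earth/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`. The Komodo entry carries no `--` type column, so it also labels directories and symlinks under lib-dynload, and the two trailing blank lines before the libraries.te header are noise.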
@@ -674071,7 +674124,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2009-02-19 11:21:16.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2009-03-05 13:35:19.000000000 +0100
 @@ -29,9 +29,14 @@
  	')
  
@@ -675399,7 +675452,7 @@
  ')
  
  ########################################
-@@ -2038,11 +2097,67 @@
+@@ -2038,11 +2097,92 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -675414,6 +675467,31 @@
 +
 +')
 +
++#######################################
++## <summary>
++##      Create objects in a user home directory
++##      with an automatic type transition to
++##      the user home file type.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <param name="object_class">
++##      <summary>
++##      The class of the object to be created.
++##      </summary>
++## </param>
++#
++interface(`userdom_user_home_dir_filetrans_pattern',`
++        gen_require(`
++                type user_home_dir_t, user_home_t;
++        ')
++
++        type_transition $1 user_home_dir_t:$2 user_home_t;
++')
++
 +########################################
 +## <summary>
 +##	dontaudit attemps to Create files
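Review bot: The new `userdom_user_home_dir_filetrans_pattern` interface is indented with spaces, in both the XML block and the body, where the rest of userdomain.if uses tabs, and the `_pattern` suffix is the refpolicy convention for support macros rather than interfaces. The summary should also say what the body does: the transition targets the fixed `user_home_t` type for every caller, not a per-user type, and grants no access by itself, e.g. `##	Create objects in a user home directory with an automatic type transition to the generic user_home_t type; grants no access on its own.` Tab-indent the block to match the sibling interfaces.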
@@ -675469,7 +675547,7 @@
  ')
  
  ########################################
-@@ -2074,10 +2189,10 @@
+@@ -2074,10 +2214,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -675482,7 +675560,7 @@
  ')
  
  ########################################
-@@ -2107,11 +2222,11 @@
+@@ -2107,11 +2247,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -675496,7 +675574,7 @@
  ')
  
  ########################################
-@@ -2141,11 +2256,11 @@
+@@ -2141,11 +2281,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -675511,7 +675589,7 @@
  ')
  
  ########################################
-@@ -2175,10 +2290,14 @@
+@@ -2175,10 +2315,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -675528,7 +675606,7 @@
  ')
  
  ########################################
-@@ -2208,11 +2327,11 @@
+@@ -2208,11 +2352,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -675542,7 +675620,7 @@
  ')
  
  ########################################
-@@ -2242,11 +2361,11 @@
+@@ -2242,11 +2386,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -675556,7 +675634,7 @@
  ')
  
  ########################################
-@@ -2276,10 +2395,37 @@
+@@ -2276,10 +2420,37 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -675596,7 +675674,7 @@
  ')
  
  ########################################
-@@ -2311,12 +2457,12 @@
+@@ -2311,12 +2482,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -675612,7 +675690,7 @@
  ')
  
  ########################################
-@@ -2348,10 +2494,10 @@
+@@ -2348,10 +2519,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -675625,7 +675703,7 @@
  ')
  
  ########################################
-@@ -2383,12 +2529,12 @@
+@@ -2383,12 +2554,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -675641,7 +675719,7 @@
  ')
  
  ########################################
-@@ -2420,12 +2566,12 @@
+@@ -2420,12 +2591,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -675657,7 +675735,7 @@
  ')
  
  ########################################
-@@ -2457,12 +2603,12 @@
+@@ -2457,12 +2628,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -675673,7 +675751,7 @@
  ')
  
  ########################################
-@@ -2507,11 +2653,11 @@
+@@ -2507,11 +2678,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -675687,7 +675765,7 @@
  ')
  
  ########################################
-@@ -2556,11 +2702,11 @@
+@@ -2556,11 +2727,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -675701,7 +675779,7 @@
  ')
  
  ########################################
-@@ -2600,11 +2746,11 @@
+@@ -2600,11 +2771,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -675715,7 +675793,7 @@
  ')
  
  ########################################
-@@ -2634,11 +2780,11 @@
+@@ -2634,11 +2805,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -675729,7 +675807,7 @@
  ')
  
  ########################################
-@@ -2668,11 +2814,11 @@
+@@ -2668,11 +2839,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -675743,7 +675821,7 @@
  ')
  
  ########################################
-@@ -2704,10 +2850,10 @@
+@@ -2704,10 +2875,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -675756,7 +675834,7 @@
  ')
  
  ########################################
-@@ -2739,10 +2885,10 @@
+@@ -2739,10 +2910,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -675769,7 +675847,7 @@
  ')
  
  ########################################
-@@ -2772,12 +2918,12 @@
+@@ -2772,12 +2943,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -675785,55 +675863,25 @@
  ')
  
  ########################################
-@@ -2809,20 +2955,20 @@
+@@ -2809,10 +2980,45 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
 -		type $1_tmp_t;
 +		type user_tmp_t;
- 	')
- 
--	dontaudit $2 $1_tmp_t:file read_file_perms;
++	')
++
 +	dontaudit $2 user_tmp_t:file read_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to append users
-+##	Do not audit attempts to write users
- ##	temporary files.
- ## </summary>
- ## <desc>
- ##	<p>
--##	Do not audit attempts to append users
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to write users
- ##	temporary files.
- ##	</p>
- ##	<p>
-@@ -2842,17 +2988,90 @@
- ##	</summary>
- ## </param>
- #
--template(`userdom_dontaudit_append_user_tmp_files',`
-+template(`userdom_dontaudit_write_user_tmp_files',`
- 	gen_require(`
--		type $1_tmp_t;
-+		type user_tmp_t;
- 	')
- 
--	dontaudit $2 $1_tmp_t:file append;
-+	dontaudit $2 user_tmp_t:file write;
- ')
- 
- ########################################
- ## <summary>
--##	Read and write user temporary files.
-+##	Do not audit attempts to append users
 +##	temporary files.
 +## </summary>
 +## <desc>
 +##	<p>
-+##	Do not audit attempts to append users
++##	Do not audit attempts to write users
 +##	temporary files.
 +##	</p>
 +##	<p>
@@ -675853,9 +675901,22 @@
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_dontaudit_append_user_tmp_files',`
++template(`userdom_dontaudit_write_user_tmp_files',`
 +	gen_require(`
 +		type user_tmp_t;
+ 	')
+ 
+-	dontaudit $2 $1_tmp_t:file read_file_perms;
++	dontaudit $2 user_tmp_t:file write;
+ ')
+ 
+ ########################################
+@@ -2844,10 +3050,48 @@
+ #
+ template(`userdom_dontaudit_append_user_tmp_files',`
+ 	gen_require(`
+-		type $1_tmp_t;
++		type user_tmp_t;
 +	')
 +
 +	dontaudit $2 user_tmp_t:file append;
@@ -675894,18 +675955,14 @@
 +	gen_require(`
 +		attribute user_tmpfile;
 +		attribute userdomain;
-+	')
-+
+ 	')
+ 
+-	dontaudit $2 $1_tmp_t:file append;
 +	stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write user temporary files.
- ## </summary>
- ## <desc>
- ##	<p>
-@@ -2877,12 +3096,12 @@
+ ')
+ 
+ ########################################
+@@ -2877,12 +3121,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -675921,7 +675978,7 @@
  ')
  
  ########################################
-@@ -2914,10 +3133,10 @@
+@@ -2914,10 +3158,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -675934,7 +675991,7 @@
  ')
  
  ########################################
-@@ -2949,12 +3168,12 @@
+@@ -2949,12 +3193,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -675950,7 +676007,7 @@
  ')
  
  ########################################
-@@ -2986,11 +3205,11 @@
+@@ -2986,11 +3230,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -675964,7 +676021,7 @@
  ')
  
  ########################################
-@@ -3022,11 +3241,11 @@
+@@ -3022,11 +3266,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -675978,7 +676035,7 @@
  ')
  
  ########################################
-@@ -3058,11 +3277,11 @@
+@@ -3058,11 +3302,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -675992,7 +676049,7 @@
  ')
  
  ########################################
-@@ -3094,11 +3313,11 @@
+@@ -3094,11 +3338,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -676006,7 +676063,7 @@
  ')
  
  ########################################
-@@ -3130,11 +3349,11 @@
+@@ -3130,11 +3374,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -676020,7 +676077,7 @@
  ')
  
  ########################################
-@@ -3179,10 +3398,10 @@
+@@ -3179,10 +3423,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -676033,7 +676090,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3223,10 +3442,10 @@
+@@ -3223,10 +3467,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -676046,7 +676103,7 @@
  ')
  
  ########################################
-@@ -3254,6 +3473,63 @@
+@@ -3254,6 +3498,63 @@
  ##	</summary>
  ## </param>
  #
@@ -676110,7 +676167,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -3267,6 +3543,42 @@
+@@ -3267,6 +3568,42 @@
  
  ########################################
  ## <summary>
@@ -676153,7 +676210,7 @@
  ##	List users untrusted directories.
  ## </summary>
  ## <desc>
-@@ -3962,6 +4274,24 @@
+@@ -3962,6 +4299,24 @@
  
  ########################################
  ## <summary>
@@ -676178,7 +676235,7 @@
  ##	Manage unpriviledged user SysV shared
  ##	memory segments.
  ## </summary>
-@@ -4231,11 +4561,11 @@
+@@ -4231,11 +4586,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -676192,7 +676249,7 @@
  ')
  
  ########################################
-@@ -4251,10 +4581,10 @@
+@@ -4251,10 +4606,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -676205,7 +676262,7 @@
  ')
  
  ########################################
-@@ -4270,11 +4600,11 @@
+@@ -4270,11 +4625,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -676219,7 +676276,7 @@
  ')
  
  ########################################
-@@ -4289,16 +4619,16 @@
+@@ -4289,16 +4644,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -676239,7 +676296,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4637,54 @@
+@@ -4307,12 +4662,54 @@
  ##	</summary>
  ## </param>
  #
@@ -676297,7 +676354,7 @@
  ')
  
  ########################################
-@@ -4327,13 +4699,13 @@
+@@ -4327,13 +4724,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -676315,7 +676372,7 @@
  ')
  
  ########################################
-@@ -4531,10 +4903,10 @@
+@@ -4531,10 +4928,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -676328,7 +676385,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4923,10 @@
+@@ -4551,10 +4948,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -676341,7 +676398,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4941,10 @@
+@@ -4569,10 +4966,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -676354,7 +676411,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4960,10 @@
+@@ -4588,10 +4985,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -676367,7 +676424,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4978,10 @@
+@@ -4606,10 +5003,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -676380,7 +676437,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4997,10 @@
+@@ -4625,10 +5022,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -676393,7 +676450,7 @@
  ')
  
  ########################################
-@@ -4644,14 +5016,53 @@
+@@ -4644,14 +5041,53 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -676451,7 +676508,7 @@
  ########################################
  ## <summary>
  ##	Create objects in sysadm home directories
-@@ -4676,10 +5087,10 @@
+@@ -4676,10 +5112,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -676464,7 +676521,7 @@
  ')
  
  ########################################
-@@ -4694,10 +5105,10 @@
+@@ -4694,10 +5130,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -676477,7 +676534,7 @@
  ')
  
  ########################################
-@@ -4712,13 +5123,13 @@
+@@ -4712,13 +5148,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -676495,7 +676552,7 @@
  ')
  
  ########################################
-@@ -4754,16 +5165,16 @@
+@@ -4754,16 +5190,16 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -676515,7 +676572,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4771,18 +5182,18 @@
+@@ -4771,18 +5207,18 @@
  ##	</summary>
  ## </param>
  #
@@ -676537,7 +676594,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4790,36 +5201,45 @@
+@@ -4790,31 +5226,79 @@
  ##	</summary>
  ## </param>
  #
@@ -676583,20 +676640,18 @@
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_list_cifs($1)
 +	')
- ')
- 
- ########################################
- ## <summary>
--##	Read all files in all users home directories.
++')
++
++########################################
++## <summary>
 +##	Search all users home directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4827,7 +5247,46 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_all_users_home_content_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`userdom_search_all_users_home_content',`
 +	gen_require(`
 +		attribute home_dir_type, home_type;
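Review bot: The summary `Search all users home directories.` does not match the interface name `userdom_search_all_users_home_content` or its gen_require, which pulls in both `home_dir_type` and `home_type`, i.e. the home directories and their contents. Suggest `##	Search all users home directories and their contents.` so the doc reflects the types the rule covers. The interface body continues outside the hunk.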
@@ -676624,23 +676679,10 @@
 +	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
 +	fs_dontaudit_list_nfs($1)
 +	fs_dontaudit_list_cifs($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Read all files in all users home directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_read_all_users_home_content_files',`
- 	gen_require(`
- 		attribute home_type;
- 	')
-@@ -4839,6 +5298,26 @@
+ ')
+ 
+ ########################################
+@@ -4839,6 +5323,26 @@
  
  ########################################
  ## <summary>
@@ -676667,7 +676709,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5338,25 @@
+@@ -4859,6 +5363,25 @@
  
  ########################################
  ## <summary>
@@ -676693,7 +676735,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5377,26 @@
+@@ -4879,6 +5402,26 @@
  
  ########################################
  ## <summary>
@@ -676720,7 +676762,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5633,7 @@
+@@ -5115,7 +5658,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -676729,7 +676771,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5822,63 @@
+@@ -5304,6 +5847,63 @@
  
  ########################################
  ## <summary>
@@ -676793,7 +676835,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +6084,43 @@
+@@ -5509,6 +6109,43 @@
  
  ########################################
  ## <summary>
@@ -676837,7 +676879,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5559,7 +6171,7 @@
+@@ -5559,7 +6196,7 @@
  		attribute userdomain;
  	')
  
@@ -676846,7 +676888,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -5674,6 +6286,42 @@
+@@ -5674,6 +6311,42 @@
  
  ########################################
  ## <summary>
@@ -676889,7 +676931,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6352,408 @@
+@@ -5704,3 +6377,408 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')



