From 987b10f86dd3bebe6f22b0b2f9f569e04251c542 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 14 2008 00:25:00 +0000 Subject: - Add cups_pdf policy - Add openoffice policy to run in xguest --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 060c7a4..6a4d3f4 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1641,3 +1641,10 @@ prelude = module # kerneloops = module +# Layer: apps +# Module: openoffice +# +# openoffice executable +# +openoffice = base + diff --git a/policy-20071130.patch b/policy-20071130.patch index 70a31a8..98a0357 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3962,7 +3962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.3.1/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-06 11:17:59.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-13 18:18:13.000000000 -0400 @@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -3971,7 +3971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,15 @@ +@@ -20,5 +21,11 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) 
@@ -3984,10 +3984,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + -+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0) -+ -+ +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.3.1/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 @@ -4446,7 +4442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-03-06 10:13:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-03-13 18:42:48.000000000 -0400 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` 
@@ -4643,16 +4639,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - # Browse the web, connect to printer - sysnet_dns_name_resolve($1_mozilla_t) - sysnet_read_config($1_mozilla_t) -- ++ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) ++ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) + - userdom_manage_user_home_content_dirs($1,$1_mozilla_t) - userdom_manage_user_home_content_files($1,$1_mozilla_t) - userdom_manage_user_home_content_symlinks($1,$1_mozilla_t) - userdom_manage_user_tmp_dirs($1,$1_mozilla_t) - userdom_manage_user_tmp_files($1,$1_mozilla_t) - userdom_manage_user_tmp_sockets($1,$1_mozilla_t) -+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) -+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) - +- - xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) + xserver_user_x_domain_template($1,$1_mozilla,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) @@ -4792,7 +4788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,19 +277,27 @@ +@@ -350,19 +277,31 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -4804,14 +4800,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_connectto_user_bus($1,$1_mozilla_t) -+ ') -+ -+ optional_policy(` -+ gnome_exec_gconf($1_mozilla_t) -+ gnome_manage_user_gnome_config($1,$1_mozilla_t) ') optional_policy(` ++ gnome_exec_gconf($1_mozilla_t) ++ gnome_manage_user_gnome_config($1,$1_mozilla_t) ++ ') ++ ++ optional_policy(` + gnome_domtrans_user_gconf($1,$1_mozilla_t) gnome_stream_connect_gconf_template($1,$1_mozilla_t) ') 
@@ -4819,10 +4815,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. optional_policy(` - java_domtrans_user_javaplugin($1, $1_mozilla_t) + java_plugin_per_role_template($1, $1_mozilla_t, $1_r) ++ ') ++ ++ optional_policy(` ++ openoffice_plugin_per_role_template($1, $1_mozilla_t, $1_r) ') optional_policy(` -@@ -370,37 +305,18 @@ +@@ -370,37 +309,18 @@ ') optional_policy(` @@ -4863,7 +4863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -430,11 +346,11 @@ +@@ -430,11 +350,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` @@ -4878,7 +4878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -464,11 +380,10 @@ +@@ -464,11 +384,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -4892,7 +4892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -573,3 +488,27 @@ +@@ -573,3 +492,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
@@ -5598,6 +5598,247 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +allow nsplugin_t user_home_t:dir { write read }; +allow nsplugin_t user_home_t:file write; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.3.1/policy/modules/apps/openoffice.fc +--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/openoffice.fc 2008-03-13 18:18:07.000000000 -0400 +@@ -0,0 +1,3 @@ ++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) ++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.3.1/policy/modules/apps/openoffice.if +--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/openoffice.if 2008-03-13 18:21:30.000000000 -0400 +@@ -0,0 +1,212 @@ ++## Openoffice ++ ++####################################### ++## ++## The per role template for the openoffice module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for openoffice plugins that are executed by a browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`openoffice_plugin_per_role_template',` ++ gen_require(` ++ type openoffice_exec_t; ++ ') ++ ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ type $1_openofficeplugin_t; ++ application_domain($1_openofficeplugin_t,openoffice_exec_t) ++ role $3 types $1_openofficeplugin_t; ++ ++ type $1_openofficeplugin_tmp_t; ++ files_tmp_file($1_openofficeplugin_tmp_t) ++ ++ type $1_openofficeplugin_tmpfs_t; ++ files_tmpfs_file($1_openofficeplugin_tmpfs_t) ++ ++ ######################################## ++ # ++ # Local policy ++ # ++ ++ allow $1_openofficeplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched }; ++ allow $1_openofficeplugin_t self:fifo_file rw_fifo_file_perms; ++ allow $1_openofficeplugin_t self:tcp_socket create_stream_socket_perms; ++ allow $1_openofficeplugin_t self:udp_socket create_socket_perms; ++ ++ allow $1_openofficeplugin_t $1_t:process signull; ++ allow $1_openofficeplugin_t $1_t:unix_stream_socket connectto; ++ allow $1_t $1_openofficeplugin_t:unix_stream_socket connectto; ++ allow $1_openofficeplugin_t $2:unix_stream_socket connectto; ++ allow $1_openofficeplugin_t $2:tcp_socket { read write }; ++ ++ manage_dirs_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t) ++ manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t) ++ files_tmp_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,{ file dir }) ++ allow $1_openofficeplugin_t $1_openofficeplugin_tmp_t:file execute; ++ ++ manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t) ++ manage_lnk_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t) ++ 
manage_fifo_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t) ++ manage_sock_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t) ++ fs_tmpfs_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,{ file lnk_file sock_file fifo_file }) ++ ++ can_exec($1_openofficeplugin_t, openoffice_exec_t) ++ ++ domtrans_pattern($2, openoffice_exec_t, $1_openofficeplugin_t) ++ # Unrestricted inheritance from the caller. ++ allow $2 $1_openofficeplugin_t:process { noatsecure siginh rlimitinh }; ++ allow $1_openofficeplugin_t $2:process signull; ++ ++ kernel_read_all_sysctls($1_openofficeplugin_t) ++ kernel_search_vm_sysctl($1_openofficeplugin_t) ++ kernel_read_network_state($1_openofficeplugin_t) ++ kernel_read_system_state($1_openofficeplugin_t) ++ ++ # Search bin directory under openofficeplugin for openofficeplugin executable ++ corecmd_exec_bin($1_openofficeplugin_t) ++ ++ corenet_all_recvfrom_unlabeled($1_openofficeplugin_t) ++ corenet_all_recvfrom_netlabel($1_openofficeplugin_t) ++ corenet_tcp_sendrecv_generic_if($1_openofficeplugin_t) ++ corenet_udp_sendrecv_generic_if($1_openofficeplugin_t) ++ corenet_tcp_sendrecv_all_nodes($1_openofficeplugin_t) ++ corenet_udp_sendrecv_all_nodes($1_openofficeplugin_t) ++ corenet_tcp_sendrecv_all_ports($1_openofficeplugin_t) ++ corenet_udp_sendrecv_all_ports($1_openofficeplugin_t) ++ corenet_tcp_connect_all_ports($1_openofficeplugin_t) ++ corenet_sendrecv_all_client_packets($1_openofficeplugin_t) ++ ++ dev_list_sysfs($1_openofficeplugin_t) ++ dev_read_sound($1_openofficeplugin_t) ++ dev_write_sound($1_openofficeplugin_t) ++ dev_read_urand($1_openofficeplugin_t) ++ dev_read_rand($1_openofficeplugin_t) ++ dev_write_rand($1_openofficeplugin_t) ++ ++ files_read_etc_files($1_openofficeplugin_t) ++ files_read_usr_files($1_openofficeplugin_t) ++ files_search_home($1_openofficeplugin_t) ++ files_search_var_lib($1_openofficeplugin_t) ++ 
files_read_etc_runtime_files($1_openofficeplugin_t) ++ # Read global fonts and font config ++ files_read_etc_files($1_openofficeplugin_t) ++ ++ fs_getattr_xattr_fs($1_openofficeplugin_t) ++ fs_dontaudit_rw_tmpfs_files($1_openofficeplugin_t) ++ fs_getattr_tmpfs($1_openofficeplugin_t) ++ ++ auth_use_nsswitch($1_openofficeplugin_t) ++ ++ libs_use_ld_so($1_openofficeplugin_t) ++ libs_use_shared_libs($1_openofficeplugin_t) ++ ++ logging_send_syslog_msg($1_openofficeplugin_t) ++ ++ miscfiles_read_localization($1_openofficeplugin_t) ++ # Read global fonts and font config ++ miscfiles_read_fonts($1_openofficeplugin_t) ++ ++ userdom_manage_unpriv_users_home_content_files($1_openofficeplugin_t) ++ userdom_dontaudit_use_user_terminals($1,$1_openofficeplugin_t) ++ userdom_dontaudit_setattr_user_home_content_files($1,$1_openofficeplugin_t) ++ userdom_exec_user_home_content_files($1,$1_openofficeplugin_t) ++ userdom_manage_user_tmp_dirs($1,$1_openofficeplugin_t) ++ userdom_manage_user_tmp_files($1,$1_openofficeplugin_t) ++ userdom_manage_user_tmp_sockets($1,$1_openofficeplugin_t) ++ userdom_read_user_tmpfs_files($1,$1_openofficeplugin_t) ++ userdom_manage_user_home_content_dirs($1,$1_openofficeplugin_t) ++ userdom_manage_user_home_content_files($1,$1_openofficeplugin_t) ++ userdom_manage_user_home_content_symlinks($1,$1_openofficeplugin_t) ++ userdom_manage_user_home_content_pipes($1,$1_openofficeplugin_t) ++ userdom_manage_user_home_content_sockets($1,$1_openofficeplugin_t) ++ userdom_user_home_dir_filetrans_user_home_content($1,$1_openofficeplugin_t,{ file lnk_file sock_file fifo_file }) ++ ++ optional_policy(` ++ xserver_user_x_domain_template($1,$1_openofficeplugin,$1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t) ++ ') ++ ++') ++ ++####################################### ++## ++## The per role template for the openoffice module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for openoffice applications. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`openoffice_per_role_template',` ++ gen_require(` ++ type openoffice_exec_t; ++ ') ++ ++ type $1_openoffice_t; ++ domain_type($1_openoffice_t) ++ domain_entry_file($1_openoffice_t,openoffice_exec_t) ++ role $3 types $1_openoffice_t; ++ ++ domain_interactive_fd($1_openoffice_t) ++ ++ userdom_unpriv_usertype($1, $1_openoffice_t) ++ userdom_exec_user_home_content_files($1,$1_openoffice_t) ++ ++ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; ++ ++ allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; ++ allow $1_openoffice_t $2:tcp_socket { read write }; ++ ++ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) ++ ++ dev_read_urand($1_openoffice_t) ++ dev_read_rand($1_openoffice_t) ++ ++ fs_dontaudit_rw_tmpfs_files($1_openoffice_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.3.1/policy/modules/apps/openoffice.te +--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/openoffice.te 2008-03-13 18:14:49.000000000 -0400 +@@ -0,0 +1,14 @@ ++ ++policy_module(openoffice,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type openoffice_t; ++type openoffice_exec_t; ++application_domain(openoffice_t,openoffice_exec_t) ++ ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.3.1/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/apps/screen.fc 2008-02-26 08:29:22.000000000 -0500 
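Review bot: `openoffice.te` declares `openoffice_t` and binds it with `application_domain(openoffice_t,openoffice_exec_t)` but gives the type no allow rules and no role, while `openoffice.fc` moves the program binaries from `java_exec_t` to `openoffice_exec_t`; any domain that could previously run them only through their java label may now hit an entry point whose base domain can do nothing, so either drop the unused `openoffice_t` pair or add `# openoffice_t is unused; the type exists so the per-role templates share one exec type`. In `openoffice_plugin_per_role_template`, `files_read_etc_files($1_openofficeplugin_t)` appears twice, the second time under a pasted `# Read global fonts and font config` comment that belongs to `miscfiles_read_fonts`; delete the duplicate. The same template gives the browser-spawned plugin domain `self:process ptrace`, execute on its own `$1_openofficeplugin_tmp_t` files, `corenet_tcp_connect_all_ports` and manage rights over the user's home content; a one-line why-comment on each of those would let a reviewer judge whether this domain is meant to confine anything. Both interface summaries read `The per role template for the openoffice module.`; the first one should say it is the browser plugin template.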
@@ -11186,7 +11427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.3.1/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-03-13 17:46:00.000000000 -0400 @@ -8,24 +8,28 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -11230,7 +11471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -50,3 +54,10 @@ +@@ -50,3 +54,12 @@ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -11241,9 +11482,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/etc/rc.d/init.d/cups -- gen_context(system_u:object_r:cups_script_exec_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ ++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.3.1/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.if 2008-03-10 12:18:38.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cups.if 2008-03-13 17:47:08.000000000 -0400 
@@ -20,6 +20,30 @@ ######################################## @@ -11406,7 +11649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-03-10 12:08:24.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-03-13 17:48:08.000000000 -0400 @@ -43,14 +43,13 @@ type cupsd_var_run_t; @@ -11425,13 +11668,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups type hplip_var_run_t; files_pid_file(hplip_var_run_t) -@@ -65,12 +64,17 @@ +@@ -65,12 +64,27 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) +type cups_script_exec_t; +init_script_type(cups_script_exec_t) + ++type cups_pdf_t; ++type cups_pdf_exec_t; ++domain_type(cups_pdf_t) ++domain_entry_file(cups_pdf_t, cups_pdf_exec_t) ++cups_backend(cups_pdf_t, cups_pdf_exec_t) ++role system_r types cups_pdf_t; ++ ++type cups_pdf_tmp_t; ++files_tmp_file(cups_pdf_tmp_t) ++ ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') @@ -11443,7 +11696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') ######################################## -@@ -79,13 +83,14 @@ +@@ -79,13 +93,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) @@ -11461,7 +11714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -104,7 +109,7 @@ +@@ -104,7 +119,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) 
@@ -11470,7 +11723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -116,13 +121,19 @@ +@@ -116,13 +131,19 @@ manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -11492,7 +11745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) -@@ -149,32 +160,35 @@ +@@ -149,32 +170,35 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -11532,7 +11785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) -@@ -186,7 +200,7 @@ +@@ -186,7 +210,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -11541,7 +11794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +209,15 @@ +@@ -195,15 +219,15 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -11561,7 +11814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +233,22 @@ +@@ -219,17 +243,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -11586,7 +11839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -242,12 +261,21 @@ +@@ -242,12 +271,21 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) 
@@ -11608,7 +11861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -263,6 +291,10 @@ +@@ -263,6 +301,10 @@ ') optional_policy(` @@ -11619,7 +11872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -326,6 +358,7 @@ +@@ -326,6 +368,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -11627,7 +11880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -353,6 +386,7 @@ +@@ -353,6 +396,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -11635,7 +11888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_dontaudit_search_config(cupsd_config_t) -@@ -372,6 +406,10 @@ +@@ -372,6 +416,10 @@ ') optional_policy(` @@ -11646,7 +11899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -387,6 +425,7 @@ +@@ -387,6 +435,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -11654,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -499,15 +538,10 @@ +@@ -499,15 +548,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -11671,7 +11924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -537,14 +571,14 @@ +@@ -537,14 +581,14 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) 
@@ -11688,7 +11941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) -@@ -564,7 +598,8 @@ +@@ -564,7 +608,8 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -11698,6 +11951,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) +@@ -645,3 +690,38 @@ + optional_policy(` + udev_read_db(ptal_t) + ') ++ ++######################################## ++# ++# cups_pdf local policy ++# ++ ++allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; ++ ++## internal communication is often done using fifo and unix sockets. ++allow cups_pdf_t self:fifo_file rw_file_perms; ++allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(cups_pdf_t) ++files_read_usr_files(cups_pdf_t) ++ ++kernel_read_system_state(cups_pdf_t) ++ ++libs_use_ld_so(cups_pdf_t) ++libs_use_shared_libs(cups_pdf_t) ++ ++corecmd_exec_ls(cups_pdf_t) ++corecmd_exec_shell(cups_pdf_t) ++corecmd_exec_bin(cups_pdf_t) ++ ++miscfiles_read_localization(cups_pdf_t) ++ ++manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) ++manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) ++files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) ++ ++userdom_home_filetrans_generic_user_home_dir(cups_pdf_t) ++userdom_manage_generic_user_home_content_dirs(cups_pdf_t) ++userdom_manage_generic_user_home_content_files(cups_pdf_t) ++ ++lpd_manage_spool(cups_pdf_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if --- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-02-26 08:29:22.000000000 -0500 
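Review bot: `allow cups_pdf_t self:fifo_file rw_file_perms;` applies the plain-file permission set to a fifo, whereas the rest of this patch (e.g. the openoffice plugin template) uses the fifo set; change it to `allow cups_pdf_t self:fifo_file rw_fifo_file_perms;`. The capability grant `{ chown fsetid setuid setgid dac_override }` is the widest rule in the new block — `dac_override` lets the backend ignore file modes on every object its type rules reach, including the generic user home content it may manage — so a comment naming the operation that needs it, and whether `dac_read_search` would do, is warranted. The `## internal communication ...` line uses the doc-comment prefix that the policy XML tooling reads from interface headers; inside a `.te` rule block the file otherwise uses a single `#`. What `cups_backend(cups_pdf_t, cups_pdf_exec_t)` grants is defined in cups.if outside this hunk; if it does not cover reading the job data cupsd hands to the backend, the new domain will fail in enforcing mode, which is worth confirming before merge.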
@@ -29350,7 +29642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-04 16:05:25.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-13 20:23:44.000000000 -0400 @@ -6,35 +6,67 @@ # Declarations # @@ -29534,23 +29826,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +199,37 @@ +@@ -154,62 +199,76 @@ ') optional_policy(` - postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) --') -- -- --optional_policy(` -- pyzor_per_role_template(unconfined) --') -- --optional_policy(` -- # cjp: this should probably be removed: -- rpc_domtrans_nfsd(unconfined_t) + tunable_policy(`allow_unconfined_qemu_transition', ` + qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ', ` 
@@ -29560,56 +29842,76 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + qemu_unconfined_role(unconfined_r) ') - optional_policy(` - rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++optional_policy(` ++ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) + rpm_role_transition(unconfined_r) - ') ++') optional_policy(` - samba_per_role_template(unconfined) -- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +- pyzor_per_role_template(unconfined) ++ samba_per_role_template(unconfined) + samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) +- # cjp: this should probably be removed: +- rpc_domtrans_nfsd(unconfined_t) + sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - sysnet_dbus_chat_dhcpc(unconfined_t) +- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) ') optional_policy(` -@@ -205,11 +249,30 @@ +- samba_per_role_template(unconfined) +- samba_run_net(unconfined_t, unconfined_r, { 
unconfined_devpts_t unconfined_tty_device_t }) +- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- wine_domtrans(unconfined_t) +- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) ++ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` +- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +- sysnet_dbus_chat_dhcpc(unconfined_t) ++ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` +- tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) + unconfined_domain(unconfined_mozilla_t) + allow unconfined_mozilla_t self:process { execstack execmem }; -+') -+ -+optional_policy(` + ') + + optional_policy(` +- wine_domtrans(unconfined_t) + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ') 
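Review bot: `allow unconfined_mozilla_t self:process { execstack execmem };` is unconditional, so the unconfined user's browser domain gets execmem/execstack regardless of whatever boolean gates those permissions for other unconfined domains; the file's separate `unconfined_execmem_t` domain, visible as context in the next hunk, suggests those permissions are not meant to be blanket. If the browser is meant to always have them, say so with `# browser plugins need execmem/execstack; deliberately not gated by the execmem booleans`, otherwise wrap the rule in the same tunable the other unconfined domains use. Since `unconfined_domain(unconfined_mozilla_t)` already lifts every other restriction, a comment that `mozilla_per_role_template` is invoked here only to create the type for file transitions would clarify intent. The hunk also reorders the existing `optional_policy` blocks, which buries the actual additions (`mozilla_*`, `java_run`, `mono_run`, `kismet_run`); splitting the reorder from the additions would make review easier.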
@@ -29620,7 +29922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +282,34 @@ +@@ -219,14 +278,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -29675,7 +29977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-12 08:26:37.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-13 18:42:23.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -30694,7 +30996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1104,25 @@ +@@ -1091,32 +1104,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` 
@@ -30709,25 +31011,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - optional_policy(` - consolekit_dbus_chat($1_t) - ') -- -- optional_policy(` -- cups_dbus_chat($1_t) -- ') -- ') + # Broken Cover up bugzilla #345921 Should be removed when this is fixed + corenet_tcp_connect_soundd_port($1_t) + corenet_tcp_sendrecv_soundd_port($1_t) + corenet_tcp_sendrecv_all_if($1_t) + corenet_tcp_sendrecv_lo_node($1_t) +- optional_policy(` +- cups_dbus_chat($1_t) +- ') ++ optional_policy(` ++ apache_per_role_template($1, $1_usertype, $1_r) + ') + optional_policy(` - java_per_role_template($1, $1_t, $1_r) -+ apache_per_role_template($1, $1_usertype, $1_r) ++ nsplugin_per_role_template($1, $1_usertype, $1_r) ') optional_policy(` - mono_per_role_template($1, $1_t, $1_r) -+ nsplugin_per_role_template($1, $1_usertype, $1_r) ++ openoffice_per_role_template($1, $1_usertype, $1_r) ') optional_policy(` @@ -30736,7 +31040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1133,10 @@ +@@ -1127,10 +1137,10 @@ ## ## ##
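Review bot: The new `openoffice_per_role_template($1, $1_usertype, $1_r)` line takes the slot that previously held `nsplugin_per_role_template` (which itself shifts up into the former apache slot), and nothing in the hunk records why openoffice is being instantiated from this generic per-role template rather than only for the xguest role named in the commit message; judging by the `$1_`-prefixed arguments, every role built from this template now gets an openoffice domain, and the same applies to the `apache_per_role_template` block moved into its own `optional_policy` above it. A one-line comment above the new block, such as `# openoffice is instantiated for every role using this template (xguest included); see commit message`, would make that scope reviewable, and if a narrower scope is intended the `tunable_policy` mechanism this file already uses elsewhere could gate it. The removed `java`/`mono` calls and the `cups_dbus_chat` block appear to be pre-existing inner removals rather than something this commit introduces, so they are not re-raised here. The enclosing template starts and ends outside the hunk.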

@@ -30751,7 +31055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1193,12 +1199,11 @@ +@@ -1193,12 +1203,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -30766,7 +31070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1212,27 @@ +@@ -1207,7 +1216,27 @@ ') optional_policy(` @@ -30795,7 +31099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1309,6 @@ +@@ -1284,8 +1313,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -30804,7 +31108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1363,13 +1386,6 @@ +@@ -1363,13 +1390,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30818,7 +31122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1438,7 @@ +@@ -1422,6 +1442,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30826,7 +31130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1804,14 @@ +@@ -1787,10 +1808,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -30842,7 +31146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1907,11 @@ +@@ -1886,11 +1911,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` 
@@ -30856,7 +31160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1941,11 @@ +@@ -1920,11 +1945,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -30870,7 +31174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1989,12 @@ +@@ -1968,12 +1993,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -30886,7 +31190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2024,10 @@ +@@ -2003,10 +2028,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -30899,7 +31203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2059,47 @@ +@@ -2038,11 +2063,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -30949,7 +31253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2131,10 @@ +@@ -2074,10 +2135,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -30962,7 +31266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2164,11 @@ +@@ -2107,11 +2168,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -30976,7 +31280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2198,11 @@ +@@ -2141,11 +2202,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -30991,7 +31295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2232,14 @@ +@@ -2175,10 +2236,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -31008,7 +31312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2269,11 @@ +@@ -2208,11 +2273,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -31022,7 +31326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2303,11 @@ +@@ -2242,11 +2307,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -31036,7 +31340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2337,10 @@ +@@ -2276,10 +2341,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -31049,7 +31353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2372,12 @@ +@@ -2311,12 +2376,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -31065,7 +31369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2409,10 @@ +@@ -2348,10 +2413,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -31078,7 +31382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2444,12 @@ +@@ -2383,12 +2448,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` 
@@ -31094,7 +31398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2481,12 @@ +@@ -2420,12 +2485,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -31110,7 +31414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2518,12 @@ +@@ -2457,12 +2522,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -31126,7 +31430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2568,11 @@ +@@ -2507,11 +2572,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -31140,7 +31444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2617,11 @@ +@@ -2556,11 +2621,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -31154,7 +31458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2661,11 @@ +@@ -2600,11 +2665,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -31168,7 +31472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2695,11 @@ +@@ -2634,11 +2699,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -31182,7 +31486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2729,11 @@ +@@ -2668,11 +2733,11 @@ # template(`userdom_list_user_tmp',` gen_require(` 
@@ -31196,7 +31500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2765,10 @@ +@@ -2704,10 +2769,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -31209,7 +31513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2800,10 @@ +@@ -2739,10 +2804,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -31222,7 +31526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2833,12 @@ +@@ -2772,12 +2837,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -31238,7 +31542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2870,10 @@ +@@ -2809,10 +2874,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -31251,7 +31555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2905,48 @@ +@@ -2844,10 +2909,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -31302,7 +31606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2976,12 @@ +@@ -2877,12 +2980,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -31318,7 +31622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3013,10 @@ +@@ -2914,10 +3017,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` 
@@ -31331,7 +31635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3048,12 @@ +@@ -2949,12 +3052,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -31347,7 +31651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3085,11 @@ +@@ -2986,11 +3089,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -31361,7 +31665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3121,11 @@ +@@ -3022,11 +3125,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -31375,7 +31679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3157,11 @@ +@@ -3058,11 +3161,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -31389,7 +31693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3193,11 @@ +@@ -3094,11 +3197,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -31403,7 +31707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3229,11 @@ +@@ -3130,11 +3233,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -31417,7 +31721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3278,10 @@ +@@ -3179,10 +3282,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` 
@@ -31430,7 +31734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3322,10 @@ +@@ -3223,10 +3326,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -31443,7 +31747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3353,42 @@ +@@ -3254,6 +3357,42 @@ ## ## # @@ -31486,7 +31790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4231,11 +4366,11 @@ +@@ -4231,11 +4370,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -31500,7 +31804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4386,10 @@ +@@ -4251,10 +4390,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -31513,7 +31817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4405,11 @@ +@@ -4270,11 +4409,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -31527,7 +31831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4424,16 @@ +@@ -4289,16 +4428,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -31547,7 +31851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4442,27 @@ +@@ -4307,12 +4446,27 @@ ## ## # @@ -31578,7 +31882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4477,13 @@ +@@ -4327,13 +4481,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` 
@@ -31596,7 +31900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4681,10 @@ +@@ -4531,10 +4685,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -31609,7 +31913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4701,10 @@ +@@ -4551,10 +4705,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -31622,7 +31926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4719,10 @@ +@@ -4569,10 +4723,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -31635,7 +31939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4738,10 @@ +@@ -4588,10 +4742,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -31648,7 +31952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4756,10 @@ +@@ -4606,10 +4760,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -31661,7 +31965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4775,10 @@ +@@ -4625,10 +4779,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -31674,7 +31978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4794,11 @@ +@@ -4644,12 +4798,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` 
@@ -31690,7 +31994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4825,10 @@ +@@ -4676,10 +4829,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -31703,7 +32007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4843,10 @@ +@@ -4694,10 +4847,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -31716,7 +32020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4861,13 @@ +@@ -4712,13 +4865,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -31734,7 +32038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4903,49 @@ +@@ -4754,11 +4907,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -31785,7 +32089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +4965,14 @@ +@@ -4778,6 +4969,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -31800,7 +32104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5034,26 @@ +@@ -4839,6 +5038,26 @@ ######################################## ##

@@ -31827,7 +32131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5074,25 @@ +@@ -4859,6 +5078,25 @@ ######################################## ## @@ -31853,7 +32157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5113,26 @@ +@@ -4879,6 +5117,26 @@ ######################################## ## @@ -31880,7 +32184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5369,7 @@ +@@ -5115,7 +5373,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -31889,7 +32193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5558,50 @@ +@@ -5304,6 +5562,50 @@ ######################################## ## @@ -31940,7 +32244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5807,42 @@ +@@ -5509,6 +5811,42 @@ ######################################## ## @@ -31983,7 +32287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5674,6 +6008,42 @@ +@@ -5674,6 +6012,42 @@ ######################################## ## @@ -32026,7 +32330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6074,370 @@ +@@ -5704,3 +6078,370 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 86d39a5..533b4d8 100644 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,10 @@
 exit 0
 %endif
 %changelog
+* Thu Mar 13 2008 Dan Walsh 3.3.1-18
+- Add cups_pdf policy
+- Add openoffice policy to run in xguest
+
 * Thu Mar 13 2008 Dan Walsh 3.3.1-17
 - prewika needs to contact mysql
 - Allow syslog to read system_map files