From 0102b80f93179c2ef6d80f978f2c6786f21b4384 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 29 2008 21:21:36 +0000 Subject: - Allow spamd to manage exim spool --- diff --git a/policy-20071130.patch b/policy-20071130.patch index aaba2b6..a41f448 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -29169,7 +29169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-10-28 08:44:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-10-29 17:12:38.000000000 -0400 @@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -29285,7 +29285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -171,10 +219,15 @@ +@@ -171,6 +219,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -29293,15 +29293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') - optional_policy(` -+ exim_manage_spool(spamd_t) -+') -+ -+optional_policy(` - mysql_search_db(spamd_t) - mysql_stream_connect(spamd_t) - ') -@@ -198,6 +251,11 @@ +@@ -198,6 +247,11 @@ optional_policy(` razor_domtrans(spamd_t) @@ -29313,7 +29305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -212,3 +270,216 @@ +@@ -212,3 +266,216 @@ optional_policy(` udev_read_db(spamd_t) ') 
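Review bot: The visible change to the spamassassin.te hunk (`@@ -29293,15 +29293,7 @@`) is a removal — the outer `-` lines drop `optional_policy(` / `exim_manage_spool(spamd_t)` / `')` from the patch and the hunk header shrinks from `+219,15` to `+219,7` — which is the opposite of what the subject "Allow spamd to manage exim spool" says. Presumably the rule was relocated to another hunk of this commit that is not in this chunk; please confirm that `exim_manage_spool(spamd_t)` still lands inside an `optional_policy` block in spamassassin.te and that `exim_manage_spool` is actually defined in exim.if, since an undefined interface name does not degrade gracefully at build time as far as I recall. Because spamd parses untrusted mail, giving it create/delete rights over the MTA's queue is a trust decision worth a one-line why-comment at the call site, e.g. `# spamd is run from exim's transport and must rewrite queued messages in /var/spool/exim`, adjusted to the actual reason. The spamd_t policy block this hunk edits starts and ends outside the hunk.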
@@ -38376,7 +38368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-28 09:54:16.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-29 16:36:00.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -39362,7 +39354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1030,29 @@ +@@ -1031,16 +1030,36 @@ # # privileged home directory writers @@ -39378,6 +39370,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) ++ ++ tunable_policy(`user_rw_noexattrfile',` ++ fs_manage_noxattr_fs_files($1_usertype) ++ fs_manage_noxattr_fs_dirs($1_usertype) ++ fs_manage_dos_dirs($1_usertype) ++ fs_manage_dos_files($1_usertype) ++ ') optional_policy(` - loadkeys_run($1_t,$1_r,$1_tty_device_t) @@ -39399,7 +39398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1080,13 @@ +@@ -1068,6 +1087,13 @@ userdom_restricted_user_template($1) 
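Review bot: The new `tunable_policy(`user_rw_noexattrfile', ...)` block in the userdomain.if hunk (`@@ -39378,6 +39370,13 @@`) grants `$1_usertype` create/write/delete on every file and directory of non-xattr and DOS filesystems, yet it is placed under the "privileged home directory writers" comment, to which it is unrelated, and carries no comment of its own. Nothing in this chunk declares the boolean, so check that `gen_tunable(user_rw_noexattrfile, ...)` exists in userdomain.te and what its default is: if it defaults to true, every unprivileged user domain built from this template can write to unlabeled media (NFS without labels, USB sticks, ISO images) without an explicit administrator decision, and the `$1_usertype` attribute must exist for every caller of the template. I would move the block out of the privhome section and add `# user_rw_noexattrfile: let $1 user domains manage files on unlabeled (noxattr) and DOS filesystems, e.g. removable media` above it, stating the intended default in the tunable's description. The enclosing template starts and ends outside the hunk.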
@@ -39413,7 +39412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1095,16 @@ +@@ -1076,14 +1102,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -39435,7 +39434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1112,29 @@ +@@ -1091,32 +1119,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -39479,7 +39478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1145,10 @@ +@@ -1127,10 +1152,10 @@ ## ## ##

@@ -39494,7 +39493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1182,6 @@ +@@ -1164,7 +1189,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -39502,7 +39501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1182,32 +1199,49 @@ +@@ -1182,32 +1206,49 @@ ') ') @@ -39552,19 +39551,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + java_per_role_template($1, $1_t, $1_r) -+ ') -+ -+ optional_policy(` -+ mono_per_role_template($1, $1_t, $1_r) ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ mono_per_role_template($1, $1_t, $1_r) ++ ') ++ ++ optional_policy(` + gpg_per_role_template($1, $1_usertype, $1_r) ') ') -@@ -1284,8 +1318,6 @@ +@@ -1284,8 +1325,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -39573,7 +39572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1339,6 @@ +@@ -1307,8 +1346,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -39582,7 +39581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,11 +1393,8 @@ +@@ -1363,11 +1400,8 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -39596,7 +39595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -1422,6 +1449,7 @@ +@@ -1422,6 +1456,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -39604,7 +39603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1815,14 @@ +@@ -1787,10 +1822,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -39620,7 +39619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1918,11 @@ +@@ -1886,11 +1925,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -39634,7 +39633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1952,11 @@ +@@ -1920,11 +1959,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -39648,7 +39647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +2000,12 @@ +@@ -1968,12 +2007,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -39664,7 +39663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2035,11 @@ +@@ -2003,10 +2042,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -39678,7 +39677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2071,67 @@ +@@ -2038,11 +2078,67 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` 
@@ -39748,7 +39747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2163,10 @@ +@@ -2074,10 +2170,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -39761,7 +39760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2196,11 @@ +@@ -2107,11 +2203,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -39775,7 +39774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2230,11 @@ +@@ -2141,11 +2237,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -39790,7 +39789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2264,14 @@ +@@ -2175,10 +2271,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -39807,7 +39806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2301,11 @@ +@@ -2208,11 +2308,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -39821,7 +39820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2335,11 @@ +@@ -2242,11 +2342,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -39835,7 +39834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2369,10 @@ +@@ -2276,10 +2376,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` 
@@ -39848,7 +39847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2404,12 @@ +@@ -2311,12 +2411,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -39864,7 +39863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2441,10 @@ +@@ -2348,10 +2448,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -39877,7 +39876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2476,12 @@ +@@ -2383,12 +2483,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -39893,7 +39892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2513,12 @@ +@@ -2420,12 +2520,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -39909,7 +39908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2550,12 @@ +@@ -2457,12 +2557,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -39925,7 +39924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2600,11 @@ +@@ -2507,11 +2607,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -39939,7 +39938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2649,11 @@ +@@ -2556,11 +2656,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` 
@@ -39953,7 +39952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2693,11 @@ +@@ -2600,11 +2700,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -39967,7 +39966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2727,11 @@ +@@ -2634,11 +2734,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -39981,7 +39980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2761,11 @@ +@@ -2668,11 +2768,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -39995,7 +39994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2797,10 @@ +@@ -2704,10 +2804,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -40008,7 +40007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2832,10 @@ +@@ -2739,10 +2839,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -40021,7 +40020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2865,12 @@ +@@ -2772,12 +2872,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -40037,7 +40036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,20 +2902,20 @@ +@@ -2809,20 +2909,20 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -40062,7 +40061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary files. ##

##

-@@ -2842,21 +2935,23 @@ +@@ -2842,21 +2942,23 @@ ## ## # @@ -40091,7 +40090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -2871,35 +2966,106 @@ +@@ -2871,32 +2973,103 @@ ## ## ##

@@ -40126,9 +40125,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo -##

-##

-## This is a templated interface, and should only --## be called from a per-userdomain template. --##

--## +## +## +## Domain allowed access. @@ -40210,13 +40206,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +##

+##

+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+## - ## - ## - ## The prefix of the user domain (e.g., user -@@ -2914,10 +3080,10 @@ + ## be called from a per-userdomain template. + ##

+ ## +@@ -2914,10 +3087,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -40229,7 +40222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3115,12 @@ +@@ -2949,12 +3122,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -40245,7 +40238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3152,11 @@ +@@ -2986,11 +3159,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -40259,7 +40252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3188,11 @@ +@@ -3022,11 +3195,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -40273,7 +40266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3224,11 @@ +@@ -3058,11 +3231,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -40287,7 +40280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3260,11 @@ +@@ -3094,11 +3267,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -40301,7 +40294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3296,11 @@ +@@ -3130,11 +3303,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -40315,7 +40308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3345,10 @@ +@@ -3179,10 +3352,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` 
@@ -40328,7 +40321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3389,10 @@ +@@ -3223,10 +3396,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -40341,7 +40334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3420,42 @@ +@@ -3254,6 +3427,42 @@ ##
## # @@ -40384,7 +40377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -3267,6 +3469,42 @@ +@@ -3267,6 +3476,42 @@ ######################################## ## @@ -40427,7 +40420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## List users untrusted directories. ## ## -@@ -3962,6 +4200,24 @@ +@@ -3962,6 +4207,24 @@ ######################################## ## @@ -40452,7 +40445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Manage unpriviledged user SysV shared ## memory segments. ## -@@ -4231,11 +4487,11 @@ +@@ -4231,11 +4494,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -40466,7 +40459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4507,10 @@ +@@ -4251,10 +4514,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -40479,7 +40472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4526,11 @@ +@@ -4270,11 +4533,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -40493,7 +40486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4545,16 @@ +@@ -4289,16 +4552,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -40513,13 +40506,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ##
## -@@ -4307,12 +4563,54 @@ +@@ -4307,12 +4570,54 @@ ##
## # -interface(`userdom_dontaudit_append_staff_home_content_files',` +interface(`userdom_dontaudit_append_unpriv_home_content_files',` -+ gen_require(` + gen_require(` +- type staff_home_t; + type user_home_t; + ') + @@ -40546,8 +40540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +# +interface(`userdom_dontaudit_unlink_unpriv_home_content_files',` - gen_require(` -- type staff_home_t; ++ gen_require(` + type user_home_t; ') @@ -40571,7 +40564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4625,13 @@ +@@ -4327,13 +4632,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -40589,7 +40582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4829,10 @@ +@@ -4531,10 +4836,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -40602,7 +40595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4849,10 @@ +@@ -4551,10 +4856,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -40615,7 +40608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4867,10 @@ +@@ -4569,10 +4874,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -40628,7 +40621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4886,10 @@ +@@ -4588,10 +4893,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` 
@@ -40641,7 +40634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4904,10 @@ +@@ -4606,10 +4911,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -40654,7 +40647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4923,10 @@ +@@ -4625,10 +4930,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -40667,7 +40660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4942,29 @@ +@@ -4644,12 +4949,29 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -40701,7 +40694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4991,10 @@ +@@ -4676,10 +4998,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -40714,7 +40707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +5009,10 @@ +@@ -4694,10 +5016,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -40727,7 +40720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +5027,13 @@ +@@ -4712,13 +5034,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -40745,7 +40738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +5069,49 @@ +@@ -4754,11 +5076,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` 
@@ -40796,7 +40789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5131,14 @@ +@@ -4778,6 +5138,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -40811,7 +40804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4815,6 +5176,8 @@ +@@ -4815,6 +5183,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -40820,7 +40813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,7 +5202,7 @@ +@@ -4839,7 +5209,7 @@ ######################################## ## @@ -40829,22 +40822,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## in all users home directories. ## ## -@@ -4848,7 +5211,27 @@ +@@ -4848,18 +5218,57 @@ ## ## # -interface(`userdom_manage_all_users_home_content_dirs',` +interface(`userdom_delete_all_users_home_content_dirs',` -+ gen_require(` -+ attribute home_type; -+ ') -+ -+ files_list_home($1) + gen_require(` + attribute home_type; + ') + + files_list_home($1) +- allow $1 home_type:dir manage_dir_perms; + delete_dirs_pattern($1, home_type, home_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete all files +## Create, read, write, and delete all directories +## in all users home directories. +## 
@@ -40855,13 +40850,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +# +interface(`userdom_manage_all_users_home_content_dirs',` - gen_require(` - attribute home_type; - ') -@@ -4859,6 +5242,25 @@ - - ######################################## - ## ++ gen_require(` ++ attribute home_type; ++ ') ++ ++ files_list_home($1) ++ allow $1 home_type:dir manage_dir_perms; ++') ++ ++######################################## ++## +## Delete all files +## in all users home directories. +## @@ -40881,10 +40879,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## - ## Create, read, write, and delete all files ++## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5281,26 @@ + ## +@@ -4879,6 +5288,26 @@ ######################################## ## @@ -40911,7 +40910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5537,7 @@ +@@ -5115,7 +5544,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -40920,7 +40919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5726,63 @@ +@@ -5304,6 +5733,63 @@ ######################################## ## @@ -40984,7 +40983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5988,43 @@ +@@ -5509,6 +5995,43 @@ ######################################## ## @@ -41028,7 +41027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5559,7 +6075,7 @@ +@@ -5559,7 +6082,7 @@ attribute userdomain; ') 
@@ -41037,7 +41036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,6 +6190,42 @@ +@@ -5674,6 +6197,42 @@ ######################################## ## @@ -41080,7 +41079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6256,408 @@ +@@ -5704,3 +6263,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')