From 096b1f3404152836460d8d40320b449e92c8cdeb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 13 2008 21:43:16 +0000 Subject: - Add additional login users interfaces - userdom_admin_login_user_template(staff) --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 512a2b3..48c3f82 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1682,8 +1682,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.7/policy/modules/apps/ethereal.if --- nsaserefpolicy/policy/modules/apps/ethereal.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/ethereal.if 2008-02-06 11:02:29.000000000 -0500 -@@ -48,12 +48,10 @@ ++++ serefpolicy-3.2.7/policy/modules/apps/ethereal.if 2008-02-13 16:34:13.000000000 -0500 +@@ -35,6 +35,7 @@ + template(`ethereal_per_role_template',` + + gen_require(` ++ type user_ethereal_home_t, user_ethereal_tmp_t; + type ethereal_exec_t; + ') + +@@ -48,12 +49,10 @@ application_domain($1_ethereal_t,ethereal_exec_t) role $3 types $1_ethereal_t; @@ -1700,7 +1708,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal type $1_ethereal_tmpfs_t; files_tmpfs_file($1_ethereal_tmpfs_t) -@@ -163,17 +161,6 @@ +@@ -152,28 +151,11 @@ + nscd_socket_use($1_ethereal_t) + ') + +- # Manual transition from userhelper +- optional_policy(` +- userhelper_use_user_fd($1,$1_ethereal_t) +- userhelper_sigchld_user($1,$1_ethereal_t) +- ') +- + optional_policy(` + xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t) xserver_create_xdm_tmp_sockets($1_ethereal_t) ') 
@@ -1718,6 +1737,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal ') ####################################### +@@ -200,7 +182,7 @@ + # + template(`ethereal_admin_template',` + gen_require(` +- type $1_ethereal_t; ++ type ethereal_exec_t; + ') + + # Create various types of sockets +@@ -242,7 +224,8 @@ + # + template(`ethereal_domtrans_user_ethereal',` + gen_require(` +- type $1_ethereal_t, ethereal_exec_t; ++ type ethereal_exec_t; ++ type $1_ethereal_t; + ') + + domtrans_pattern($2,ethereal_exec_t,$1_ethereal_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.7/policy/modules/apps/ethereal.te --- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/ethereal.te 2008-02-06 11:02:29.000000000 -0500 @@ -2704,8 +2742,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.7/policy/modules/apps/irc.if --- nsaserefpolicy/policy/modules/apps/irc.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/irc.if 2008-02-06 11:02:29.000000000 -0500 -@@ -50,12 +50,11 @@ ++++ serefpolicy-3.2.7/policy/modules/apps/irc.if 2008-02-13 16:34:23.000000000 -0500 +@@ -35,6 +35,7 @@ + template(`irc_per_role_template',` + gen_require(` + type irc_exec_t; ++ type user_irc_home_t, user_irc_tmp_t; + ') + + ######################################## +@@ -50,12 +51,11 @@ userdom_user_home_content($1,$1_irc_exec_t) application_domain($1_irc_t,$1_irc_exec_t) @@ -2722,7 +2768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s ######################################## # # Local policy -@@ -65,18 +64,18 @@ +@@ -65,18 +65,18 @@ allow $1_irc_t self:tcp_socket create_socket_perms; allow $1_irc_t self:udp_socket create_socket_perms; 
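Review bot: The gen_require of `ethereal_admin_template` in the `@@ -200,7 +182,7 @@` hunk now declares only `type ethereal_exec_t;`, yet an admin template for a per-role domain presumably still refers to `$1_ethereal_t` in its body, which lies outside this hunk; the same swap in `userhelper_sigchld_user` (the `@@ -278,7 +237,7 @@` hunk further down, in userhelper.if) is visible in full and leaves the rule `allow $2 $1_userhelper_t:process sigchld;` using a type the interface no longer requires. Any module that calls either template from outside the declaring module would fail to build once the require block no longer covers the type it uses. Keep `type $1_ethereal_t;` and `type $1_userhelper_t;` in the respective gen_require blocks, or rewrite the bodies to the non-per-role types the way the other interfaces in this commit do.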
@@ -3706,7 +3752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.7/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/mplayer.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/mplayer.if 2008-02-13 16:34:09.000000000 -0500 @@ -35,6 +35,7 @@ template(`mplayer_per_role_template',` gen_require(` @@ -3773,7 +3819,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. # domain transition domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t) -@@ -503,8 +504,8 @@ +@@ -470,7 +471,9 @@ + # + template(`mplayer_domtrans_user_mplayer',` + gen_require(` +- type $1_mplayer_t, mplayer_exec_t; ++ type mplayer_exec_t; ++ type $1_mplayer_t; ++ + ') + + domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t) +@@ -503,8 +506,8 @@ # template(`mplayer_read_user_home_files',` gen_require(` @@ -3808,8 +3865,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.7/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if 2008-02-08 14:05:36.000000000 -0500 -@@ -0,0 +1,337 @@ ++++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if 2008-02-13 16:34:51.000000000 -0500 +@@ -0,0 +1,338 @@ + +## policy for nsplugin + 
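Review bot: The new `@@ -470,7 +471,9 @@` hunk for `mplayer_domtrans_user_mplayer` leaves an empty line between `type $1_mplayer_t;` and the closing `')` of its gen_require, which no other gen_require block in this patch has. Dropping that blank line keeps the block in the same shape as the equivalent `ethereal_domtrans_user_ethereal` change in this commit.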
@@ -3960,6 +4017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + type nsplugin_t; + type nsplugin_config_t; + type nsplugin_rw_t; ++ type $1_tmpfs_t; + ') + nsplugin_domtrans($2) + @@ -4298,8 +4356,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.7/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/screen.if 2008-02-06 11:02:29.000000000 -0500 -@@ -50,8 +50,9 @@ ++++ serefpolicy-3.2.7/policy/modules/apps/screen.if 2008-02-13 16:34:38.000000000 -0500 +@@ -35,6 +35,7 @@ + template(`screen_per_role_template',` + gen_require(` + type screen_dir_t, screen_exec_t; ++ type user_screen_ro_home_t; + ') + + ######################################## +@@ -50,8 +51,9 @@ type $1_screen_tmp_t; files_tmp_file($1_screen_tmp_t) @@ -4311,7 +4377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i type $1_screen_var_run_t; files_pid_file($1_screen_var_run_t) -@@ -81,9 +82,9 @@ +@@ -81,9 +83,9 @@ filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file) files_pid_filetrans($1_screen_t,screen_dir_t,dir) @@ -4324,7 +4390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i allow $1_screen_t $2:process signal; -@@ -91,12 +92,12 @@ +@@ -91,12 +93,12 @@ allow $2 $1_screen_t:process signal; allow $1_screen_t $2:process signal; 
@@ -4437,8 +4503,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.7/policy/modules/apps/tvtime.if --- nsaserefpolicy/policy/modules/apps/tvtime.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/tvtime.if 2008-02-06 11:02:29.000000000 -0500 -@@ -46,12 +46,10 @@ ++++ serefpolicy-3.2.7/policy/modules/apps/tvtime.if 2008-02-13 16:34:04.000000000 -0500 +@@ -35,6 +35,7 @@ + template(`tvtime_per_role_template',` + gen_require(` + type tvtime_exec_t; ++ type user_tvtime_home_t, user_tvtime_tmp_t; + ') + + ######################################## +@@ -46,12 +47,10 @@ application_domain($1_tvtime_t,tvtime_exec_t) role $3 types $1_tvtime_t; @@ -4455,7 +4529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i type $1_tvtime_tmpfs_t; files_tmpfs_file($1_tvtime_tmpfs_t) -@@ -67,14 +65,14 @@ +@@ -67,14 +66,14 @@ allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; # X access, Home files @@ -4478,7 +4552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t) -@@ -86,12 +84,12 @@ +@@ -86,12 +85,12 @@ domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t) # X access, Home files @@ -4524,7 +4598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc s # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.7/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/userhelper.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/userhelper.if 2008-02-13 16:33:49.000000000 -0500 
@@ -181,24 +181,6 @@ nscd_socket_use($1_userhelper_t) ') @@ -4550,9 +4624,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp ') ######################################## +@@ -240,29 +222,6 @@ + + ######################################## + ## +-## Allow domain to use userhelper file descriptor. +-## +-## +-## +-## The prefix of the domain, example user is the prefix of user_t. +-## +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-template(`userhelper_use_user_fd',` +- gen_require(` +- type $1_userhelper_t; +- ') +- +- allow $2 $1_userhelper_t:fd use; +-') +- +-######################################## +-## + ## Allow domain to send sigchld to userhelper. + ## + ## +@@ -278,7 +237,7 @@ + # + template(`userhelper_sigchld_user',` + gen_require(` +- type $1_userhelper_t; ++ type userhelper_exec_t; + ') + + allow $2 $1_userhelper_t:process sigchld; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.7/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc 2008-02-11 17:52:05.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc 2008-02-13 09:52:21.000000000 -0500 @@ -1,9 +1,9 @@ # # HOME_DIR/ 
@@ -4599,8 +4712,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f +/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) +/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) +/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) -+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_exec_t,s0) -+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_exec_t,s0) ++/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) ++/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.7/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/vmware.if 2008-02-06 11:02:29.000000000 -0500 @@ -4629,7 +4742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.7/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/apps/vmware.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/vmware.te 2008-02-13 16:42:06.000000000 -0500 @@ -22,17 +22,21 @@ type vmware_var_run_t; files_pid_file(vmware_var_run_t) 
@@ -4674,17 +4787,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t dev_rw_vmware(vmware_host_t) domain_use_interactive_fds(vmware_host_t) -@@ -99,6 +109,10 @@ +@@ -99,14 +109,12 @@ ') netutils_domtrans_ping(vmware_host_t) +-ifdef(`TODO',` +-# VMWare need access to pcmcia devices for network + optional_policy(` +-allow kernel_t cardmgr_var_lib_t:dir { getattr search }; +-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; ++ unconfined_domain(vmware_host_t) + ') +-# Vmware create network devices +-allow kernel_t self:capability net_admin; +-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +-allow kernel_t self:socket create; ++ +optional_policy(` + xserver_xdm_rw_shm(vmware_host_t) -+') + ') ++ + - ifdef(`TODO',` - # VMWare need access to pcmcia devices for network - optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.7/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/wine.if 2008-02-06 11:02:29.000000000 -0500 @@ -5305,7 +5428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.7/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/kernel/devices.if 2008-02-07 11:04:37.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/devices.if 2008-02-13 09:09:19.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) 
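Review bot: `unconfined_domain(vmware_host_t)` in the new `@@ -99,14 +109,12 @@` hunk of vmware.te turns the vmware host daemon into an unconfined domain, which makes every narrower rule the file builds up for it (`dev_rw_vmware`, `netutils_domtrans_ping`, the new `xserver_xdm_rw_shm`) redundant, and nothing in the hunk says why. The deleted TODO block suggests the motive is the net_admin/netlink access needed to create vmnet devices; if so, a comment stating that and ideally a tunable so sites can keep the confined policy would be preferable to an unconditional grant: `# TODO: enumerate the net_admin/netlink rules vmware-host needs and drop unconfined_domain`. The hunk also appends blank lines after the second optional_policy block, which only adds trailing whitespace to the patch.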
@@ -7971,7 +8094,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue +/etc/rc.d/init.d/pand -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.2.7/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if 2008-02-07 13:14:54.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if 2008-02-13 15:16:10.000000000 -0500 +@@ -35,7 +35,7 @@ + template(`bluetooth_per_role_template',` + gen_require(` + attribute bluetooth_helper_domain; +- type bluetooth_helper_exec_t; ++ type bluetooth_helper_exec_t, bluetooth_t; + ') + + type $1_bluetooth_t, bluetooth_helper_domain; @@ -226,3 +226,88 @@ dontaudit $1 bluetooth_helper_domain:dir search; dontaudit $1 bluetooth_helper_domain:file { read getattr }; @@ -12056,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.7/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/hal.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/hal.te 2008-02-13 09:08:25.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -12124,7 +12256,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) allow hald_t hald_acl_t:process signal; -@@ -325,6 +339,11 @@ +@@ -304,6 +318,7 @@ + corecmd_exec_bin(hald_acl_t) + + dev_getattr_all_chr_files(hald_acl_t) ++dev_setattr_all_chr_files(hald_acl_t) + dev_getattr_generic_usb_dev(hald_acl_t) + dev_getattr_video_dev(hald_acl_t) + dev_setattr_video_dev(hald_acl_t) +@@ -325,6 +340,11 @@ miscfiles_read_localization(hald_acl_t) @@ -12136,7 +12276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald mac policy -@@ -338,10 +357,14 @@ +@@ -338,10 +358,14 @@ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -12151,7 +12291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -391,3 +414,7 @@ +@@ -391,3 +415,7 @@ libs_use_shared_libs(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) 
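Review bot: `dev_setattr_all_chr_files(hald_acl_t)` in the `@@ -304,6 +318,7 @@` hunk grants setattr on every character device node, while the neighbouring rules (`dev_setattr_video_dev`, `dev_getattr_generic_usb_dev`) are scoped per device class. Since hald-acl's job is to adjust device ACLs this may well be intended, but a blanket setattr also covers nodes unrelated to hot-plugged hardware, so a one-line comment naming the classes that actually needed it would document the scope, e.g. `# hald-acl adjusts ownership/ACLs on device nodes for console users`. Where the device class is known, the narrower `dev_setattr_*` interfaces already used in this block should be preferred.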
@@ -19401,19 +19541,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.7/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if 2008-02-07 12:12:50.000000000 -0500 -@@ -37,7 +37,9 @@ - ++++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if 2008-02-13 16:33:07.000000000 -0500 +@@ -34,10 +34,11 @@ + # cjp: when tunables are available, spamc stuff should be + # toggled on activation of spamc, and similarly for spamd. + template(`spamassassin_per_role_template',` +- gen_require(` type spamc_exec_t, spamassassin_exec_t; - type spamd_t, spamd_tmp_t; -+ type spamc_t, spamd_t, spamd_tmp_t; -+ type user_spamassissin_home_t, user_spamassissin_tmp_t; ++ type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t; ++ type user_spamassassin_home_t, user_spamassassin_tmp_t; + type user_spamc_tmp_t; ') ############################## -@@ -45,278 +47,28 @@ +@@ -45,278 +46,28 @@ # Declarations # @@ -19431,14 +19574,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - type $1_spamassassin_home_t alias $1_spamassassin_rw_t; - userdom_user_home_content($1,$1_spamassassin_home_t) - files_poly_member($1_spamassassin_home_t) -+ typealias spamc_t alias $1_spamc_t; -+ role $3 types spamc_t; - +- - type $1_spamassassin_tmp_t; - files_tmp_file($1_spamassassin_tmp_t) -+ typealias spamassassin_t alias $1_spamassassin_t; -+ role $3 types spamassassin_t; - +- - ############################## - # - # $1_spamc_t local policy 
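Review bot: In the new `@@ -34,10 +34,11 @@` hunk for `spamassassin_per_role_template`, the line `- gen_require(`` reads as an inner deletion while the closing `')` stays as context, so the type declarations (`type spamc_exec_t, spamassassin_exec_t;`, `type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t;`, …) would no longer sit inside a gen_require block and the `')` would close the template argument early. The hunk's old/new line counts (10/11) are consistent with that reading, so it does not look like an artefact of the collapsed layout; unless the deletion is intended, the line should remain ` gen_require(`` as context. The rename from `user_spamassissin_*` to `user_spamassassin_*` is correct and matches the typealias lines later in the template.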
@@ -19603,17 +19742,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - corecmd_read_bin_sockets($1_spamassassin_t) - - domain_use_interactive_fds($1_spamassassin_t) -- ++ typealias spamc_t alias $1_spamc_t; ++ role $3 types spamc_t; + - files_read_etc_files($1_spamassassin_t) - files_read_etc_runtime_files($1_spamassassin_t) - files_list_home($1_spamassassin_t) - files_read_usr_files($1_spamassassin_t) - files_dontaudit_search_var($1_spamassassin_t) -- ++ typealias spamassassin_t alias $1_spamassassin_t; ++ role $3 types spamassassin_t; + - libs_use_ld_so($1_spamassassin_t) - libs_use_shared_libs($1_spamassassin_t) -- -- logging_send_syslog_msg($1_spamassassin_t) + ifelse(`$1',`user',`',` + typealias user_spamassassin_home_t alias $1_spamassassin_home_t; + typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t; @@ -19627,10 +19768,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) -- miscfiles_read_localization($1_spamassassin_t) +- logging_send_syslog_msg($1_spamassassin_t) + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + domtrans_pattern($2, spamc_exec_t, spamc_t) +- miscfiles_read_localization($1_spamassassin_t) +- - # cjp: this could probably be removed - seutil_read_config($1_spamassassin_t) - @@ -19710,7 +19853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -370,7 +122,7 @@ +@@ -370,7 +121,7 @@ # interface(`spamassassin_exec_spamd',` gen_require(` @@ -19719,7 +19862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') can_exec($1,spamd_exec_t) -@@ -398,11 +150,65 @@ +@@ -398,11 +149,65 @@ ## # template(`spamassassin_domtrans_user_client',` 
@@ -19743,12 +19886,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +## +# +interface(`spamassassin_domtrans_spamc',` - gen_require(` -- type $1_spamc_t, spamc_exec_t; ++ gen_require(` + type spamc_t, spamc_exec_t; - ') - -- domtrans_pattern($2,spamc_exec_t,$1_spamc_t) ++ ') ++ + domtrans_pattern($1,spamc_exec_t,spamc_t) +') + @@ -19778,16 +19919,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +## +# +template(`spamassassin_read_user_home_files',` -+ gen_require(` + gen_require(` +- type $1_spamc_t, spamc_exec_t; + type user_spamassassin_home_t; -+ ') -+ + ') + +- domtrans_pattern($2,spamc_exec_t,$1_spamc_t) + allow $1 user_spamassassin_home_t:dir list_dir_perms; + allow $1 user_spamassassin_home_t:file read_file_perms; ') ######################################## -@@ -446,11 +252,31 @@ +@@ -446,11 +251,31 @@ ## # template(`spamassassin_domtrans_user_local_client',` @@ -19821,7 +19964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -469,6 +295,7 @@ +@@ -469,6 +294,7 @@ ') files_search_var_lib($1) @@ -19829,7 +19972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) ') -@@ -528,3 +355,133 @@ +@@ -528,3 +354,133 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') 
@@ -21129,7 +21272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.7/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/xserver.if 2008-02-12 12:15:41.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/xserver.if 2008-02-13 15:23:35.000000000 -0500 @@ -15,6 +15,7 @@ template(`xserver_common_domain_template',` gen_require(` @@ -21226,9 +21369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - type $1_fonts_config_t, fonts_config_type; - userdom_user_home_content($1,$1_fonts_cache_t) -+ typealias xauth_t alias $1_xauth_t; -+ role $3 types xauth_t; - +- - type $1_iceauth_t; - domain_type($1_iceauth_t) - domain_entry_file($1_iceauth_t,iceauth_exec_t) @@ -21246,7 +21387,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; - files_poly_member($1_xauth_home_t) - userdom_user_home_content($1,$1_xauth_home_t) -- ++ typealias xauth_t alias $1_xauth_t; ++ role $3 types xauth_t; + - type $1_xauth_tmp_t; - files_tmp_file($1_xauth_tmp_t) + typealias iceauth_t alias $1_iceauth_t; 
@@ -21327,24 +21470,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) -- ++ domtrans_pattern($2, xauth_exec_t, xauth_t) + - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) - - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -+ domtrans_pattern($2, xauth_exec_t, xauth_t) - +- - allow $2 $1_xauth_t:process signal; + allow $2 xauth_t:process signal; # allow ps to show xauth - ps_process_pattern($2,$1_xauth_t) -+ ps_process_pattern($2,xauth_t) - +- - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; -- ++ ps_process_pattern($2,xauth_t) + - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) - @@ -21401,20 +21544,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - allow $2 $1_iceauth_home_t:file manage_file_perms; - allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; -- -- allow xdm_t $1_iceauth_home_t:file read_file_perms; -- -- fs_search_auto_mountpoints($1_iceauth_t) + ps_process_pattern($2,iceauth_t) -- libs_use_ld_so($1_iceauth_t) -- libs_use_shared_libs($1_iceauth_t) +- allow xdm_t $1_iceauth_home_t:file read_file_perms; + allow $2 user_iceauth_home_t:file manage_file_perms; + allow $2 user_iceauth_home_t:file { relabelfrom relabelto }; -- userdom_use_user_terminals($1,$1_iceauth_t) +- fs_search_auto_mountpoints($1_iceauth_t) + userdom_use_user_terminals($1,iceauth_t) +- libs_use_ld_so($1_iceauth_t) +- libs_use_shared_libs($1_iceauth_t) +- +- userdom_use_user_terminals($1,$1_iceauth_t) +- - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') 
@@ -21606,9 +21749,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_xauth',` + gen_require(` + type user_xauth_home_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + allow $2 user_xauth_home_t:file { getattr read }; +') + @@ -21640,8 +21782,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_iceauth',` + gen_require(` + type user_iceauth_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + # Read .Iceauthority file + allow $2 user_iceauth_home_t:file { getattr read }; ') @@ -21703,31 +21846,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -937,7 +1004,7 @@ +@@ -955,6 +1022,24 @@ ######################################## ## --## Read XDM var lib files. +## dontaudit search of XDM var lib directories. - ## - ## - ## -@@ -945,12 +1012,12 @@ - ## - ## - # --interface(`xserver_read_xdm_lib_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`xserver_dontaudit_xdm_lib_search',` - gen_require(` - type xdm_var_lib_t; - ') - -- allow $1 xdm_var_lib_t:file { getattr read }; ++ gen_require(` ++ type xdm_var_lib_t; ++ ') ++ + dontaudit $1 xdm_var_lib_t:dir search_dir_perms; - ') - - ######################################## -@@ -965,15 +1032,47 @@ ++') ++ ++######################################## ++## + ## Execute the X server in the XDM X server domain. + ## + ## +@@ -965,15 +1050,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -21776,7 +21920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1222,7 @@ +@@ -1123,7 +1240,7 @@ type xdm_xserver_tmp_t; ') 
@@ -21785,7 +21929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1411,63 @@ +@@ -1312,3 +1429,65 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -21849,6 +21993,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $1 xdm_t:process ptrace; +') + ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.7/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/xserver.te 2008-02-12 13:25:46.000000000 -0500 @@ -24425,8 +24571,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.2.7/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/qemu.if 2008-02-07 10:20:14.000000000 -0500 -@@ -0,0 +1,151 @@ ++++ serefpolicy-3.2.7/policy/modules/system/qemu.if 2008-02-13 16:31:33.000000000 -0500 +@@ -0,0 +1,202 @@ + +## policy for qemu + @@ -24561,6 +24707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + qemu_domtrans($1) + allow qemu_t $3:chr_file rw_file_perms; +') ++ +######################################## +## +## Execute qemu programs in the qemu domain. 
@@ -24578,10 +24725,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + role $1 types qemu_t; +') + ++ ++######################################## ++## ++## Execute a domain transition to run qemu. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`qemu_domtrans_unconfined',` ++ gen_require(` ++ type qemu_unconfined_t; ++ type qemu_exec_t; ++ ') ++ ++ domtrans_pattern($1,qemu_exec_t,qemu_unconfined_t) ++') ++ ++######################################## ++## ++## Execute qemu programs in the qemu unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++## ++## ++## The type of the terminal allow the PAM domain to use. ++## ++## ++# ++interface(`qemu_run_unconfined',` ++ gen_require(` ++ type qemu_unconfined_t; ++ ') ++ ++ qemu_domtrans_unconfined($1) ++ role $2 types qemu_unconfined_t; ++ allow qemu_unconfined_t $3:chr_file rw_file_perms; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.7/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/qemu.te 2008-02-06 11:02:30.000000000 -0500 -@@ -0,0 +1,60 @@ ++++ serefpolicy-3.2.7/policy/modules/system/qemu.te 2008-02-13 16:26:38.000000000 -0500 +@@ -0,0 +1,66 @@ +policy_module(qemu,1.0.0) + +######################################## @@ -24594,6 +24791,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +application_domain(qemu_t, qemu_exec_t) +role system_r types qemu_t; + ++type qemu_unconfined_t; ++domain_type(qemu_unconfined_t) ++ +######################################## +# +# qemu local policy 
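Review bot: The parameter docs of the new `qemu_run_unconfined` interface appear to be copied from a PAM template — `The role to allow the PAM domain.` and `The type of the terminal allow the PAM domain to use.` — and do not describe qemu; `qemu_domtrans_unconfined`'s summary `Execute a domain transition to run qemu.` also omits that the target is the unconfined qemu domain. Suggested wording: `The role to allow the qemu unconfined domain.`, `The type of the terminal the qemu unconfined domain may use.`, and `Execute a domain transition to run qemu in the unconfined qemu domain.`. In the qemu.te hunk, `qemu_unconfined_t` is declared with `domain_type` alone whereas `qemu_t` gets `application_domain` and `role system_r`; a comment stating that the type is meant to be entered only via `qemu_domtrans_unconfined` would make that asymmetry read as deliberate.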
@@ -24642,6 +24842,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t + +miscfiles_read_localization(qemu_t) + ++allow qemu_unconfined_t self:process { execstack execmem }; ++unconfined_domain_noaudit(qemu_unconfined_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.7/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/raid.te 2008-02-06 11:02:30.000000000 -0500 @@ -25797,8 +26000,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + allow $1 unconfined_t:process getpgid; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.7/policy/modules/system/unconfined.te ---- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/unconfined.te 2008-02-07 10:19:49.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/unconfined.te 2008-02-13 16:32:11.000000000 -0500 @@ -6,35 +6,66 @@ # Declarations # @@ -25979,7 +26182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +200,34 @@ +@@ -154,38 +200,36 @@ ') optional_policy(` @@ -25998,6 +26201,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - rpc_domtrans_nfsd(unconfined_t) + tunable_policy(`allow_unconfined_qemu_transition', ` + qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ ', ` ++ qemu_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + qemu_role(unconfined_r) ') 
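Review bot: The new else branch of `tunable_policy(`allow_unconfined_qemu_transition', …)` in unconfined.te runs qemu as `qemu_unconfined_t`, which the qemu.te hunk above gives `unconfined_domain_noaudit` plus an unconditional `allow qemu_unconfined_t self:process { execstack execmem };`, so whenever the boolean is off a VM process runs with no confinement at all and, if the `_noaudit` variant is the one without the allow_execmem/allow_execstack tunables as that explicit grant suggests, outside those booleans too. The boolean's name reads as permission for a transition, so its declaration (not in this hunk) and a comment at the call site should say plainly that the false case is the unconfined one: `# boolean off: qemu runs as qemu_unconfined_t, i.e. fully unconfined`. Consider `unconfined_domain` instead of `unconfined_domain_noaudit` for `qemu_unconfined_t` unless the audit noise has actually been observed, so the relaxed path still leaves an AVC trail for detection.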
@@ -26028,7 +26233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +247,30 @@ +@@ -205,11 +249,30 @@ ') optional_policy(` @@ -26061,7 +26266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +280,34 @@ +@@ -219,14 +282,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -26116,7 +26321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/userdomain.if 2008-02-11 17:21:21.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/userdomain.if 2008-02-12 15:29:11.000000000 -0500 @@ -29,9 +29,14 @@ ') @@ -27181,7 +27386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1201,7 +1197,11 @@ +@@ -1201,7 +1197,23 @@ ') optional_policy(` @@ -27191,10 +27396,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + polkit_per_role_template($1, $1_usertype, $1_r) ++ ') ++ ++ optional_policy(` ++ java_per_role_template($1, $1_t, $1_r) ++ ') ++ ++ optional_policy(` ++ mono_per_role_template($1, $1_t, $1_r) ++ ') ++ ++ optional_policy(` ++ gpg_per_role_template($1, $1_usertype, $1_r) ') ') -@@ -1278,8 +1278,6 @@ +@@ -1278,8 +1290,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; 
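Review bot: In the `@@ -27191` hunk the new `java_per_role_template` and `mono_per_role_template` calls are passed `$1_t`, while the neighbouring `polkit_per_role_template` and the new `gpg_per_role_template` are passed `$1_usertype`; the enclosing template begins and ends outside this hunk. If `$1_usertype` is an attribute covering the user's derived domains and the java/mono templates require a concrete type, a one-line comment such as `# java/mono templates take a single type, not the $1_usertype attribute` would stop a later reader from "fixing" the inconsistency. Note too that these blocks are moved here from staff.te and user.te (see the staff.te and user.te hunks further down), so every user built from this template now receives them.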
@@ -27203,7 +27420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1357,13 +1355,6 @@ +@@ -1357,13 +1367,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27217,7 +27434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1416,6 +1407,7 @@ +@@ -1416,6 +1419,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -27225,7 +27442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1773,14 @@ +@@ -1781,10 +1785,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -27241,7 +27458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1876,11 @@ +@@ -1880,11 +1888,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -27255,7 +27472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1910,11 @@ +@@ -1914,11 +1922,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -27269,7 +27486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1958,12 @@ +@@ -1962,12 +1970,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -27285,7 +27502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1993,10 @@ +@@ -1997,10 +2005,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` 
@@ -27298,7 +27515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2028,47 @@ +@@ -2032,11 +2040,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -27348,7 +27565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2100,10 @@ +@@ -2068,10 +2112,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -27361,7 +27578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2133,11 @@ +@@ -2101,11 +2145,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -27375,7 +27592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2167,11 @@ +@@ -2135,11 +2179,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -27390,7 +27607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2201,14 @@ +@@ -2169,10 +2213,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -27407,7 +27624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2202,11 +2238,11 @@ +@@ -2202,11 +2250,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -27421,7 +27638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2272,11 @@ +@@ -2236,11 +2284,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -27435,7 +27652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2306,10 @@ +@@ -2270,10 +2318,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -27448,7 +27665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2341,12 @@ +@@ -2305,12 +2353,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -27464,7 +27681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2378,10 @@ +@@ -2342,10 +2390,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -27477,7 +27694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2413,12 @@ +@@ -2377,12 +2425,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -27493,7 +27710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2450,12 @@ +@@ -2414,12 +2462,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -27509,7 +27726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2487,12 @@ +@@ -2451,12 +2499,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -27525,7 +27742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2537,11 @@ +@@ -2501,11 +2549,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` 
@@ -27539,7 +27756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2586,11 @@ +@@ -2550,11 +2598,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -27553,7 +27770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2630,11 @@ +@@ -2594,11 +2642,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -27567,7 +27784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2664,11 @@ +@@ -2628,11 +2676,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -27581,7 +27798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2698,11 @@ +@@ -2662,11 +2710,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -27595,7 +27812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2734,10 @@ +@@ -2698,10 +2746,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -27608,7 +27825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2769,10 @@ +@@ -2733,10 +2781,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -27621,7 +27838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2802,12 @@ +@@ -2766,12 +2814,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` 
@@ -27637,7 +27854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2839,10 @@ +@@ -2803,10 +2851,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -27650,7 +27867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2874,48 @@ +@@ -2838,10 +2886,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -27701,7 +27918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2871,12 +2945,12 @@ +@@ -2871,12 +2957,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -27717,7 +27934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2982,10 @@ +@@ -2908,10 +2994,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -27730,7 +27947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +3017,12 @@ +@@ -2943,12 +3029,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -27746,7 +27963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3054,11 @@ +@@ -2980,11 +3066,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -27760,7 +27977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3090,11 @@ +@@ -3016,11 +3102,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` 
@@ -27774,7 +27991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3126,11 @@ +@@ -3052,11 +3138,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -27788,7 +28005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3162,11 @@ +@@ -3088,11 +3174,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -27802,7 +28019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3198,11 @@ +@@ -3124,11 +3210,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -27816,7 +28033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3247,10 @@ +@@ -3173,10 +3259,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -27829,7 +28046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3291,10 @@ +@@ -3217,10 +3303,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -27842,7 +28059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3248,6 +3322,42 @@ +@@ -3248,6 +3334,42 @@ ## ## # @@ -27885,7 +28102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4225,11 +4335,11 @@ +@@ -4225,11 +4347,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` 
@@ -27899,7 +28116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4355,10 @@ +@@ -4245,10 +4367,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -27912,7 +28129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4374,11 @@ +@@ -4264,11 +4386,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -27926,7 +28143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,16 +4393,16 @@ +@@ -4283,16 +4405,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -27946,7 +28163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4301,38 +4411,32 @@ +@@ -4301,18 +4423,33 @@ ## ## # 
@@ -27964,67 +28181,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -## Read files in the staff users home directory. +-## +## Do not audit attempts to append to the staff +## users home directory. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`userdom_read_staff_home_content_files',` -- gen_require(` -- type staff_home_dir_t, staff_home_t; -- ') -- -- files_search_home($1) -- allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms; -- read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) -- read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) ++## ++## ++# +interface(`userdom_dontaudit_append_staff_home_content_files',` + userdom_dontaudit_append_unpriv_home_content_files($1) - ') - - ######################################## - ## --## Send a SIGCHLD signal to sysadm users. ++') ++ ++######################################## ++## +## Read files in the staff users home directory. - ## ++## ## ## -@@ -4340,7 +4444,28 @@ - ## - ## + ## Domain allowed access. 
+@@ -4321,13 +4458,13 @@ # --interface(`userdom_sigchld_sysadm',` -+interface(`userdom_read_staff_home_content_files',` -+ gen_require(` + interface(`userdom_read_staff_home_content_files',` + gen_require(` +- type staff_home_dir_t, staff_home_t; + type user_home_dir_t, user_home_t; -+ ') -+ -+ files_search_home($1) + ') + + files_search_home($1) +- allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms; +- read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) +- read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) + allow $1 { user_home_dir_t user_home_t }:dir list_dir_perms; + read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) + read_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) -+') -+ -+######################################## -+## -+## Send a SIGCHLD signal to sysadm users. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_sigchld_sysadm',` - gen_require(` - type sysadm_t; - ') -@@ -4525,10 +4650,10 @@ + ') + + ######################################## +@@ -4525,10 +4662,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -28037,7 +28233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4670,10 @@ +@@ -4545,10 +4682,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -28050,7 +28246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4688,10 @@ +@@ -4563,10 +4700,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -28063,7 +28259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4707,10 @@ +@@ -4582,10 +4719,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` 
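Review bot: `userdom_read_staff_home_content_files` now requires and reads `user_home_dir_t`/`user_home_t` while its summary still says "Read files in the staff users home directory". The surrounding userdomain.if hunks replace `$1_home_t` and `staff_home_t` with `user_home_t` throughout, which suggests home content of all login users now shares one type; if so, every existing caller of this interface gains read access to every user's home content, not only staff's, and the doc should say so. Suggested summary: `## Read files in the staff users home directory (user_home_t, which is shared by all login users' home content).`.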
@@ -28076,7 +28272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4725,10 @@ +@@ -4600,10 +4737,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -28089,7 +28285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4744,10 @@ +@@ -4619,10 +4756,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -28102,7 +28298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4763,11 @@ +@@ -4638,12 +4775,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -28118,7 +28314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4794,10 @@ +@@ -4670,10 +4806,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -28131,7 +28327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4812,10 @@ +@@ -4688,10 +4824,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -28144,7 +28340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4830,13 @@ +@@ -4706,13 +4842,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -28162,7 +28358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4872,49 @@ +@@ -4748,11 +4884,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` 
@@ -28213,7 +28409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4772,6 +4934,14 @@ +@@ -4772,6 +4946,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -28228,7 +28424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4833,6 +5003,26 @@ +@@ -4833,6 +5015,26 @@ ######################################## ## @@ -28255,7 +28451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4853,6 +5043,25 @@ +@@ -4853,6 +5055,25 @@ ######################################## ## @@ -28281,7 +28477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4873,6 +5082,26 @@ +@@ -4873,6 +5094,26 @@ ######################################## ## @@ -28308,7 +28504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5109,7 +5338,7 @@ +@@ -5109,7 +5350,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -28317,7 +28513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5527,50 @@ +@@ -5298,6 +5539,50 @@ ######################################## ## @@ -28368,7 +28564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5776,42 @@ +@@ -5503,6 +5788,42 @@ ######################################## ## 
@@ -28411,7 +28607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5977,42 @@ +@@ -5668,6 +5989,42 @@ ######################################## ## @@ -28454,7 +28650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +6043,301 @@ +@@ -5698,3 +6055,368 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -28756,6 +28952,73 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + typeattribute $1 unpriv_process; +') ++ ++ ++####################################### ++## ++## The template for creating a unprivileged user roughly ++## equivalent to a regular linux user. ++## ++## ++##

++## The template for creating a unprivileged user roughly ++## equivalent to a regular linux user. ++##

++##

++## This template creates a user domain, types, and ++## rules for the user's tty, pty, home directories, ++## tmp, and tmpfs files. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++# ++template(`userdom_admin_login_user_template', ` ++ ++ userdom_unpriv_user_template($1) ++ ++ allow $1_t self:capability sys_nice; ++ ++ domain_read_all_domains_state($1_t) ++ domain_getattr_all_domains($1_t) ++ ++ files_read_kernel_modules($1_t) ++ ++ kernel_read_fs_sysctls($1_t) ++ ++ modutils_read_module_config($1_t) ++ modutils_read_module_deps($1_t) ++ ++ miscfiles_read_hwdata($1_t) ++ ++ sudo_per_role_template($1, $1_t, $1_r) ++ seutil_run_newrole($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ++ ++ optional_policy(` ++ gnomeclock_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` ++ kerneloops_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` ++ rpm_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` ++ setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` ++ netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ ') ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.7/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/userdomain.te 2008-02-08 14:50:33.000000000 -0500 
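Review bot: The summary and description of the new `userdom_admin_login_user_template` are copied from `userdom_unpriv_user_template` ("creating a unprivileged user roughly equivalent to a regular linux user"), but the template additionally grants `sys_nice`, read access to all domains' process state, kernel module and hwdata reads, `sudo_per_role_template`, `seutil_run_newrole` and conditional ping/traceroute, so the doc understates what a caller hands out. Suggested summary: `## The template for creating a login user who may administer the system: an unprivileged user plus sudo, newrole, and read access to all domains' state.`. The `sudo_per_role_template` and `seutil_run_newrole` calls are also unconditional while the dbus and netutils calls sit in `optional_policy`; if sudo is an optional module this makes it a hard dependency of every user of the template, which deserves either an `optional_policy` wrapper or a comment explaining why not.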
@@ -29951,68 +30214,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.7/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/users/staff.te 2008-02-08 14:13:09.000000000 -0500 -@@ -0,0 +1,60 @@ ++++ serefpolicy-3.2.7/policy/modules/users/staff.te 2008-02-13 11:47:19.000000000 -0500 +@@ -0,0 +1,9 @@ +policy_module(staff,1.0.1) -+userdom_unpriv_user_template(staff) ++userdom_admin_login_user_template(staff) + +# only staff_r can change to sysadm_r +userdom_role_change_template(staff, sysadm) +userdom_dontaudit_use_sysadm_terms(staff_t) + -+allow staff_t self:capability sys_nice; ++xserver_domtrans_xdm_xserver(staff_t) + -+domain_read_all_domains_state(staff_t) -+domain_getattr_all_domains(staff_t) -+ -+files_read_kernel_modules(staff_t) -+ -+kernel_read_fs_sysctls(staff_t) -+ -+modutils_read_module_config(staff_t) -+modutils_read_module_deps(staff_t) -+ -+miscfiles_read_hwdata(staff_t) -+ -+sudo_per_role_template(staff, staff_t, staff_r) -+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t }) -+ -+optional_policy(` -+ gnomeclock_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ gpg_per_role_template(staff, staff_usertype, staff_r) -+') -+ -+optional_policy(` -+ java_per_role_template(staff, staff_t, staff_r) -+') -+ -+optional_policy(` -+ kerneloops_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ mono_per_role_template(staff, staff_t, staff_r) -+') -+ -+optional_policy(` -+ rpm_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ setroubleshoot_stream_connect(staff_t) -+') -+ -+optional_policy(` -+ netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) -+ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) -+') -+ -+optional_policy(` -+ 
xserver_per_role_template(staff, staff_t, staff_r) -+') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.7/policy/modules/users/user.fc --- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/users/user.fc 2008-02-06 11:02:30.000000000 -0500 @@ -30025,32 +30237,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if +## Policy for user user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.2.7/policy/modules/users/user.te --- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/users/user.te 2008-02-06 11:02:30.000000000 -0500 -@@ -0,0 +1,25 @@ ++++ serefpolicy-3.2.7/policy/modules/users/user.te 2008-02-13 11:46:59.000000000 -0500 +@@ -0,0 +1,4 @@ +policy_module(user,1.0.1) +userdom_unpriv_user_template(user) + -+optional_policy(` -+ java_per_role_template(user, user_t, user_r) -+') -+ -+optional_policy(` -+ mono_per_role_template(user, user_t, user_r) -+') -+ -+optional_policy(` -+ xserver_per_role_template(user, user_t, user_r) -+') -+ -+optional_policy(` -+ gpg_per_role_template(user, user_usertype, user_r) -+') -+ -+optional_policy(` -+ netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) -+ netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) -+') -+ + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.7/policy/modules/users/webadm.fc --- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
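Review bot: The `xserver_per_role_template(staff, staff_t, staff_r)` block is dropped from staff.te in the hunk ending here (and from user.te in the next hunk, which runs past this view), yet neither the new `userdom_admin_login_user_template` nor the `@@ -27191` hunk re-adds it; unless it was moved into `userdom_unpriv_user_template` outside this view, both users lose their per-role X policy. The added `xserver_domtrans_xdm_xserver(staff_t)` is unconditional and uncommented, and it is a privilege staff did not have before; a why-comment would help: `# staff may start an X server in the xdm X server domain directly`. If xserver is an optional module, the call should sit in `optional_policy` like the removed block did.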