From 163db1055729a073485e41236861b003455e634c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 08 2008 16:38:09 +0000
Subject: - Allow iptables to talk to terminals - Fixes for policy kit - lots of fixes for booting.
---
diff --git a/policy-20081111.patch b/policy-20081111.patch
index 1af67ab..d143105 100644
--- a/policy-20081111.patch
+++ b/policy-20081111.patch
@@ -1,82 +1,3 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.1/Makefile ---- nsaserefpolicy/Makefile 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.1/Makefile 2008-11-25 09:45:43.000000000 -0500 -@@ -315,20 +315,22 @@ - - # parse-rolemap modulename,outputfile - define parse-rolemap -- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -+ echo "" >> $2 -+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 - endef - - # perrole-expansion modulename,outputfile - define perrole-expansion -- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -- $(call parse-rolemap,$1,$2) -- $(verbose) echo "')" >> $2 -- -- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -- $(call parse-rolemap-compat,$1,$2) -- $(verbose) echo "')" >> $2 -+ echo "No longer doing perrole-expansion" -+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -+# $(call parse-rolemap,$1,$2) -+# $(verbose) echo "')" >> $2 -+ -+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -+# $(call parse-rolemap-compat,$1,$2) -+# $(verbose) echo "')" >> $2 - endef - - # create-base-per-role-tmpl modulenames,outputfile -@@ -527,6 +529,10 @@ - @mkdir -p $(appdir)/users - $(verbose) $(INSTALL) -m 644 $^ $@ - -+$(appdir)/initrc_context: $(tmpdir)/initrc_context -+ @mkdir -p $(appdir) -+ $(verbose) $(INSTALL) -m 644 $< $@ -+ - 
$(appdir)/%: $(appconf)/% - @mkdir -p $(appdir) - $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.1/Rules.modular ---- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.1/Rules.modular 2008-11-25 09:45:43.000000000 -0500 -@@ -73,8 +73,8 @@ - $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" - @test -d $(tmpdir) || mkdir -p $(tmpdir) -- $(call perrole-expansion,$(basename $(@F)),$@.role) -- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+# $(call perrole-expansion,$(basename $(@F)),$@.role) -+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - - $(tmpdir)/%.mod.fc: $(m4support) %.fc -@@ -129,7 +129,7 @@ - @test -d $(tmpdir) || mkdir -p $(tmpdir) - # define all available object classes - $(verbose) $(genperm) $(avs) $(secclass) > $@ -- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) -+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) - $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true - - $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy -@@ -146,7 +146,7 @@ - $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ -- $(call parse-rolemap,base,$@) -+# $(call parse-rolemap,base,$@) - - $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.1/config/appconfig-mcs/default_contexts --- 
nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.1/config/appconfig-mcs/default_contexts 2008-11-25 09:45:43.000000000 -0500 @@ -176,6 +97,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context +--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context 2008-11-25 09:45:43.000000000 -0500 +@@ -1 +1 @@ +-system_u:sysadm_r:sysadm_t:s0 ++system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.1/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.1/config/appconfig-mcs/user_u_default_contexts 2008-11-25 09:45:43.000000000 -0500 
@@ -191,12 +118,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context ---- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context 2008-11-25 09:45:43.000000000 -0500 -@@ -1 +1 @@ --system_u:sysadm_r:sysadm_t:s0 -+system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.1/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.1/config/appconfig-mcs/xguest_u_default_contexts 2008-11-25 09:45:43.000000000 -0500 
@@ -272,6 +193,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:xdm_t xguest_r:xguest_t:s0 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.1/Makefile +--- nsaserefpolicy/Makefile 2008-11-11 16:13:50.000000000 -0500 ++++ serefpolicy-3.6.1/Makefile 2008-11-25 09:45:43.000000000 -0500 +@@ -315,20 +315,22 @@ + + # parse-rolemap modulename,outputfile + define parse-rolemap +- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 ++ echo "" >> $2 ++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ ++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + endef + + # perrole-expansion modulename,outputfile + define perrole-expansion +- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +- $(call parse-rolemap,$1,$2) +- $(verbose) echo "')" >> $2 +- +- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +- $(call parse-rolemap-compat,$1,$2) +- $(verbose) echo "')" >> $2 ++ echo "No longer doing perrole-expansion" ++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 ++# $(call parse-rolemap,$1,$2) ++# $(verbose) echo "')" >> $2 ++ ++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 ++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 ++# $(call parse-rolemap-compat,$1,$2) ++# $(verbose) echo "')" >> $2 + endef + + # create-base-per-role-tmpl modulenames,outputfile 
+@@ -527,6 +529,10 @@ + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + ++$(appdir)/initrc_context: $(tmpdir)/initrc_context ++ @mkdir -p $(appdir) ++ $(verbose) $(INSTALL) -m 644 $< $@ ++ + $(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.1/man/man8/samba_selinux.8 --- nsaserefpolicy/man/man8/samba_selinux.8 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.1/man/man8/samba_selinux.8 2008-11-25 09:45:43.000000000 -0500 @@ -363,6 +331,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(certwatch_t) miscfiles_read_certs(certwatch_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.1/policy/modules/admin/consoletype.te +--- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-11-11 16:13:49.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/admin/consoletype.te 2008-12-05 09:17:49.000000000 -0500 +@@ -18,7 +18,7 @@ + # Local declarations + # + +-allow consoletype_t self:capability sys_admin; ++allow consoletype_t self:capability { sys_admin sys_tty_config }; + allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow consoletype_t self:fd use; + allow consoletype_t self:fifo_file rw_fifo_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.1/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2008-11-11 16:13:49.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/admin/kismet.te 2008-12-02 11:02:15.000000000 -0500 
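Review bot: The consoletype.te change to `allow consoletype_t self:capability { sys_admin sys_tty_config };` widens the domain's capability set without a comment saying which consoletype operation was denied without it. Elsewhere in this same patch the capability is suppressed rather than granted (`dontaudit cupsd_config_t self:capability sys_tty_config;` in cups.te), so it is worth confirming that consoletype actually fails without it and does not merely log a denial. If the grant is needed, a one-line comment above the rule naming the operation seen in the AVC denial would let a later reviewer re-check it.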
@@ -1102,7 +1082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.1/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-03 14:12:34.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-05 14:31:30.000000000 -0500 @@ -51,7 +51,7 @@ # @@ -1137,7 +1117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand($1_sudo_t) + dev_rw_generic_usb_dev($1_sudo_t) -+ dev_list_sysfs($1_sudo_t) ++ dev_read_sysfs($1_sudo_t) fs_search_auto_mountpoints($1_sudo_t) fs_getattr_xattr_fs($1_sudo_t) @@ -1457,9 +1437,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.1/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-04 13:27:45.000000000 -0500 -@@ -91,3 +91,150 @@ ++++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-08 10:37:21.000000000 -0500 +@@ -89,5 +89,154 @@ + + allow $1 gnome_home_t:dir manage_dir_perms; allow $1 gnome_home_t:file manage_file_perms; ++ allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; userdom_search_user_home_dirs($1) ') + @@ -1526,6 +1509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type gconf_etc_t; + ') + ++ allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) +') + 
@@ -1651,6 +1635,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.1/policy/modules/apps/gpg.if +--- nsaserefpolicy/policy/modules/apps/gpg.if 2008-11-11 16:13:42.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/apps/gpg.if 2008-12-05 10:36:57.000000000 -0500 +@@ -30,7 +30,7 @@ + + # allow ps to show gpg + ps_process_pattern($2, gpg_t) +- allow $2 gpg_t:process signal; ++ allow $2 gpg_t:process { signal sigkill }; + + # communicate with the user + allow gpg_helper_t $2:fd use; +@@ -46,9 +46,17 @@ + manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) +- + # Transition from the user domain to the agent domain. + domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) ++ ++ #Leaked File Descriptors ++ dontaudit gpg_t $2:tcp_socket rw_socket_perms; ++ dontaudit gpg_t $2:udp_socket rw_socket_perms; ++ dontaudit gpg_t $2:unix_stream_socket rw_socket_perms; ++ dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms; ++ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; ++ ++ userdom_manage_user_home_content_files(gpg_t) + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.1/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/apps/gpg.te 2008-11-25 09:45:43.000000000 -0500 
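Review bot: The added `userdom_manage_user_home_content_files(gpg_t)` at the end of the gpg.if block is, going by its name, a create/write/delete grant over user home content files, and it sits in a block whose other rules are parameterised on `$2` although this rule does not use `$2` at all. A rule that names only gpg_t would normally be stated once in gpg.te rather than repeated for every caller of the interface, and a comment stating which gpg use case needs write access outside the gpg-labelled directories would keep the grant reviewable. The five `dontaudit gpg_t $2:...` lines under `#Leaked File Descriptors` also hide the denials that would identify which caller leaks the descriptors; naming the known leaking program in that comment would help whoever later tries to remove them. The enclosing interface starts and ends outside the hunk.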
@@ -2485,8 +2500,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-03 09:00:12.000000000 -0500 -@@ -0,0 +1,273 @@ ++++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te 2008-12-05 08:34:32.000000000 -0500 +@@ -0,0 +1,275 @@ + +policy_module(nsplugin, 1.0.0) + @@ -2553,6 +2568,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) +userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) @@ -3806,7 +3823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc 2008-11-25 16:31:05.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc 2008-12-05 08:55:39.000000000 -0500 
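Review bot: The two lines added to nsplugin.te, `manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)` and `manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)`, are not matched by the `userdom_user_home_dir_filetrans` and `userdom_user_home_content_filetrans` calls directly below them, which still list only `{file dir}`. A FIFO or socket created directly in the user's home directory, rather than inside an existing nsplugin_home_t directory, would therefore presumably not receive the nsplugin_home_t label, and the new rules would not cover it. If that case matters, the class lists should be extended; otherwise a short comment recording that plugins only create these objects under their own directories would document the assumption. The file continues outside the hunk.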
@@ -128,6 +128,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3829,6 +3846,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -221,8 +221,8 @@ + /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/vmware-tools/sbin64(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -291,3 +291,12 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) @@ -10168,8 +10196,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/cups.te 2008-12-02 10:19:15.000000000 -0500 -@@ -20,6 +20,12 @@ ++++ serefpolicy-3.6.1/policy/modules/services/cups.te 2008-12-05 08:56:46.000000000 -0500 +@@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) 
@@ -10182,7 +10210,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type cupsd_rw_etc_t; files_config_file(cupsd_rw_etc_t) -@@ -48,6 +54,10 @@ ++type cupsd_lock_t; ++files_lock_file(cupsd_lock_t) ++ + type cupsd_log_t; + logging_log_file(cupsd_log_t) + +@@ -48,6 +57,10 @@ type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) @@ -10193,7 +10227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type hplip_etc_t; files_config_file(hplip_etc_t) -@@ -65,6 +75,16 @@ +@@ -65,6 +78,16 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) @@ -10210,7 +10244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') -@@ -79,13 +99,14 @@ +@@ -79,13 +102,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) @@ -10228,7 +10262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -97,6 +118,9 @@ +@@ -97,6 +121,9 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) @@ -10238,7 +10272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -104,8 +128,8 @@ +@@ -104,8 +131,11 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) 
@@ -10246,10 +10280,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow cupsd_t cupsd_exec_t:lnk_file read; +allow cupsd_t cupsd_exec_t:dir search_dir_perms; +allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; ++ ++allow cupsd_t cupsd_lock_t:file manage_file_perms; ++files_lock_filetrans(cupsd_t, cupsd_lock_t, file) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; -@@ -116,13 +140,20 @@ +@@ -116,13 +146,20 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -10272,7 +10309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +180,49 @@ +@@ -149,44 +186,49 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -10327,7 +10364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +231,16 @@ +@@ -195,15 +237,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -10348,7 +10385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -@@ -217,17 +254,21 @@ +@@ -217,17 +260,21 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -10373,7 +10410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -244,8 +285,16 @@ +@@ -244,8 +291,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` 
@@ -10390,7 +10427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -261,6 +310,10 @@ +@@ -261,6 +316,10 @@ ') optional_policy(` @@ -10401,7 +10438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -279,7 +332,7 @@ +@@ -279,7 +338,7 @@ # Cups configuration daemon local policy # @@ -10410,7 +10447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -311,7 +364,7 @@ +@@ -311,7 +370,7 @@ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) kernel_read_system_state(cupsd_config_t) @@ -10419,7 +10456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -324,6 +377,7 @@ +@@ -324,6 +383,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -10427,7 +10464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -341,13 +395,14 @@ +@@ -341,13 +401,14 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -10443,7 +10480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -359,14 +414,16 @@ +@@ -359,14 +420,16 @@ lpd_read_config(cupsd_config_t) ifdef(`distro_redhat',` 
@@ -10462,7 +10499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -382,6 +439,7 @@ +@@ -382,6 +445,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -10470,7 +10507,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -491,7 +549,8 @@ +@@ -491,7 +555,8 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -10480,7 +10517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -500,6 +559,10 @@ +@@ -500,6 +565,10 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -10491,7 +10528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -529,7 +592,8 @@ +@@ -529,7 +598,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -10501,7 +10538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -553,7 +617,9 @@ +@@ -553,7 +623,9 @@ userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -10512,7 +10549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(hplip_t) -@@ -635,3 +701,39 @@ +@@ -635,3 +707,39 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -10586,8 +10623,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-12-04 13:28:31.000000000 -0500 -@@ -160,6 +160,10 @@ ++++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-12-05 14:40:52.000000000 -0500 +@@ -44,6 +44,7 @@ + + attribute session_bus_type; + type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; ++ type $1_t; + ') + + ############################## +@@ -91,7 +92,7 @@ + allow $3 $1_dbusd_t:process { sigkill signal }; + + # cjp: this seems very broken +- corecmd_bin_domtrans($1_dbusd_t, $3) ++ corecmd_bin_domtrans($1_dbusd_t, $1_t) + allow $1_dbusd_t $3:process sigkill; + allow $3 $1_dbusd_t:fd use; + allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; +@@ -160,6 +161,10 @@ ') optional_policy(` @@ -10598,7 +10652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat($1_dbusd_t) ') -@@ -185,10 +189,12 @@ +@@ -185,10 +190,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -10612,7 +10666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -197,6 +203,10 @@ +@@ -197,6 +204,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) 
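Review bot: In the dbus.if template, the rewritten `corecmd_bin_domtrans($1_dbusd_t, $1_t)` targets a type derived from the prefix while the neighbouring rules (`allow $1_dbusd_t $3:process sigkill;`, `allow $3 $1_dbusd_t:fd use;`) still use the caller-supplied `$3`. If a caller passes a `$3` other than `$1_t`, the session bus would transition into one domain while holding signal and fd rules for another, and the new `type $1_t;` in the require block would presumably fail to resolve for any prefix that has no such type. Either `$3` should be used consistently, or the template's parameter documentation should state that `$3` must be `$1_t`. The existing `# cjp: this seems very broken` comment above the line should be updated to record what was decided. The template body continues outside the hunk.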
@@ -10623,7 +10677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -244,6 +254,35 @@ +@@ -244,6 +255,35 @@ ######################################## ## @@ -10659,7 +10713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read dbus configuration. ## ## -@@ -318,3 +357,77 @@ +@@ -318,3 +358,77 @@ allow $1 system_dbusd_t:dbus *; ') @@ -13223,7 +13277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.1/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.fc 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/networkmanager.fc 2008-12-05 09:14:39.000000000 -0500 @@ -1,8 +1,12 @@ +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + 
@@ -13237,13 +13291,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) -@@ -10,3 +14,6 @@ +@@ -10,3 +14,4 @@ /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+ -+/usr/libexec/nm-openconnect-service -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.1/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 +++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-11-25 09:45:43.000000000 -0500 @@ -15626,7 +15678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 16:37:06.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-08 10:25:12.000000000 -0500 @@ -0,0 +1,224 @@ +policy_module(polkit_auth, 1.0.0) + @@ -15747,7 +15799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ dbus_system_domain(polkit_auth_exec_t, polkit_auth_t) ++ dbus_system_domain( polkit_auth_t, polkit_auth_exec_t) + + dbus_session_bus_client(polkit_auth_t) + 
@@ -19811,7 +19863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-04 13:46:29.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-05 10:40:21.000000000 -0500 @@ -75,7 +75,7 @@ ubac_constrained(ssh_tmpfs_t) @@ -19821,6 +19873,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; files_type(home_ssh_t) userdom_user_home_content(home_ssh_t) +@@ -95,7 +95,7 @@ + allow ssh_t self:sem create_sem_perms; + allow ssh_t self:msgq create_msgq_perms; + allow ssh_t self:msg { send receive }; +-allow ssh_t self:tcp_socket create_socket_perms; ++allow ssh_t self:tcp_socket create_stream_socket_perms; + allow ssh_t self:netlink_route_socket r_netlink_socket_perms; + + # Read the ssh key file. @@ -115,6 +115,7 @@ manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) 
@@ -19829,7 +19890,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -318,6 +319,9 @@ +@@ -139,6 +140,8 @@ + corenet_tcp_sendrecv_all_ports(ssh_t) + corenet_tcp_connect_ssh_port(ssh_t) + corenet_sendrecv_ssh_client_packets(ssh_t) ++corenet_tcp_bind_all_nodes(ssh_t) ++corenet_tcp_bind_all_unreserved_ports(ssh_t) + + dev_read_urand(ssh_t) + +@@ -202,6 +205,7 @@ + # for port forwarding + tunable_policy(`user_tcp_server',` + corenet_tcp_bind_ssh_port(ssh_t) ++ corenet_tcp_bind_all_nodes(ssh_t) + ') + + optional_policy(` +@@ -318,6 +322,9 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -19839,7 +19917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -331,6 +335,14 @@ +@@ -331,6 +338,14 @@ ') optional_policy(` @@ -19854,7 +19932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -349,7 +361,11 @@ +@@ -349,7 +364,11 @@ ') optional_policy(` @@ -19867,7 +19945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -408,6 +424,8 @@ +@@ -408,6 +427,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) 
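Review bot: The two rules added after `corenet_sendrecv_ssh_client_packets(ssh_t)`, namely `corenet_tcp_bind_all_nodes(ssh_t)` and `corenet_tcp_bind_all_unreserved_ports(ssh_t)`, are unconditional, so ssh_t may bind any unreserved TCP port whether or not the `user_tcp_server` boolean is set. The block commented `# for port forwarding` already gates `corenet_tcp_bind_ssh_port(ssh_t)` on that tunable, and this commit adds `corenet_tcp_bind_all_nodes(ssh_t)` there as well, which is redundant once the unconditional copy exists. Moving both new lines into the tunable block and dropping the duplicate would keep client-side listening sockets behind the boolean; the earlier ssh.te hunk's switch to `create_stream_socket_perms` belongs to the same widening. If unconditional binding is intended, a comment naming the ssh feature that needs it would make that explicit.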
@@ -20461,8 +20539,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.1/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/xserver.fc 2008-11-25 09:45:43.000000000 -0500 -@@ -3,11 +3,13 @@ ++++ serefpolicy-3.6.1/policy/modules/services/xserver.fc 2008-12-08 10:44:04.000000000 -0500 +@@ -3,11 +3,14 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) @@ -20473,10 +20551,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) ++HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) # # /dev -@@ -32,11 +34,6 @@ +@@ -32,11 +35,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -20488,7 +20567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -61,6 +58,7 @@ +@@ -61,6 +59,7 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) 
@@ -20496,7 +20575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +87,26 @@ +@@ -89,16 +88,26 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -20900,7 +20979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## display. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-03 18:27:33.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-08 10:28:07.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -21034,7 +21113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -256,6 +275,9 @@ +@@ -256,13 +275,13 @@ allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) @@ -21044,7 +21123,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) -@@ -300,13 +322,14 @@ + +-allow xdm_t xauth_home_t:file manage_file_perms; +-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) +- + domain_use_interactive_fds(xauth_t) + + files_read_etc_files(xauth_t) +@@ -300,13 +319,14 @@ # XDM Local policy # 
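Review bot: Removing `userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)` here, together with the later switch to `userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)` (inner `@@ -314,6 +334,11 @@`), means every file xdm_t creates directly in a home directory now defaults to xdm_home_t. xserver.fc still labels `.Xauthority.*` as xauth_home_t and the context above grants xauth_t manage rights on xauth_home_t only, so a cookie file written by the display manager itself would presumably carry the wrong type until relabeled. The same inner hunk also drops `allow xdm_t xauth_home_t:file manage_file_perms;` and no replacement is visible in this part of the patch. A comment above the new transition such as `# .Xauthority is created via xauth_t; xdm_t itself only creates .dmrc and .xsession-errors here` would record the assumption, if that is the intent.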
@@ -21062,7 +21148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; -@@ -314,6 +337,11 @@ +@@ -314,6 +334,11 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -21070,11 +21156,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) -+userdom_user_tmp_filetrans(xdm_t, xdm_home_t, file) ++userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -329,6 +357,8 @@ +@@ -329,6 +354,8 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -21083,7 +21169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -336,15 +366,30 @@ +@@ -336,15 +363,30 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -21116,7 +21202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +403,7 @@ +@@ -358,6 +400,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; 
@@ -21124,7 +21210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) -@@ -389,11 +435,13 @@ +@@ -389,11 +432,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -21138,7 +21224,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +449,7 @@ +@@ -401,6 +446,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -21146,7 +21232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +462,17 @@ +@@ -413,14 +459,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -21166,7 +21252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +483,13 @@ +@@ -431,9 +480,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -21180,7 +21266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +498,7 @@ +@@ -442,6 +495,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -21188,7 +21274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +507,7 @@ +@@ -450,6 +504,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) 
@@ -21196,7 +21282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +518,10 @@ +@@ -460,10 +515,10 @@ logging_read_generic_logs(xdm_t) @@ -21209,7 +21295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -504,10 +562,12 @@ +@@ -504,10 +559,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -21222,7 +21308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +575,35 @@ +@@ -515,12 +572,35 @@ ') optional_policy(` @@ -21258,7 +21344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +625,18 @@ +@@ -542,6 +622,18 @@ ') optional_policy(` @@ -21277,7 +21363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +645,8 @@ +@@ -550,8 +642,8 @@ ') optional_policy(` @@ -21287,7 +21373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -571,6 +666,10 @@ +@@ -571,6 +663,10 @@ ') optional_policy(` @@ -21298,7 +21384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -635,6 +734,15 @@ +@@ -635,6 +731,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -21314,7 +21400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -682,6 +790,7 @@ +@@ -682,6 +787,7 @@ dev_rw_input_dev(xserver_t) dev_rwx_zero(xserver_t) 
@@ -21322,7 +21408,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low(xserver_t) files_read_etc_files(xserver_t) -@@ -697,6 +806,7 @@ +@@ -697,6 +803,7 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -21330,7 +21416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_xwin_read_to_clearance(xserver_t) -@@ -806,7 +916,7 @@ +@@ -806,7 +913,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -21339,7 +21425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -830,6 +940,10 @@ +@@ -830,6 +937,10 @@ xserver_use_user_fonts(xserver_t) @@ -21350,7 +21436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +958,14 @@ +@@ -844,11 +955,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -21366,7 +21452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +973,11 @@ +@@ -856,6 +970,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -21378,7 +21464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -972,6 +1094,21 @@ +@@ -972,6 +1091,21 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -21400,7 +21486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1123,13 @@ +@@ -986,3 +1120,13 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO @@ -23398,7 +23484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.1/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/mount.te 2008-11-27 06:40:08.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/mount.te 2008-12-08 11:14:40.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -23498,7 +23584,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(mount_t) -@@ -133,7 +146,7 @@ +@@ -116,6 +129,7 @@ + seutil_read_config(mount_t) + + userdom_use_all_users_fds(mount_t) ++userdom_manage_user_home_content_dirs(mount_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -133,7 +147,7 @@ tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) @@ -23507,7 +23601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mounton_non_security(mount_t) ') -@@ -164,6 +177,8 @@ +@@ -164,6 +178,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -23516,7 +23610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -171,6 +186,15 @@ +@@ -171,6 +187,15 @@ ') optional_policy(` 
@@ -23532,7 +23626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -178,6 +202,11 @@ +@@ -178,6 +203,11 @@ ') ') @@ -23544,7 +23638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,6 +214,7 @@ +@@ -185,6 +215,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -23552,7 +23646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,4 +225,26 @@ +@@ -195,4 +226,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -25461,7 +25555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 16:31:37.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-08 11:32:11.000000000 -0500 @@ -30,8 +30,9 @@ ') 
@@ -25642,18 +25736,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -232,7 +246,10 @@ +@@ -220,9 +234,10 @@ + interface(`userdom_manage_home_role',` + gen_require(` + type user_home_t, user_home_dir_t; ++ attribute user_home_type; + ') + +- role $1 types { user_home_t user_home_dir_t }; ++ role $1 types { user_home_type user_home_dir_t }; + + ############################## + # +@@ -232,17 +247,20 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory + allow $2 user_home_t:dir mounton; allow $2 user_home_t:file entrypoint; -+ -+ allow $2 user_home_t:dir_file_class_set { relabelto relabelfrom }; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -@@ -250,25 +267,23 @@ +- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) ++ ++ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; ++ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ manage_lnk_files_pattern($2, { user_home_dir_t 
user_home_type }, user_home_type) ++ manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + files_list_home($2) + +@@ -250,25 +268,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -25683,7 +25809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -303,6 +318,7 @@ +@@ -303,6 +319,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -25691,7 +25817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -368,46 +384,41 @@ +@@ -368,46 +385,41 @@ ####################################### ## @@ -25713,12 +25839,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_require(` - type $1_t; - ') -+interface(`userdom_basic_networking',` - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; ++interface(`userdom_basic_networking',` - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) 
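Review bot: Switching `userdom_manage_home_role` from `user_home_t` to the `user_home_type` attribute widens every caller at once: `userdom_user_home_content` (inner `@@ -1286,11 +1324,15 @@`, later in this file) adds each home-content type to the attribute, and ssh.te declares `userdom_user_home_content(home_ssh_t)`, so the role's domain gets manage and relabel rights on such types through this one interface. The added `allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };` also overlaps the five `relabel_*_pattern` lines below it and, as far as I know, `dir_file_class_set` includes chr_file and blk_file, which those patterns do not cover. I would drop the blanket allow and keep the patterns, and extend the interface's doc block with a sentence that the grant covers all types carrying `user_home_type`, not only generic home content. The interface's header comment and closing lines are outside this hunk.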
@@ -25730,7 +25854,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -- ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; + - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) @@ -25758,7 +25884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +431,39 @@ +@@ -420,34 +432,39 @@ ## is the prefix for user_t). ## ## @@ -25816,7 +25942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -497,11 +513,7 @@ +@@ -497,11 +514,7 @@ attribute unpriv_userdomain; ') @@ -25829,7 +25955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +524,192 @@ +@@ -512,189 +525,194 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -25847,26 +25973,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_all_nodes($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_all_nodes($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_all_nodes($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -25976,6 +26102,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - dbus_system_bus_client($1_t) + dbus_system_bus_client($1_usertype) ++ ++ allow $1_usertype $1_usertype:dbus send_msg; optional_policy(` - bluetooth_dbus_chat($1_t) @@ -26065,16 +26193,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + postgresql_stream_connect($1_usertype) ++ ') ') ++ ++ optional_policy(` ++ # to allow monitoring of pcmcia status ++ pcmcia_read_pid($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) -+ # to allow monitoring of pcmcia status -+ pcmcia_read_pid($1_usertype) -+ ') -+ -+ optional_policy(` + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') 
@@ -26104,25 +26232,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,15 +737,27 @@ +@@ -722,15 +740,27 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_change_password_template($1) ++ ++ userdom_manage_home_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_home_role($1_r, $1_usertype) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ gen_tunable(allow_$1_exec_content, true) - userdom_change_password_template($1) -+ gen_tunable(allow_$1_exec_content, true) -+ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -26138,7 +26266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -746,70 +773,72 @@ +@@ -746,70 +776,72 @@ allow $1_t self:context contains; @@ -26244,7 +26372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +875,27 @@ +@@ -846,6 +878,28 @@ # Local policy # @@ -26256,8 +26384,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` -+ dbus_role_template($1, $1_r, $1_t) -+ dbus_system_bus_client($1_t) ++ dbus_role_template($1, $1_r, $1_usertype) ++ dbus_system_bus_client($1_usertype) ++ allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat($1_usertype) 
@@ -26272,7 +26401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +926,7 @@ +@@ -876,7 +930,7 @@ userdom_restricted_user_template($1) @@ -26281,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +934,18 @@ +@@ -884,14 +938,18 @@ # auth_role($1_r, $1_t) @@ -26305,7 +26434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +953,24 @@ +@@ -899,28 +957,24 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -26340,7 +26469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -931,8 +981,7 @@ +@@ -931,8 +985,7 @@ ## ## ##

@@ -26350,7 +26479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +1003,8 @@ +@@ -954,8 +1007,8 @@ # Declarations # @@ -26360,7 +26489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1013,10 @@ +@@ -964,11 +1017,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -26373,7 +26502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,36 +1034,37 @@ +@@ -986,36 +1038,37 @@ ') ') @@ -26424,7 +26553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1050,7 +1099,7 @@ +@@ -1050,7 +1103,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -26433,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1108,7 @@ +@@ -1059,8 +1112,7 @@ # # Inherit rules for ordinary users. @@ -26443,7 +26572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1131,8 @@ +@@ -1083,7 +1135,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -26453,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1106,8 +1155,6 @@ +@@ -1106,8 +1159,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -26462,7 +26591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1209,6 @@ +@@ -1162,20 +1213,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -26483,7 +26612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1254,7 @@ +@@ -1221,6 +1258,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -26491,16 +26620,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1291,6 +1325,8 @@ +@@ -1286,11 +1324,15 @@ + interface(`userdom_user_home_content',` + gen_require(` + type user_home_t; ++ attribute user_home_type; + ') + allow $1 user_home_t:filesystem associate; files_type($1) ubac_constrained($1) + + files_poly_member($1) ++ typeattribute $1 user_home_type; ') ######################################## -@@ -1387,7 +1423,7 @@ +@@ -1387,7 +1429,7 @@ ######################################## ##

@@ -26509,7 +26645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1456,14 @@ +@@ -1420,6 +1462,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -26524,7 +26660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1479,11 @@ +@@ -1435,9 +1485,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -26536,7 +26672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1540,25 @@ +@@ -1494,6 +1546,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -26562,7 +26698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1612,9 @@ +@@ -1547,9 +1618,9 @@ type user_home_dir_t, user_home_t; ') @@ -26574,7 +26710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1633,8 @@ +@@ -1568,6 +1639,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -26583,7 +26719,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,6 +1808,62 @@ +@@ -1643,6 +1716,7 @@ + type user_home_dir_t, user_home_t; + ') + ++ list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) + read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) + ') +@@ -1741,6 +1815,62 @@ ######################################## ## 
@@ -26646,7 +26790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1880,6 @@ +@@ -1757,14 +1887,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -26661,7 +26805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1902,46 @@ +@@ -1787,6 +1909,46 @@ ######################################## ## @@ -26708,7 +26852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -2819,6 +2974,24 @@ +@@ -2819,6 +2981,24 @@ ######################################## ## @@ -26733,7 +26877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2965,6 +3138,24 @@ +@@ -2965,6 +3145,24 @@ ######################################## ## @@ -26758,7 +26902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3172,263 @@ +@@ -2981,3 +3179,263 @@ allow $1 userdomain:dbus send_msg; ') @@ -27024,7 +27168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.1/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-11-13 18:40:02.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.te 2008-12-08 10:35:36.000000000 -0500 @@ -8,13 +8,6 @@ ## 
@@ -27053,20 +27197,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow user to r/w files on filesystems ## that do not have extended attributes (FAT, CDROM, FLOPPY) ##

-@@ -58,6 +44,12 @@ - attribute untrusted_content_type; - attribute untrusted_content_tmp_type; +@@ -55,8 +41,14 @@ + # unprivileged user domains + attribute unpriv_userdomain; +-attribute untrusted_content_type; +-attribute untrusted_content_tmp_type; ++# unprivileged user domains ++attribute user_home_type; ++ +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) -+ + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) - files_type(user_home_dir_t) -@@ -95,3 +87,7 @@ +@@ -70,6 +62,7 @@ + + type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; + typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; ++typeattribute user_home_t user_home_type; + userdom_user_home_content(user_home_t) + fs_associate_tmpfs(user_home_t) + files_associate_tmp(user_home_t) +@@ -95,3 +88,7 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) 
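Review bot: The comment `# unprivileged user domains` above `attribute user_home_type;` is a copy of the one on `attribute unpriv_userdomain;` and describes the wrong thing; something like `# types for content in user home directories` fits how the attribute is used in userdomain.if. `typeattribute user_home_t user_home_type;` is then repeated by the `userdom_user_home_content(user_home_t)` call on the next line, since that interface now ends with `typeattribute $1 user_home_type;`, so one of the two can go. The hunk also deletes `attribute untrusted_content_type` and `attribute untrusted_content_tmp_type`; whether any remaining module still names them is not visible from here.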
@@ -27451,6 +27607,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.1/Rules.modular +--- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500 ++++ serefpolicy-3.6.1/Rules.modular 2008-11-25 09:45:43.000000000 -0500 +@@ -73,8 +73,8 @@ + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) +- $(call perrole-expansion,$(basename $(@F)),$@.role) +- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++# $(call perrole-expansion,$(basename $(@F)),$@.role) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + + $(tmpdir)/%.mod.fc: $(m4support) %.fc +@@ -129,7 +129,7 @@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + # define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ +- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) ++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + + $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +@@ -146,7 +146,7 @@ + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ +- $(call parse-rolemap,base,$@) ++# $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf 
$(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.1/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.1/support/Makefile.devel 2008-11-25 09:45:43.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 13c4855..eb9f115 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz
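Review bot: In the Rules.modular section (the hunk just before the selinux-policy.spec diff), the three per-role calls are disabled by prefixing them with `#` rather than deleted: `# $(call perrole-expansion,...)`, `# $(verbose) $(call create-base-per-role-tmpl,...)` and `# $(call parse-rolemap,base,$@)`. Removing those lines and leaving one explanatory comment, for example `# per-role template expansion is disabled; rolemap.conf is intentionally left empty`, would make it clear that the behaviour is deliberate. `$(tmpdir)/rolemap.conf` is now written only by `echo "" > $@` but still lists `$(rolemap)` as a prerequisite, so edits to the rolemap trigger a rebuild that no longer reads it. Since the module rule no longer feeds `$@.role` to m4, any module that still defines a `_per_role_template` would presumably never have it instantiated and would fail without a build error; a build-time check for leftover definitions would catch that, but it cannot be confirmed from this hunk.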