From 70d5ccf0982639de2d13b915c70cd35cdeab96dd Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 19 2009 22:10:11 +0000 Subject: - Add devicekit policy --- diff --git a/policy-20090105.patch b/policy-20090105.patch index b12e2f9..cfa36fe 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -11412,6 +11412,216 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_generic_if(dcc_client_t) corenet_udp_sendrecv_generic_node(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.3/policy/modules/services/devicekit.fc +--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.fc 2009-01-19 17:04:16.000000000 -0500 +@@ -0,0 +1,4 @@ ++ ++/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) ++/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) ++/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if +--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:09:09.000000000 -0500 +@@ -0,0 +1,139 @@ ++ ++## policy for devicekit ++ ++######################################## ++## ++## Execute a domain transition to run devicekit. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`devicekit_domtrans',` ++ gen_require(` ++ type devicekit_t; ++ type devicekit_exec_t; ++ ') ++ ++ domtrans_pattern($1,devicekit_exec_t,devicekit_t) ++') ++ ++ ++######################################## ++## ++## Read devicekit PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_read_pid_files',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 devicekit_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage devicekit var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_manage_var_run',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## devicekit over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_dbus_chat',` ++ gen_require(` ++ type devicekit_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 devicekit_t:dbus send_msg; ++ allow devicekit_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## devicekit power over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_power_dbus_chat',` ++ gen_require(` ++ type devicekit_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 devicekit_power_t:dbus send_msg; ++ allow devicekit_power_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an devicekit environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the devicekit domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`devicekit_admin',` ++ gen_require(` ++ type devicekit_t; ++ ') ++ ++ allow $1 devicekit_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, devicekit_t, devicekit_t) ++ ++ ++ devicekit_manage_var_run($1) ++ ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te +--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-19 17:06:44.000000000 -0500 +@@ -0,0 +1,55 @@ ++policy_module(devicekit,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type devicekit_t; ++type devicekit_exec_t; ++dbus_system_domain(devicekit_t, devicekit_exec_t) ++ ++permissive devicekit_t; ++ ++type devicekit_power_t; ++type devicekit_power_exec_t; ++dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) ++ ++permissive devicekit_power_t; ++ ++type devicekit_var_run_t; ++files_pid_file(devicekit_var_run_t) ++ ++# ++# DeviceKit local policy ++# ++ ++manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) ++manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) ++files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir }) ++ ++fs_list_inotifyfs(devicekit_t) ++ ++optional_policy(` ++ dbus_system_bus_client(devicekit_t) ++') ++ ++# ++# DeviceKit-Power local policy ++# ++ ++dev_rw_netcontrol(devicekit_power_t) ++files_read_etc_files(devicekit_power_t) ++fs_list_inotifyfs(devicekit_power_t) ++ ++optional_policy(` ++ polkit_read_reload(devicekit_power_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(devicekit_power_t) ++ allow devicekit_power_t devicekit_t:dbus send_msg; ++ allow devicekit_t devicekit_power_t:dbus send_msg; ++') ++ ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/services/dhcp.if 2009-01-19 13:10:02.000000000 -0500 @@ -21508,7 +21718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## display. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 14:47:14.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 17:08:51.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -21838,7 +22048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +572,35 @@ +@@ -515,12 +572,41 @@ ') optional_policy(` @@ -21852,14 +22062,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client(xdm_t) + + optional_policy(` ++ devicekit_power_dbus_chat(xdm_t) ++ ') ++ ++ optional_policy(` + hal_dbus_chat(xdm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') ++ +') + ++ +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) @@ -21874,7 +22090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +622,19 @@ +@@ -542,6 +628,19 @@ ') optional_policy(` @@ -21894,7 +22110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +643,8 @@ +@@ -550,8 +649,8 @@ ') optional_policy(` @@ -21904,7 +22120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -571,6 +664,10 @@ +@@ -571,6 +670,10 @@ ') optional_policy(` @@ -21915,7 +22131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -635,6 +732,15 @@ +@@ -635,6 +738,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -21931,7 +22147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -682,6 +788,7 @@ +@@ -682,6 +794,7 @@ dev_rw_input_dev(xserver_t) dev_rwx_zero(xserver_t) @@ -21939,7 +22155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low(xserver_t) files_read_etc_files(xserver_t) -@@ -697,6 +804,7 @@ +@@ -697,6 +810,7 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -21947,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_xwin_read_to_clearance(xserver_t) -@@ -806,7 +914,7 @@ +@@ -806,7 +920,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -21956,7 +22172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -830,6 +938,10 @@ +@@ -830,6 +944,10 @@ xserver_use_user_fonts(xserver_t) @@ -21967,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +956,14 @@ +@@ -844,11 +962,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -21983,7 +22199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +971,11 @@ +@@ -856,6 +977,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -21995,7 +22211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -972,6 +1092,37 @@ +@@ -972,6 +1098,37 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -22033,7 +22249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1137,13 @@ +@@ -986,3 +1143,13 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO @@ -26194,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:08:20.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -26594,7 +26810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +525,194 @@ +@@ -512,189 +525,198 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -26763,54 +26979,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - hal_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ devkit_power_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) - ') -+ hal_dbus_chat($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ networkmanager_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ vpnc_dbus_chat($1_usertype) -+ ') ++ networkmanager_dbus_chat($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ vpnc_dbus_chat($1_usertype) ++ ') ') - # for running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ locate_read_lib_files($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') -+ # for running depmod as part of the kernel packaging process optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) -- ') ++ locate_read_lib_files($1_usertype) + ') ++ ++ # for running depmod as part of the kernel packaging process ++ optional_policy(` + modutils_read_module_config($1_usertype) ') @@ -26832,16 +27051,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + postgresql_stream_connect($1_usertype) ++ ') ') ++ ++ optional_policy(` ++ # to allow monitoring of pcmcia status ++ pcmcia_read_pid($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) -+ # to allow monitoring of pcmcia status -+ pcmcia_read_pid($1_usertype) -+ ') -+ -+ optional_policy(` + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') @@ -26871,7 +27090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,15 +740,29 @@ +@@ -722,15 +744,29 @@ userdom_base_user_template($1) @@ -26907,7 +27126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -746,70 +778,72 @@ +@@ -746,70 +782,72 @@ allow $1_t self:context contains; @@ -27013,7 +27232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +880,28 @@ +@@ -846,6 +884,28 @@ # Local policy # @@ -27042,7 +27261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +932,7 @@ +@@ -876,7 +936,7 @@ userdom_restricted_user_template($1) @@ -27051,17 +27270,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +940,18 @@ +@@ -884,14 +944,18 @@ # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) -+ -+ xserver_role($1_r, $1_t) - dev_read_sound($1_t) - dev_write_sound($1_t) ++ xserver_role($1_r, $1_t) ++ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -27075,7 +27294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +959,24 @@ +@@ -899,28 +963,24 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -27110,7 +27329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -931,8 +987,7 @@ +@@ -931,8 +991,7 @@ ## ## ##

@@ -27120,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +1009,8 @@ +@@ -954,8 +1013,8 @@ # Declarations # @@ -27130,7 +27349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1019,10 @@ +@@ -964,11 +1023,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -27143,7 +27362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1040,47 @@ +@@ -986,37 +1044,47 @@ ') ') @@ -27194,17 +27413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + mount_run($1_t, $1_r) -+ ') + ') + + # Run pppd in pppd_t by default for user + optional_policy(` + ppp_run_cond($1_t, $1_r) - ') ++ ') + ') ####################################### -@@ -1050,7 +1114,7 @@ +@@ -1050,7 +1118,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -27213,7 +27432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1123,7 @@ +@@ -1059,8 +1127,7 @@ # # Inherit rules for ordinary users. @@ -27223,7 +27442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1146,8 @@ +@@ -1083,7 +1150,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -27233,7 +27452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1106,8 +1170,6 @@ +@@ -1106,8 +1174,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -27242,7 +27461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1224,6 @@ +@@ -1162,20 +1228,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27263,7 +27482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1269,7 @@ +@@ -1221,6 +1273,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -27271,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1335,15 @@ +@@ -1286,11 +1339,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -27287,7 +27506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1440,7 @@ +@@ -1387,7 +1444,7 @@ ######################################## ##

@@ -27296,7 +27515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1473,14 @@ +@@ -1420,6 +1477,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -27311,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1496,11 @@ +@@ -1435,9 +1500,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -27323,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1557,25 @@ +@@ -1494,6 +1561,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -27349,7 +27568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1629,9 @@ +@@ -1547,9 +1633,9 @@ type user_home_dir_t, user_home_t; ') @@ -27361,7 +27580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1650,8 @@ +@@ -1568,6 +1654,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -27370,7 +27589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1727,7 @@ +@@ -1643,6 +1731,7 @@ type user_home_dir_t, user_home_t; ') @@ -27378,7 +27597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1826,62 @@ +@@ -1741,6 +1830,62 @@ ######################################## ## @@ -27441,7 +27660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1898,6 @@ +@@ -1757,14 +1902,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -27456,7 +27675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1920,46 @@ +@@ -1787,6 +1924,46 @@ ######################################## ## @@ -27503,7 +27722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -2819,6 +2992,24 @@ +@@ -2819,6 +2996,24 @@ ######################################## ## @@ -27528,7 +27747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2851,6 +3042,7 @@ +@@ -2851,6 +3046,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -27536,7 +27755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3157,24 @@ +@@ -2965,6 +3161,24 @@ ######################################## ## @@ -27561,7 +27780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3191,264 @@ +@@ -2981,3 +3195,264 @@ allow $1 userdomain:dbus send_msg; ')