From 86881dd93f9143ba1ecb824dc497ef1ef478c7bd Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 29 2008 16:05:11 +0000 Subject: - Change unconfined_t to transition to unconfined_mono_t when running mono - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work --- diff --git a/policy-20071130.patch b/policy-20071130.patch index d2e9e4b..bca837b 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -793,7 +793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg +system_r:xdm_t xguest_r:xguest_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.3.1/man/man8/ftpd_selinux.8 --- nsaserefpolicy/man/man8/ftpd_selinux.8 2007-10-12 08:56:10.000000000 -0400 -+++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8 2008-04-28 08:39:05.840182000 -0400 ++++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8 2008-04-28 08:39:05.000000000 -0400 @@ -35,10 +35,6 @@ directorories, you need to set the ftp_home_dir boolean. .TP @@ -3239,7 +3239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-21 11:02:48.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-29 09:37:23.004992000 -0400 @@ -33,9 +33,60 @@ ## # 
@@ -4522,8 +4522,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +userdom_dontaudit_list_sysadm_home_dirs(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-04-21 11:02:48.000000000 -0400 -@@ -18,3 +18,101 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-04-29 11:57:14.653875000 -0400 +@@ -18,3 +18,102 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') @@ -4624,6 +4624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + domtrans_pattern($2, mono_exec_t, $1_mono_t) + + fs_dontaudit_rw_tmpfs_files($1_mono_t) ++ corecmd_bin_domtrans($1_mono_t, $1_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500 @@ -7480,7 +7481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-04-28 09:14:07.261479000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-04-28 09:14:07.000000000 -0400 @@ -1242,18 +1242,34 @@ ## ## 
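Review bot: `corecmd_bin_domtrans($1_mono_t, $1_t)` makes every bin_t execution from the mono domain transition back to the caller's own domain `$1_t`, so for a caller such as unconfined_t the mono domain constrains only the mono runtime itself and nothing it spawns; that appears to be the intent for gnome-do, but nothing in the hunk records it, and a reader of mono.if would otherwise assume `$1_mono_t` contains child processes. I would add above the new line `# launchers such as gnome-do exec ordinary bin_t binaries; run those in the caller's domain, not in $1_mono_t` and state in the template's XML summary that bin_t children leave the mono domain. Whether `$1_t` is a full user domain in every instantiation cannot be checked here; the template's header and gen_require block are outside this hunk.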
@@ -7917,7 +7918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-28 17:00:20.022613000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-28 17:00:20.000000000 -0400 @@ -310,6 +310,25 @@ ######################################## @@ -8616,7 +8617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-04-28 15:02:52.901366000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-04-28 15:02:52.000000000 -0400 @@ -13,6 +13,7 @@ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -8635,7 +8636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.3.1/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-04-28 16:19:58.789387000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-04-28 16:19:58.000000000 -0400 
@@ -81,6 +81,26 @@ ######################################## @@ -8665,7 +8666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ## SELinux protections for filesystem objects, and diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.3.1/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/terminal.if 2008-04-28 15:49:59.242976000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/terminal.if 2008-04-28 15:49:59.000000000 -0400 @@ -525,11 +525,13 @@ interface(`term_use_generic_ptys',` gen_require(` @@ -12506,7 +12507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-28 15:33:05.015286000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-28 15:33:05.000000000 -0400 @@ -43,14 +43,13 @@ type cupsd_var_run_t; @@ -13211,7 +13212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-21 12:08:05.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-29 10:45:04.731105000 -0400 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; 
@@ -13478,7 +13479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-28 17:24:06.516754000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-28 17:24:06.000000000 -0400 @@ -9,9 +9,10 @@ # # Delcarations @@ -15489,7 +15490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-28 10:32:02.385047000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-28 10:32:02.000000000 -0400 @@ -0,0 +1,55 @@ +policy_module(gnomeclock,1.0.0) +######################################## @@ -17421,7 +17422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-04-28 14:00:53.714473000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-04-28 14:00:53.000000000 -0400 @@ -32,9 +32,11 @@ interface(`mysql_stream_connect',` gen_require(` 
@@ -17786,7 +17787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-04-28 17:01:05.578193000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-04-28 17:01:05.000000000 -0400 @@ -1,7 +1,11 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -17801,7 +17802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-04-28 17:23:33.835317000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-04-28 17:23:33.000000000 -0400 @@ -97,3 +97,40 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; 
@@ -17845,7 +17846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-28 17:20:44.106667000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-28 17:20:44.000000000 -0400 @@ -13,6 +13,13 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -18872,7 +18873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.3.1/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.fc 2008-04-28 15:14:56.271771000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/polkit.fc 2008-04-28 15:14:56.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) @@ -18885,7 +18886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-28 15:56:30.712486000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-28 15:56:30.000000000 -0400 @@ -0,0 +1,208 @@ + +## policy for polkit_auth 
@@ -19097,7 +19098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-04-28 16:10:18.292199000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-04-28 16:10:18.000000000 -0400 @@ -0,0 +1,190 @@ +policy_module(polkit_auth,1.0.0) + @@ -21410,7 +21411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-28 16:23:06.250792000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-28 16:23:06.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write,false) @@ -22999,7 +23000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te 2008-04-28 15:21:41.039805000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te 2008-04-28 15:21:41.000000000 -0400 @@ -22,13 +22,16 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) 
@@ -25255,7 +25256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-25 13:53:23.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-29 09:37:38.934561000 -0400 @@ -12,9 +12,15 @@ ## ## @@ -26631,7 +26632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-23 10:06:49.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-29 11:09:45.700467000 -0400 @@ -8,6 +8,14 @@ ## @@ -26820,7 +26821,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -131,15 +239,22 @@ +@@ -124,6 +232,8 @@ + manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) + manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) + files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) ++relabelfrom_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) ++relabelfrom_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) + + manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) + manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) +@@ -131,15 +241,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
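Review bot: The new `relabelfrom_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)` and `relabelfrom_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)` grant relabelfrom on xdm_tmp_t without a matching relabelto anywhere in this hunk, so they only have effect together with a relabelto granted elsewhere, and the type xdm_t may relabel its tmp content to is the part that actually needs review. Please name that target in a comment, e.g. `# xdm relabels its tmp content to <TARGET_TYPE>; relabelto is granted via <INTERFACE>`, or drop the pair if no relabelto exists, since relabelfrom alone is dead policy. The xdm_t tmp rules begin before the inner hunk, so only the filetrans context is visible to me.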
@@ -26845,7 +26855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -153,6 +268,7 @@ +@@ -153,6 +270,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -26853,7 +26863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -173,6 +289,8 @@ +@@ -173,6 +291,8 @@ corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -26862,7 +26872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -184,6 +302,7 @@ +@@ -184,6 +304,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -26870,7 +26880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -196,6 +315,7 @@ +@@ -196,6 +317,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -26878,7 +26888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,14 +328,15 @@ +@@ -208,14 +330,15 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -26896,7 +26906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -226,9 +347,13 @@ +@@ -226,9 +349,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -26910,7 +26920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -237,6 +362,7 @@ +@@ -237,6 +364,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -26918,7 +26928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -245,6 +371,7 @@ +@@ -245,6 +373,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -26926,7 +26936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,22 +383,29 @@ +@@ -256,22 +385,29 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -26959,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -297,14 +431,20 @@ +@@ -297,14 +433,20 @@ # xserver_rw_session_template(xdm,unpriv_userdomain) # dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; # allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; @@ -26981,7 +26991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +452,23 @@ +@@ -312,6 +454,23 @@ ') optional_policy(` @@ -27005,7 +27015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +479,10 @@ +@@ -322,6 +481,10 @@ ') optional_policy(` @@ -27016,7 +27026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +496,11 @@ +@@ -335,6 +498,11 @@ ') optional_policy(` 
@@ -27028,7 +27038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +509,8 @@ +@@ -343,8 +511,8 @@ ') optional_policy(` @@ -27038,7 +27048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +546,7 @@ +@@ -380,7 +548,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -27047,7 +27057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +558,15 @@ +@@ -392,6 +560,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -27063,7 +27073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +579,18 @@ +@@ -404,9 +581,18 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -27082,7 +27092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +604,22 @@ +@@ -420,6 +606,22 @@ ') optional_policy(` @@ -27105,7 +27115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +629,138 @@ +@@ -429,47 +631,138 @@ ') optional_policy(` 
@@ -27506,7 +27516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-28 09:15:47.070186000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-29 10:58:08.742336000 -0400 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -27553,7 +27563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers -@@ -226,8 +243,38 @@ +@@ -226,8 +243,40 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -27589,10 +27599,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_polyinstantiate_all($1) + userdom_manage_user_home_content_dirs(user, $1) + userdom_manage_user_home_content_files(user, $1) ++ userdom_relabel_all_home_dirs($1) ++ userdom_relabel_all_home_files($1) ') ') -@@ -342,6 +389,8 @@ +@@ -342,6 +391,8 @@ optional_policy(` kerberos_use($1) @@ -27601,7 +27613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -356,6 +405,28 @@ +@@ -356,6 +407,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -27630,7 +27642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -369,12 +440,12 @@ +@@ -369,12 +442,12 @@ ## ## ## 
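Review bot: `userdom_relabel_all_home_dirs($1)` and `userdom_relabel_all_home_files($1)` give every domain instantiated through this template relabelfrom/relabelto over all users' home content types, a much wider grant than the `userdom_manage_user_home_content_*(user, $1)` lines directly above it, which are limited to the `user` prefix; the hunk does not record why the relabel has to span all home types. If this is for polyinstantiated home directories (the block sits beside `files_polyinstantiate_all($1)`), a comment such as `# polyinstantiation relabels home content on login; needs relabel across all home content types` would stop the next reader from narrowing it, and if a user-prefixed relabel interface is sufficient that is the smaller grant. The enclosing tunable/optional block opens outside this hunk, so I cannot confirm which condition gates these lines.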
@@ -27645,7 +27657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## ## # -@@ -386,6 +457,7 @@ +@@ -386,6 +459,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; @@ -27653,7 +27665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1457,6 +1529,7 @@ +@@ -1457,6 +1531,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -27661,7 +27673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1564,59 @@ +@@ -1491,3 +1566,59 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -27915,7 +27927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f - diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-04-28 09:15:35.654776000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-04-28 09:15:35.000000000 -0400 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') @@ -28593,7 +28605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-28 10:29:25.956857000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-28 10:29:25.000000000 -0400 @@ -29,7 +29,7 @@ # 
@@ -28838,7 +28850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-21 11:02:50.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-29 08:53:40.798973000 -0400 @@ -213,12 +213,7 @@ ## # @@ -29304,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-23 10:09:00.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-29 08:38:10.482745000 -0400 @@ -22,7 +22,7 @@ role system_r types lvm_t; @@ -29615,7 +29627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-21 11:02:50.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-29 08:36:55.595920000 -0400 @@ -22,6 +22,8 @@ type insmod_exec_t; application_domain(insmod_t,insmod_exec_t) 
@@ -30246,7 +30258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-28 16:14:23.857051000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-28 16:14:23.000000000 -0400 @@ -0,0 +1,49 @@ +policy_module(qemu,1.0.0) + @@ -30299,7 +30311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-21 11:02:50.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-29 08:35:21.523317000 -0400 @@ -19,7 +19,7 @@ # Local policy # @@ -30623,7 +30635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-28 10:24:53.045591000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-28 10:24:53.000000000 -0400 @@ -75,7 +75,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) 
@@ -31165,7 +31177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet xen_append_log(ifconfig_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.3.1/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2007-01-02 12:57:49.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-28 10:54:03.940707000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-29 08:34:43.098742000 -0400 @@ -96,6 +96,24 @@ ######################################## @@ -31191,7 +31203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ## Allow process to read list of devices. ## ## -@@ -106,11 +124,11 @@ +@@ -106,11 +124,13 @@ # interface(`udev_read_db',` gen_require(` @@ -31201,11 +31213,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i dev_list_all_dev_nodes($1) - allow $1 udev_tdb_t:file read_file_perms; ++ allow $1 udev_tbl_t:dir list_dir_perms; + read_files_pattern($1, udev_tbl_t, udev_tbl_t) ++ read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) ') ######################################## -@@ -125,9 +143,9 @@ +@@ -125,9 +145,9 @@ # interface(`udev_rw_db',` gen_require(` @@ -31646,7 +31660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-25 14:52:17.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-29 12:04:03.912060000 -0400 @@ -6,35 +6,74 @@ # Declarations # 
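Review bot: The new `allow $1 udev_tbl_t:dir list_dir_perms;` is a raw allow rule while the neighbouring lines of udev_read_db use the pattern macros; `list_dirs_pattern($1, udev_tbl_t, udev_tbl_t)` expresses the same grant in the file's own idiom and keeps the interface readable as one set of patterns. The XML summary above still says `Allow process to read list of devices.`; now that the db directory is listed and its symlinks are followed via `read_lnk_files_pattern`, a sentence noting that would keep the doc accurate. udev_rw_db in the next inner hunk presumably deals with the same directory layout, but its body is outside what I can see, so I have not checked whether it needs the matching dir permission.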
@@ -31819,26 +31833,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,82 +188,97 @@ +@@ -134,14 +188,6 @@ ') optional_policy(` - mono_domtrans(unconfined_t) -+ oddjob_domtrans_mkhomedir(unconfined_t) - ') - - optional_policy(` +-') +- +-optional_policy(` - mta_per_role_template(unconfined, unconfined_t, unconfined_r) -+ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +-') +- +-optional_policy(` + oddjob_domtrans_mkhomedir(unconfined_t) ') - optional_policy(` -- oddjob_domtrans_mkhomedir(unconfined_t) -+ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +@@ -154,38 +200,46 @@ ') optional_policy(` -- prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +- # cjp: this should probably be removed: +- postfix_domtrans_master(unconfined_t) +-') +- +- +-optional_policy(` +- pyzor_per_role_template(unconfined) + tunable_policy(`allow_unconfined_qemu_transition', ` + qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ', ` @@ -31849,7 +31870,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -- portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +- # cjp: this should probably be removed: +- rpc_domtrans_nfsd(unconfined_t) + rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) 
@@ -31857,9 +31879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -- # cjp: this should probably be removed: -- postfix_domtrans_master(unconfined_t) +- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + cron_per_role_template(unconfined, unconfined_t, unconfined_r) + # this is disallowed usage: + unconfined_domain(unconfined_crond_t) 
@@ -31868,81 +31888,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + rpm_transition_script(unconfined_crond_t) ') -- optional_policy(` -- pyzor_per_role_template(unconfined) -+ samba_per_role_template(unconfined) + samba_per_role_template(unconfined) +- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- # cjp: this should probably be removed: -- rpc_domtrans_nfsd(unconfined_t) +- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) + sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) ') optional_policy(` -- samba_per_role_template(unconfined) -- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) -+ vpn_run(unconfined_t, unconfined_r, { 
unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -- sysnet_dbus_chat_dhcpc(unconfined_t) -+ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +@@ -193,23 +247,33 @@ ') optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) -+ unconfined_domain(unconfined_mozilla_t) -+ allow unconfined_mozilla_t self:process { execstack execmem }; ++ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - wine_domtrans(unconfined_t) -+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ++ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) ++ mono_per_role_template(unconfined, unconfined_t, unconfined_r) ++ unconfined_domain(unconfined_mono_t) ++') ++ ++optional_policy(` ++ kismet_run(unconfined_t, unconfined_r, { 
unconfined_tty_device_t unconfined_devpts_t }) ++') ++ ++optional_policy(` + xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + xserver_xdm_rw_shm(unconfined_t) ') ######################################## -@@ -219,14 +288,35 @@ +@@ -219,14 +283,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -31998,7 +32003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-28 15:32:37.832254000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-29 10:58:27.618425000 -0400 @@ -29,9 +29,14 @@ ') @@ -34596,7 +34601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6135,370 @@ +@@ -5704,3 +6135,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
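Review bot: The new `mono_per_role_template(unconfined, unconfined_t, unconfined_r)` / `unconfined_domain(unconfined_mono_t)` pair takes the place of the `mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)`, `unconfined_domain(unconfined_mozilla_t)` and `allow unconfined_mozilla_t self:process { execstack execmem };` lines that the previous revision of this patch added, yet the changelog entry in selinux-policy.spec describes only the mono transition; if the mozilla transition was moved elsewhere in the patch the description should say so, otherwise unconfined_t quietly stops transitioning to unconfined_mozilla_t. Because unconfined_domain() gives unconfined_mono_t the full unconfined ruleset, the new transition separates mono processes by label only, which deserves a comment at the template call such as `# unconfined_mono_t is fully unconfined; the separate domain only gives mono processes their own label`. Minor: `kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })` lists the terminal types in the opposite order from every other `_run` call in this hunk; `{ unconfined_devpts_t unconfined_tty_device_t }` keeps them uniform.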
@@ -34967,6 +34972,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 +
 +
++########################################
++##
++## Relabel to all user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabel_all_home_dirs',`
++ gen_require(`
++ type user_home_type;
++ ')
++
++ files_search_home($1)
++ relabel_dirs_pattern($1, user_home_type, user_home_type)
++')
++
++########################################
++##
++## Relabel to all user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabel_all_home_files',`
++ gen_require(`
++ type user_home_type;
++ ')
++
++ files_search_home($1)
++ relabel_files_pattern($1, user_home_type, user_home_type)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-21 11:02:50.000000000 -0400
@@ -35294,7 +35337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
 +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.3.1/policy/modules/system/virt.if
 --- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-04-28 16:10:44.344207000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-04-28 16:10:44.000000000 -0400
 @@ -0,0 +1,324 @@
 +
 +## policy for virt
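Review bot: The summaries of the two new interfaces, `## Relabel to all user home directories.` and `## Relabel to all user home files.`, understate what they grant: `relabel_dirs_pattern($1, user_home_type, user_home_type)` and `relabel_files_pattern($1, user_home_type, user_home_type)` give the caller relabelfrom as well as relabelto on every type in user_home_type, so a caller can move any existing home directory or file between home types, not merely label new content. Reword them to `## Relabel all user home directories to and from any user home type.` and `## Relabel all user home files to and from any user home type.`, and add a sentence in the description that the caller must be a trusted relabeling domain. Both gen_require blocks declare `type user_home_type;`; if user_home_type is the attribute declared in userdomain.te rather than a type, the keyword should follow whatever the existing userdomain.if interfaces that reference it use, or the require may not resolve when the interface is called from another module. Neither interface covers lnk_file objects under the home types, which may be intentional but is worth a sentence in the description.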
@@ -35622,7 +35665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-28 16:24:22.547363000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-28 16:24:22.000000000 -0400
 @@ -0,0 +1,197 @@
 +
 +policy_module(virt,1.0.0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 24b7dfe..5952351 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 43%{?dist}
+Release: 44%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,10 @@ exit 0
 %endif
 
 %changelog
+* Mon Apr 28 2008 Dan Walsh 3.3.1-44
+- Change unconfined_t to transition to unconfined_mono_t when running mono
+- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work
+
 * Mon Apr 28 2008 Dan Walsh 3.3.1-43
 - Remove old booleans from targeted-booleans.conf file