From 94b7be909e89f85111fc8d9d2d42330212dcfe2d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 18 2008 21:10:02 +0000 Subject: --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 2a31a44..0118935 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -14850,6 +14850,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.3.1/policy/modules/services/inetd.if +--- nsaserefpolicy/policy/modules/services/inetd.if 2007-03-26 10:39:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/inetd.if 2008-03-18 14:31:20.000000000 -0400 +@@ -115,6 +115,10 @@ + + allow $1 inetd_t:tcp_socket rw_stream_socket_perms; + allow $1 inetd_t:udp_socket rw_socket_perms; ++ ++ optional_policy(` ++ stunnel_service_domain($1,$2) ++ ') + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.3.1/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/inetd.te 2008-03-10 16:49:55.000000000 -0400 
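Review bot: The `optional_policy(` stunnel_service_domain($1,$2) `)` block added inside inetd_service_domain makes every domain registered as an inetd service reachable by domain transition from stunnel_t, including services that are never fronted by stunnel, which is a wider grant than a per-service call to the new interface would be. If only particular services are tunnelled, have those .te files call `stunnel_service_domain(foo_t, foo_exec_t)` themselves instead of wiring it into the generic inetd template. If the coupling is intended because stunnel is itself spawned from inetd and then execs the service, say so above the block, e.g. `# inetd services may also be spawned by stunnel running in inetd mode`. The enclosing interface starts outside the hunk.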
@@ -19191,8 +19205,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-02-26 08:29:22.000000000 -0500 -@@ -4,3 +4,6 @@ ++++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-03-18 08:36:03.000000000 -0400 +@@ -1,6 +1,10 @@ + + /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) ++/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) + /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) /var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0) @@ -20405,6 +20423,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.3.1/policy/modules/services/rsync.if +--- nsaserefpolicy/policy/modules/services/rsync.if 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/rsync.if 2008-03-18 14:28:53.000000000 -0400 +@@ -103,3 +103,5 @@ + + can_exec($1,rsync_exec_t) + ') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.3.1/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rsync.te 2008-02-26 08:29:22.000000000 -0500 
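Review bot: Labeling `/etc/privoxy/default\.action` as privoxy_etc_rw_t (the added line in the privoxy.fc hunk) makes the package-shipped filter rules writable by the privoxy domain, so a compromised or misbehaving proxy can relax its own blocking rules; user.action is the file privoxy's built-in editor is meant to modify, default.action is normally package-owned. If this was prompted by a write denial rather than a functional need, a dontaudit on that one file is the tighter fix. If privoxy on this build really rewrites default.action, a comment such as `# rewritten by privoxy's built-in action editor` would keep the rw label from being reverted later.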
@@ -21408,7 +21435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.3.1/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-02-26 09:14:48.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-03-18 14:40:00.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -21461,7 +21488,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send auth_use_nsswitch(sendmail_t) -@@ -97,20 +106,35 @@ +@@ -91,26 +100,42 @@ + libs_read_lib_files(sendmail_t) + + logging_send_syslog_msg(sendmail_t) ++logging_dontaudit_write_generic_logs(sendmail_t) + + miscfiles_read_certs(sendmail_t) + miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) userdom_dontaudit_search_sysadm_home_dirs(sendmail_t) @@ -21498,7 +21532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) -@@ -118,6 +142,7 @@ +@@ -118,6 +143,7 @@ optional_policy(` procmail_domtrans(sendmail_t) @@ -21506,7 +21540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -125,24 +150,25 @@ +@@ -125,24 +151,25 @@ ') optional_policy(` 
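Review bot: The added `logging_dontaudit_write_generic_logs(sendmail_t)` silences writes to any var_log_t file instead of fixing the label of whatever sendmail was writing, and the denial it hides is not visible in this hunk. If sendmail legitimately appends to a file under /var/log, that file should get its own type and file-context entry so the write is allowed for sendmail and still audited for other domains; if the write is spurious, a comment naming the path, e.g. `# sendmail tries to write /var/log/<file>; not needed, silenced`, should sit next to the dontaudit. Without that, a later reader cannot tell whether mail delivery is quietly losing log output. The rest of sendmail_t's rules continue outside the hunk.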
@@ -23452,6 +23486,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. unconfined_shell_domtrans(sshd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.3.1/policy/modules/services/stunnel.if +--- nsaserefpolicy/policy/modules/services/stunnel.if 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/stunnel.if 2008-03-18 14:31:14.000000000 -0400 +@@ -1 +1,24 @@ + ## SSL Tunneling Proxy ++ ++######################################## ++## ++## Define the specified domain as a stunnel inetd service. ++## ++## ++## ++## The type associated with the stunnel inetd service process. ++## ++## ++## ++## ++## The type associated with the process program. ++## ++## ++# ++interface(`stunnel_service_domain',` ++ gen_require(` ++ type stunnel_t; ++ ') ++ ++ domtrans_pattern(stunnel_t,$2,$1) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/telnet.te 2008-02-26 08:29:22.000000000 -0500 @@ -25198,7 +25260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-11 19:35:25.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-18 15:08:05.000000000 -0400 @@ -8,6 +8,14 @@ ## 
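Review bot: `domtrans_pattern(stunnel_t,$2,$1)` in the new stunnel_service_domain interface grants the transition, fd use and fifo access between the two domains, but nothing here lets the spawned service read or write the socket stunnel connects to its stdin/stdout, which inetd_service_domain grants explicitly for inetd_t (`allow $1 inetd_t:tcp_socket rw_stream_socket_perms;`). Unless those rules exist elsewhere, services entered through this interface will be denied on their first read of the connection. Mirror the inetd interface with the socket class stunnel's exec mode actually uses (presumably a unix_stream_socket pair; confirm against stunnel's source) and note it in a comment, e.g. `# stunnel hands the child a socketpair on stdin/stdout`. The interface body is complete within the hunk.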
@@ -25353,19 +25415,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` prelink_object_file(xkb_var_lib_t) ') -@@ -95,8 +196,9 @@ +@@ -95,8 +196,11 @@ # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; ++dontaudit xdm_t self:capability sys_admin; ++ +allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms }; + allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -109,6 +211,8 @@ +@@ -109,6 +213,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -25374,7 +25438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -131,15 +235,22 @@ +@@ -131,15 +237,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -25398,7 +25462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -153,6 +264,7 @@ +@@ -153,6 +266,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; 
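Review bot: The new `sys_ptrace` in xdm_t's self:capability set is broader than the accompanying `ptrace` on self:process suggests: the capability is what the kernel checks for reading other processes' /proc state and for attaching to any process, so it is not confined to xdm tracing its own domain. If the trigger was a denial from reading /proc/<pid> of session processes (not visible here), `dontaudit xdm_t self:capability sys_ptrace;` beside the sys_admin dontaudit added in the same hunk is the least-privilege fix. If the display manager genuinely needs it, add a comment naming the caller, e.g. `# gdm reads /proc/<pid> state of session processes`. xdm_t's local policy continues outside the hunk.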
@@ -25406,7 +25470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -173,6 +285,8 @@ +@@ -173,6 +287,8 @@ corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -25415,7 +25479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -184,6 +298,7 @@ +@@ -184,6 +300,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -25423,7 +25487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -196,6 +311,7 @@ +@@ -196,6 +313,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -25431,7 +25495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,8 +324,8 @@ +@@ -208,8 +326,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -25442,7 +25506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -226,6 +342,7 @@ +@@ -226,6 +344,7 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -25450,7 +25514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) -@@ -237,6 +354,7 @@ +@@ -237,6 +356,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -25458,7 +25522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -245,6 +363,7 @@ +@@ -245,6 +365,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -25466,7 +25530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +375,11 @@ +@@ -256,12 +377,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -25480,7 +25544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,8 +388,13 @@ +@@ -270,8 +390,13 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25494,7 +25558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -304,7 +427,11 @@ +@@ -304,7 +429,11 @@ ') optional_policy(` @@ -25507,7 +25571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +439,23 @@ +@@ -312,6 +441,23 @@ ') optional_policy(` @@ -25531,7 +25595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +466,10 @@ +@@ -322,6 +468,10 @@ ') optional_policy(` @@ -25542,7 +25606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +483,11 @@ +@@ -335,6 +485,11 @@ ') optional_policy(` 
@@ -25554,7 +25618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +496,8 @@ +@@ -343,8 +498,8 @@ ') optional_policy(` @@ -25564,7 +25628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +533,7 @@ +@@ -380,7 +535,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -25573,7 +25637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +545,15 @@ +@@ -392,6 +547,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -25589,7 +25653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +566,17 @@ +@@ -404,9 +568,17 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -25607,7 +25671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +590,22 @@ +@@ -420,6 +592,22 @@ ') optional_policy(` @@ -25630,7 +25694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +615,139 @@ +@@ -429,47 +617,139 @@ ') optional_policy(` 
@@ -25654,6 +25718,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # xserver signals unconfined user on startx + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) ++') ++ ++ ++tunable_policy(`allow_xserver_execmem', ` ++ allow xdm_xserver_t self:process { execheap execmem execstack }; ') -ifdef(`TODO',` @@ -25677,25 +25746,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -+ -+tunable_policy(`allow_xserver_execmem', ` -+ allow xdm_xserver_t self:process { execheap execmem execstack }; -+') -+ +ifndef(`distro_redhat',` + allow xdm_xserver_t self:process { execheap execmem }; -+') -+ -+ifdef(`distro_rhel4',` -+ allow xdm_xserver_t self:process { execheap execmem }; ') ++ifdef(`distro_rhel4',` ++ allow xdm_xserver_t self:process { execheap execmem }; ++') ++ +############################## # -# Wants to delete .xsession-errors file +# xauth_t Local policy - # --allow xdm_t user_home_type:file unlink; ++# +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t) + +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file) @@ -25742,11 +25805,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +############################## # --# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +-allow xdm_t user_home_type:file unlink; +# iceauth_t Local policy - # --allow pam_t xdm_t:fifo_file { getattr ioctl write }; --') dnl end TODO ++# + +allow iceauth_t user_iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file) 
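Review bot: The relocated `tunable_policy(`allow_xserver_execmem', ...)` grants `execheap execmem execstack` to xdm_xserver_t, which removes W^X protection from the X server and is exactly what an exploit of a driver module needs; the `gen_tunable` declaration and its default are outside this hunk, so it is worth confirming the boolean defaults to false and that the unconditional ifndef(distro_redhat)/ifdef(distro_rhel4) grants immediately below do not make the tunable meaningless on those builds. Add a comment above the block stating the intent, e.g. `# Some binary video drivers need executable heap/stack; off by default`. The surrounding xserver module continues outside the hunk.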
@@ -25770,9 +25831,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file) + +######################################## -+# + # +-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +# Rules for unconfined access to this module -+# + # +-allow pam_t xdm_t:fifo_file { getattr ioctl write }; +-') dnl end TODO + +allow xserver_unconfined_type x_server_domain:x_server *; +allow xserver_unconfined_type { x_domain x_rootwindow_t self }:x_drawable *; @@ -27184,7 +27248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-03-18 14:40:44.000000000 -0400 @@ -4,6 +4,7 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) 
@@ -27202,16 +27266,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) -@@ -57,3 +58,6 @@ +@@ -57,3 +58,8 @@ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0) +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) ++ ++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-03-18 14:41:32.000000000 -0400 @@ -213,12 +213,7 @@ ## # @@ -27235,7 +27301,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -705,6 +702,7 @@ +@@ -641,6 +638,25 @@ + + ######################################## + ## ++## Dontaudit Write generic log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_dontaudit_write_generic_logs',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ files_search_var($1) ++ dontaudit $1 var_log_t:file write; ++') ++ ++######################################## ++## + ## Read and write generic log files. + ## + ## +@@ -705,6 +721,7 @@ interface(`logging_admin_audit',` gen_require(` type auditd_t, auditd_etc_t, auditd_log_t; 
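Review bot: `/var/cfengine/outputs(/.*)?` is given the generic var_log_t type in logging.fc rather than a dedicated one, so every domain that has logging_write_generic_logs or logging_manage_all_logs can now write cfengine's output directory, and a cfengine domain, should one be added, cannot be told apart from ordinary log writers. A per-application type, or at least a comment explaining the choice, e.g. `# cfengine has no policy module yet; its outputs are treated as generic logs`, would make this reviewable. The rest of logging.fc is outside the hunk.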
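Review bot: The new logging_dontaudit_write_generic_logs interface contains an allow rule, `files_search_var($1)`, next to its dontaudit; by refpolicy convention a dontaudit_* interface grants nothing, so a caller that only wanted denials silenced unexpectedly gains search on /var. Drop that line, since a domain that really writes under /var/log already has search there and a domain that does not needs nothing. The summary `## Dontaudit Write generic log files.` should also read `Do not audit attempts to write generic log files` to match the neighbouring interface summaries.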
@@ -27243,7 +27335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin type auditd_var_run_t; ') -@@ -719,6 +717,15 @@ +@@ -719,6 +736,15 @@ manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) @@ -27259,7 +27351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -749,6 +756,7 @@ +@@ -749,6 +775,7 @@ type syslogd_tmp_t, syslogd_var_lib_t; type syslogd_var_run_t, klogd_var_run_t; type klogd_tmp_t, var_log_t; @@ -27267,7 +27359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') allow $1 syslogd_t:process { ptrace signal_perms }; -@@ -776,6 +784,13 @@ +@@ -776,6 +803,13 @@ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -27281,7 +27373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -804,3 +819,127 @@ +@@ -804,3 +838,127 @@ logging_admin_audit($1, $2, $3) logging_admin_syslog($1, $2, $3) ') @@ -29745,7 +29837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-13 20:23:44.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-18 09:14:04.000000000 -0400 @@ -6,35 +6,67 @@ # Declarations # 
@@ -30025,7 +30117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +278,34 @@ +@@ -219,14 +278,41 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -30033,7 +30125,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` - dbus_stub(unconfined_execmem_t) -- ++ gen_require(` ++ type unconfined_dbusd_t; ++ ') ++ unconfined_domain(unconfined_dbusd_t) ++') + ++optional_policy(` init_dbus_chat_script(unconfined_execmem_t) + dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) @@ -30080,7 +30178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-14 14:50:39.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-18 14:56:01.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -30097,7 +30195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -45,66 +50,74 @@ +@@ -45,66 +50,76 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) 
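Review bot: The new optional_policy block that calls `unconfined_domain(unconfined_dbusd_t)` is placed in the middle of the unconfined_execmem_t section, between that domain's own rules, and uses unconfined_domain while the surrounding execmem domain uses unconfined_domain_noaudit; neither the placement nor the choice is explained. The type is only required here (`gen_require(` type unconfined_dbusd_t; `)`) and is presumably declared by the dbus module's per-role template, so move the block to where the other unconfined_dbusd_t rules live or give it its own header, e.g. `# unconfined_dbusd local policy`, so it is not mistaken for execmem policy. The rest of the unconfined module is outside this hunk.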
@@ -30112,23 +30210,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $1_t self:msg { send receive }; - allow $1_t self:context contains; - dontaudit $1_t self:socket create; -- -- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; -- term_create_pty($1_t,$1_devpts_t) -- -- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; -- -- kernel_read_kernel_sysctls($1_t) -- kernel_dontaudit_list_unlabeled($1_t) -- kernel_dontaudit_getattr_unlabeled_files($1_t) -- kernel_dontaudit_getattr_unlabeled_symlinks($1_t) -- kernel_dontaudit_getattr_unlabeled_pipes($1_t) -- kernel_dontaudit_getattr_unlabeled_sockets($1_t) -- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) -- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) -- -- dev_dontaudit_getattr_all_blk_files($1_t) -- dev_dontaudit_getattr_all_chr_files($1_t) + allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; 
@@ -30145,14 +30226,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; + term_create_pty($1_usertype,$1_devpts_t) -+ + +- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; +- term_create_pty($1_t,$1_devpts_t) + allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; -+ + +- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; + application_exec_all($1_usertype) + +- kernel_read_kernel_sysctls($1_t) +- kernel_dontaudit_list_unlabeled($1_t) +- kernel_dontaudit_getattr_unlabeled_files($1_t) +- kernel_dontaudit_getattr_unlabeled_symlinks($1_t) +- kernel_dontaudit_getattr_unlabeled_pipes($1_t) +- kernel_dontaudit_getattr_unlabeled_sockets($1_t) +- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) +- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) ++ files_exec_usr_files($1_t) + + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) -+ + +- dev_dontaudit_getattr_all_blk_files($1_t) +- dev_dontaudit_getattr_all_chr_files($1_t) + kernel_dontaudit_list_unlabeled($1_usertype) + kernel_dontaudit_getattr_unlabeled_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) @@ -30200,9 +30296,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - libs_exec_ld_so($1_t) -- -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_non_security_files($1_usertype) 
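Review bot: `files_exec_usr_files($1_t)` is added to the base user template with `$1_t` while every rule around it was just converted to `$1_usertype`, so the grant reaches the login domain but not the derived types that attribute was introduced to cover; if it should match its neighbours, make it `files_exec_usr_files($1_usertype)`, otherwise a comment should say why it is deliberately narrower. The later hunk in the same file removes the call from the unprivileged user template, so the net effect is to move exec of /usr files into every domain built on the base template; which restricted user domains that includes is not visible here and is worth checking before the wider grant lands. The template body continues on both sides of the hunk.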
@@ -30219,13 +30312,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + libs_use_shared_libs($1_usertype) + libs_exec_ld_so($1_usertype) +- miscfiles_read_localization($1_t) +- miscfiles_read_certs($1_t) +- - sysnet_read_config($1_t) + miscfiles_read_localization($1_usertype) + miscfiles_read_certs($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +128,10 @@ +@@ -115,6 +130,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -30236,7 +30332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -141,33 +158,13 @@ +@@ -141,33 +160,13 @@ # template(`userdom_ro_home_template',` gen_require(` @@ -30275,7 +30371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -175,13 +172,14 @@ +@@ -175,13 +174,14 @@ # # read-only home directory @@ -30297,7 +30393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -231,30 +229,14 @@ +@@ -231,30 +231,14 @@ # template(`userdom_manage_home_template',` gen_require(` @@ -30334,7 +30430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +244,46 @@ +@@ -262,43 +246,46 @@ # # full control of the home directory @@ -30409,7 +30505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +301,20 @@ +@@ -316,14 +303,20 @@ ## # template(`userdom_exec_home_template',` @@ -30435,7 +30531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +332,10 @@ +@@ -341,11 +334,10 @@ ## # template(`userdom_poly_home_template',` 
@@ -30451,7 +30547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +359,18 @@ +@@ -369,18 +361,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -30480,7 +30576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +386,13 @@ +@@ -396,7 +388,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -30495,7 +30591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -445,12 +441,12 @@ +@@ -445,12 +443,12 @@ type $1_tmpfs_t, $1_file_type; files_tmpfs_file($1_tmpfs_t) @@ -30514,7 +30610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -510,10 +506,6 @@ +@@ -510,10 +508,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -30525,18 +30621,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,27 +523,20 @@ +@@ -531,27 +525,20 @@ ## # template(`userdom_basic_networking_template',` - gen_require(` - type $1_t; - ') - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1_usertype self:tcp_socket create_stream_socket_perms; -+ allow $1_usertype self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -30548,7 +30642,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -- ++ allow $1_usertype self:tcp_socket create_stream_socket_perms; ++ allow $1_usertype self:udp_socket create_socket_perms; + - optional_policy(` - ipsec_match_default_spd($1_t) - ') 
@@ -30565,7 +30661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +553,32 @@ +@@ -568,30 +555,32 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -30614,7 +30710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -622,13 +609,7 @@ +@@ -622,13 +611,7 @@ ## ## The template for allowing the user to change roles. ## @@ -30629,7 +30725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,183 +673,194 @@ +@@ -692,183 +675,194 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -30905,7 +31001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -895,6 +887,8 @@ +@@ -895,6 +889,8 @@ ## # template(`userdom_login_user_template', ` @@ -30914,7 +31010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,26 +917,26 @@ +@@ -923,70 +919,68 @@ allow $1_t self:context contains; 
@@ -30946,16 +31042,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - fs_rw_anon_inodefs_files($1_t) + files_dontaudit_list_default($1_usertype) + files_dontaudit_read_default_files($1_usertype) -+ + +- auth_dontaudit_write_login_records($1_t) + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) - auth_dontaudit_write_login_records($1_t) - -@@ -950,43 +944,43 @@ +- application_exec_all($1_t) ++ auth_dontaudit_write_login_records($1_t) # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -31158,7 +31254,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1193,12 +1203,11 @@ +@@ -1164,7 +1174,6 @@ + # Need the following rule to allow users to run vpnc + corenet_tcp_bind_xserver_port($1_t) + +- files_exec_usr_files($1_t) + # cjp: why? + files_read_kernel_symbol_table($1_t) + +@@ -1193,12 +1202,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -31173,7 +31277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1216,27 @@ +@@ -1207,7 +1215,27 @@ ') optional_policy(` @@ -31202,7 +31306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1313,6 @@ +@@ -1284,8 +1312,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; 
@@ -31211,7 +31315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1363,13 +1390,6 @@ +@@ -1363,13 +1389,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -31225,7 +31329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1442,7 @@ +@@ -1422,6 +1441,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31233,7 +31337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1808,14 @@ +@@ -1787,10 +1807,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -31249,7 +31353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1911,11 @@ +@@ -1886,11 +1910,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -31263,7 +31367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1945,11 @@ +@@ -1920,11 +1944,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -31277,7 +31381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1993,12 @@ +@@ -1968,12 +1992,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -31293,7 +31397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2028,10 @@ +@@ -2003,10 +2027,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` 
@@ -31306,7 +31410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2063,47 @@ +@@ -2038,11 +2062,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -31356,7 +31460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2135,10 @@ +@@ -2074,10 +2134,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -31369,7 +31473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2168,11 @@ +@@ -2107,11 +2167,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -31383,7 +31487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2202,11 @@ +@@ -2141,11 +2201,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -31398,7 +31502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2236,14 @@ +@@ -2175,10 +2235,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -31415,7 +31519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2273,11 @@ +@@ -2208,11 +2272,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -31429,7 +31533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2307,11 @@ +@@ -2242,11 +2306,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -31443,7 +31547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2341,10 @@ +@@ -2276,10 +2340,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -31456,7 +31560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2376,12 @@ +@@ -2311,12 +2375,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -31472,7 +31576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2413,10 @@ +@@ -2348,10 +2412,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -31485,7 +31589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2448,12 @@ +@@ -2383,12 +2447,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -31501,7 +31605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2485,12 @@ +@@ -2420,12 +2484,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -31517,7 +31621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2522,12 @@ +@@ -2457,12 +2521,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -31533,7 +31637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2572,11 @@ +@@ -2507,11 +2571,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` 
@@ -31547,7 +31651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2621,11 @@ +@@ -2556,11 +2620,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -31561,7 +31665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2665,11 @@ +@@ -2600,11 +2664,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -31575,7 +31679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2699,11 @@ +@@ -2634,11 +2698,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -31589,7 +31693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2733,11 @@ +@@ -2668,11 +2732,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -31603,7 +31707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2769,10 @@ +@@ -2704,10 +2768,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -31616,7 +31720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2804,10 @@ +@@ -2739,10 +2803,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -31629,7 +31733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2837,12 @@ +@@ -2772,12 +2836,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` 
@@ -31645,7 +31749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2874,10 @@ +@@ -2809,10 +2873,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -31658,7 +31762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2909,48 @@ +@@ -2844,10 +2908,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -31709,7 +31813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2980,12 @@ +@@ -2877,12 +2979,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -31725,7 +31829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3017,10 @@ +@@ -2914,10 +3016,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -31738,7 +31842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3052,12 @@ +@@ -2949,12 +3051,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -31754,7 +31858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3089,11 @@ +@@ -2986,11 +3088,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -31768,7 +31872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3125,11 @@ +@@ -3022,11 +3124,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` 
@@ -31782,7 +31886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3161,11 @@ +@@ -3058,11 +3160,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -31796,7 +31900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3197,11 @@ +@@ -3094,11 +3196,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -31810,7 +31914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3233,11 @@ +@@ -3130,11 +3232,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -31824,7 +31928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3282,10 @@ +@@ -3179,10 +3281,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -31837,7 +31941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3326,10 @@ +@@ -3223,10 +3325,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -31850,7 +31954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3357,42 @@ +@@ -3254,6 +3356,42 @@ ## ## # @@ -31893,7 +31997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4231,11 +4370,11 @@ +@@ -4231,11 +4369,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` 
@@ -31907,7 +32011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4390,10 @@ +@@ -4251,10 +4389,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -31920,7 +32024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4409,11 @@ +@@ -4270,11 +4408,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -31934,7 +32038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4428,16 @@ +@@ -4289,16 +4427,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -31954,7 +32058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4446,27 @@ +@@ -4307,12 +4445,27 @@ ## ## # @@ -31985,7 +32089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4481,13 @@ +@@ -4327,13 +4480,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -32003,7 +32107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4685,10 @@ +@@ -4531,10 +4684,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -32016,7 +32120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4705,10 @@ +@@ -4551,10 +4704,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` 
@@ -32029,7 +32133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4723,10 @@ +@@ -4569,10 +4722,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -32042,7 +32146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4742,10 @@ +@@ -4588,10 +4741,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -32055,7 +32159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4760,10 @@ +@@ -4606,10 +4759,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -32068,7 +32172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4779,10 @@ +@@ -4625,10 +4778,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -32081,7 +32185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4798,11 @@ +@@ -4644,12 +4797,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -32097,7 +32201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4829,10 @@ +@@ -4676,10 +4828,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -32110,7 +32214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4847,10 @@ +@@ -4694,10 +4846,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` 
@@ -32123,7 +32227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4865,13 @@ +@@ -4712,13 +4864,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -32141,7 +32245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4907,49 @@ +@@ -4754,11 +4906,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -32192,7 +32296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +4969,14 @@ +@@ -4778,6 +4968,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -32207,7 +32311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5038,26 @@ +@@ -4839,6 +5037,26 @@ ######################################## ## @@ -32234,7 +32338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5078,25 @@ +@@ -4859,6 +5077,25 @@ ######################################## ## @@ -32260,7 +32364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5117,26 @@ +@@ -4879,6 +5116,26 @@ ######################################## ## @@ -32287,7 +32391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5373,7 @@ +@@ -5115,7 +5372,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` 
@@ -32296,7 +32400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5562,50 @@ +@@ -5304,6 +5561,50 @@ ######################################## ## @@ -32347,7 +32451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5811,42 @@ +@@ -5509,6 +5810,42 @@ ######################################## ## @@ -32390,7 +32494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5674,6 +6012,42 @@ +@@ -5674,6 +6011,42 @@ ######################################## ## @@ -32433,7 +32537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6078,370 @@ +@@ -5704,3 +6077,370 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2d31cf7..b6953dc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,8 @@ exit 0 %endif %changelog +* Tue Mar 18 2008 Dan Walsh 3.3.1-22 + * Mon Mar 17 2008 Dan Walsh 3.3.1-21 - Fixes for qemu/virtd