From 972ea0da6b81751a89ca983456d121717ab897e2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 02 2009 15:01:06 +0000 Subject: - Add labeling for /var/run/kdm --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 685bcbb..e6e2923 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -728,6 +728,13 @@ jabber = module # java = module +# Layer: apps +# Module: execmem +# +# execmem executable +# +execmem = module + # Layer: system # Module: kdump # diff --git a/modules-targeted.conf b/modules-targeted.conf index 685bcbb..e6e2923 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -728,6 +728,13 @@ jabber = module # java = module +# Layer: apps +# Module: execmem +# +# execmem executable +# +execmem = module + # Layer: system # Module: kdump # diff --git a/policy-F12.patch b/policy-F12.patch index 303bbb3..1cbb60f 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1711,8 +1711,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-10-02 08:23:19.000000000 -0400 -@@ -0,0 +1,52 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-10-02 11:00:23.000000000 -0400 +@@ -0,0 +1,57 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -1765,6 +1765,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) ++ ++optional_policy(` ++ execmem_exec(chrome_sandbox_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-09-09 09:23:16.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te 2009-09-30 16:12:48.000000000 -0400 @@ -1777,6 +1782,126 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc +--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-02 10:45:59.000000000 -0400 +@@ -0,0 +1,27 @@ ++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++ifdef(`distro_gentoo',` ++/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++') ++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if +--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-02 10:33:33.000000000 -0400 +@@ -0,0 +1,70 @@ ++## execmem domain ++ ++######################################## ++## ++## Execute the execmem program in the execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`execmem_exec',` ++ gen_require(` ++ type execmem_exec_t; ++ ') ++ ++ can_exec($1, execmem_exec_t) ++') ++ ++####################################### ++## ++## The role template for the execmem module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for execmem applications. ++##

++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`execmem_role_template',` ++ gen_require(` ++ type execmem_exec_t; ++ ') ++ ++ type $1_execmem_t; ++ domain_type($1_execmem_t) ++ domain_entry_file($1_execmem_t, execmem_exec_t) ++ role $2 types $1_execmem_t; ++ ++ userdom_unpriv_usertype($1, $1_execmem_t) ++ userdom_manage_tmpfs_role($2, $1_execmem_t) ++ ++ allow $1_execmem_t self:process { execmem execstack }; ++ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; ++ domtrans_pattern($3, execmem_exec_t, $1_execmem_t) ++ corecmd_bin_domtrans($1_execmem_t, $1_t) ++ ++ optional_policy(` ++ xserver_common_app($1_execmem_t) ++ xserver_role($1_r, $1_execmem_t) ++ ') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.6.32/policy/modules/apps/execmem.te +--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.te 2009-10-02 10:36:43.000000000 -0400 +@@ -0,0 +1,11 @@ ++ ++policy_module(execmem, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type execmem_exec_t; ++application_executable_file(execmem_exec_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.6.32/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.fc 2009-09-30 16:12:48.000000000 -0400 @@ -2912,7 +3037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-10-02 08:15:50.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-10-02 11:00:19.000000000 -0400 @@ -59,6 +59,7 @@ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) @@ -5021,7 +5146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-02 08:03:28.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-02 10:34:35.000000000 -0400 @@ -1,4 +1,4 @@ - +c @@ -5071,7 +5196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +323,23 @@ +@@ -315,3 +323,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5093,8 +5218,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ -+/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.32/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.if 2009-09-30 16:12:48.000000000 -0400 @@ -7508,45 +7631,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2009-10-02 08:54:17.000000000 -0400 -@@ -0,0 +1,34 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2009-10-02 10:25:25.000000000 -0400 +@@ -0,0 +1,8 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+ifdef(`distro_gentoo',` -+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+') -+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ +/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + -+/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-10-02 10:23:36.000000000 -0400 @@ -0,0 +1,638 @@ +## Unconfiend user role + @@ -8188,8 +8285,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-02 08:30:26.000000000 -0400 -@@ -0,0 +1,406 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-02 10:45:40.000000000 -0400 +@@ -0,0 +1,397 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -8239,14 +8336,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +role system_r types unconfined_t; +typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t }; + -+type unconfined_execmem_t; -+type execmem_exec_t; -+init_system_domain(unconfined_execmem_t, execmem_exec_t) -+role unconfined_r types unconfined_execmem_t; -+typealias execmem_exec_t alias unconfined_execmem_exec_t; -+userdom_unpriv_usertype(unconfined, unconfined_execmem_t) -+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t) -+ +type unconfined_notrans_t; +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) @@ -8262,8 +8351,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + -+domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) -+ +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) + @@ -8529,7 +8616,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Unconfined Execmem Local policy +# + -+allow unconfined_execmem_t self:process { execstack execmem }; ++execmem_role_template(unconfined, unconfined_r, unconfined_t) ++typealias unconfined_execmem_t alias execmem_t; +unconfined_domain_noaudit(unconfined_execmem_t) +allow unconfined_execmem_t unconfined_t:process transition; +rpm_transition_script(unconfined_execmem_t) @@ -8545,9 +8633,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + avahi_dbus_chat(unconfined_execmem_t) +') + -+ optional_policy(` -+ hal_dbus_chat(unconfined_execmem_t) -+ ') ++optional_policy(` ++ hal_dbus_chat(unconfined_execmem_t) ++') + +optional_policy(` + xserver_rw_shm(unconfined_execmem_t) @@ -21974,7 +22062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.32/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/application.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/application.if 2009-10-02 10:28:50.000000000 -0400 @@ -2,7 +2,7 @@ ######################################## @@ -27167,7 +27255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-02 08:25:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-02 10:53:53.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -28193,7 +28281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -975,36 +1086,53 @@ +@@ -975,36 +1086,57 @@ ') ') @@ -28240,6 +28328,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ execmem_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` + java_role_template($1, $1_r, $1_t) + ') + @@ -28261,7 +28353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1168,7 @@ +@@ -1040,7 +1172,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -28270,7 +28362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1177,7 @@ +@@ -1049,8 +1181,7 @@ # # Inherit rules for ordinary users. @@ -28280,7 +28372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1202,9 @@ +@@ -1075,6 +1206,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -28290,7 +28382,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1219,7 @@ +@@ -1089,6 +1223,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -28298,7 +28390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1227,6 @@ +@@ -1096,8 +1231,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -28307,7 +28399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1253,8 @@ +@@ -1124,6 +1257,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -28316,7 +28408,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1283,6 @@ +@@ -1152,20 +1287,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -28337,7 +28429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1328,7 @@ +@@ -1211,6 +1332,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -28345,7 +28437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1394,15 @@ +@@ -1276,11 +1398,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -28361,7 +28453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1513,13 @@ +@@ -1391,12 +1517,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -28376,7 +28468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1552,14 @@ +@@ -1429,6 +1556,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -28391,7 +28483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1575,11 @@ +@@ -1444,9 +1579,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -28403,7 +28495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1636,25 @@ +@@ -1503,6 +1640,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -28429,7 +28521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1729,8 @@ +@@ -1577,6 +1733,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -28438,7 +28530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1824,7 @@ +@@ -1670,6 +1828,7 @@ type user_home_dir_t, user_home_t; ') @@ -28446,7 +28538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1952,32 @@ +@@ -1797,19 +1956,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -28486,7 +28578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2012,7 @@ +@@ -1844,6 +2016,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -28494,7 +28586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2560,7 @@ +@@ -2391,27 +2564,7 @@ ######################################## ## @@ -28523,7 +28615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2765,11 +2914,32 @@ +@@ -2765,11 +2918,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -28558,7 +28650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3067,25 @@ +@@ -2897,7 +3071,25 @@ type user_tmp_t; ') @@ -28585,7 +28677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3122,7 @@ +@@ -2934,6 +3126,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -28593,7 +28685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3253,559 @@ +@@ -3064,3 +3257,559 @@ allow $1 userdomain:dbus send_msg; ')