From b40e71f972d6c4ce3ac2eefd3878adf59e6b648a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Oct 09 2008 03:10:15 +0000
Subject: - Allow rsync to fownee and fsetid
---
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 9e00af7..08e3b96 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -26478,7 +26478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-08 17:01:58.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-08 23:00:59.000000000 -0400
@@ -17,6 +17,13 @@
##
@@ -26664,8 +26664,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
-+ unprivuser_create_home_dir(smbd_t)
-+ unprivuser_home_filetrans_home_dir(smbd_t)
++ userdom_create_generic_home_dir_files(smbd_t)
++ userdom_home_filetrans_generic_user_home_dir(smbd_t)
+')
+
tunable_policy(`samba_export_all_ro',`
@@ -37902,7 +37902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-03 11:04:47.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-08 23:00:48.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -39203,7 +39203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2038,11 +2070,48 @@
+@@ -2038,11 +2070,67 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -39251,10 +39251,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ dontaudit $2 user_home_dir_t:file create;
++')
++
++########################################
++##
++## Create generic user home directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_create_generic_home_dir_files',`
++ gen_require(`
++ type user_home_dir_t;
++ ')
++
++ files_search_home($1)
++ allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
-@@ -2074,10 +2143,10 @@
+@@ -2074,10 +2162,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
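Review bot: The interface added at `++interface(`userdom_create_generic_home_dir_files',`` is misnamed: its only rule is `++ allow $1 user_home_dir_t:dir create_dir_perms;`, so it grants directory creation under user_home_dir_t and names no file class at all, while the identifier promises files. The call substituted into the `samba_create_home_dirs` tunable in the samba.te hunk earlier in this commit therefore reads as if smbd_t were being allowed to create home files, which obscures what that tunable actually opens up alongside the `chown` capability it already grants. The summary line `++## Create generic user home directories` already describes the directory behaviour, so the name is the odd one out; a name such as `userdom_create_generic_home_dirs` (with the samba.te caller updated to match) would keep name, summary and rule in agreement, and if file creation is in fact intended the rule set is incomplete rather than the name wrong. The template whose `gen_require(` opens on the hunk's last line continues outside the hunk.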
@@ -39267,7 +39286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2107,11 +2176,11 @@
+@@ -2107,11 +2195,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -39281,7 +39300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2141,11 +2210,11 @@
+@@ -2141,11 +2229,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -39296,7 +39315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2175,10 +2244,14 @@
+@@ -2175,10 +2263,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -39313,7 +39332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2208,11 +2281,11 @@
+@@ -2208,11 +2300,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -39327,7 +39346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2242,11 +2315,11 @@
+@@ -2242,11 +2334,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -39341,7 +39360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2276,10 +2349,10 @@
+@@ -2276,10 +2368,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -39354,7 +39373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2311,12 +2384,12 @@
+@@ -2311,12 +2403,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -39370,7 +39389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2348,10 +2421,10 @@
+@@ -2348,10 +2440,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -39383,7 +39402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2383,12 +2456,12 @@
+@@ -2383,12 +2475,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -39399,7 +39418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2420,12 +2493,12 @@
+@@ -2420,12 +2512,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -39415,7 +39434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2457,12 +2530,12 @@
+@@ -2457,12 +2549,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -39431,7 +39450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2507,11 +2580,11 @@
+@@ -2507,11 +2599,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -39445,7 +39464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2556,11 +2629,11 @@
+@@ -2556,11 +2648,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -39459,7 +39478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2600,11 +2673,11 @@
+@@ -2600,11 +2692,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -39473,7 +39492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2634,11 +2707,11 @@
+@@ -2634,11 +2726,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -39487,7 +39506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2668,11 +2741,11 @@
+@@ -2668,11 +2760,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -39501,7 +39520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2704,10 +2777,10 @@
+@@ -2704,10 +2796,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -39514,7 +39533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2739,10 +2812,10 @@
+@@ -2739,10 +2831,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -39527,7 +39546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2772,12 +2845,12 @@
+@@ -2772,12 +2864,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -39543,7 +39562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2809,20 +2882,20 @@
+@@ -2809,20 +2901,20 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -39568,7 +39587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary files.
##
##
-@@ -2842,21 +2915,23 @@
+@@ -2842,21 +2934,23 @@
##
##
#
@@ -39597,7 +39616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## This is a templated interface, and should only
-@@ -2871,65 +2946,136 @@
+@@ -2871,35 +2965,106 @@
##
##
##
@@ -39635,42 +39654,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
-## be called from a per-userdomain template.
-##
-##
--##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
--##
- ##
- ##
--## Domain to not audit.
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--template(`userdom_dontaudit_manage_user_tmp_files',`
++##
++##
++#
+interface(`userdom_unlink_unpriv_users_tmp_files',`
- gen_require(`
-- type $1_tmp_t;
++ gen_require(`
+ attribute user_tmpfile;
- ')
-
-- dontaudit $2 $1_tmp_t:file manage_file_perms;
++ ')
++
+ files_delete_tmp_dir_entry($1)
+ allow $1 user_tmpfile:file unlink;
- ')
-
- ########################################
- ##
--## Read user
--## temporary symbolic links.
++')
++
++########################################
++##
+## Connect to unpriviledged users over an unix stream socket.
- ##
--##
--##
--## Read user
--## temporary symbolic links.
--##
++##
+##
+##
+## Domain allowed access.
@@ -39736,40 +39738,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+## be called from a per-userdomain template.
+##
+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+template(`userdom_dontaudit_manage_user_tmp_files',`
-+ gen_require(`
+ ##
+ ##
+ ## The prefix of the user domain (e.g., user
+@@ -2914,10 +3079,10 @@
+ #
+ template(`userdom_dontaudit_manage_user_tmp_files',`
+ gen_require(`
+- type $1_tmp_t;
+ type user_tmp_t;
-+ ')
-+
+ ')
+
+- dontaudit $2 $1_tmp_t:file manage_file_perms;
+ dontaudit $2 user_tmp_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Read user
-+## temporary symbolic links.
-+##
-+##
-+##
-+## Read user
-+## temporary symbolic links.
-+##
- ##
- ## This is a templated interface, and should only
- ## be called from a per-userdomain template.
-@@ -2949,12 +3095,12 @@
+ ')
+
+ ########################################
+@@ -2949,12 +3114,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -39785,7 +39770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2986,11 +3132,11 @@
+@@ -2986,11 +3151,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -39799,7 +39784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3022,11 +3168,11 @@
+@@ -3022,11 +3187,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -39813,7 +39798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3058,11 +3204,11 @@
+@@ -3058,11 +3223,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -39827,7 +39812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3094,11 +3240,11 @@
+@@ -3094,11 +3259,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -39841,7 +39826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3130,11 +3276,11 @@
+@@ -3130,11 +3295,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -39855,7 +39840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3179,10 +3325,10 @@
+@@ -3179,10 +3344,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -39868,7 +39853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3223,10 +3369,10 @@
+@@ -3223,10 +3388,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -39881,7 +39866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3254,6 +3400,42 @@
+@@ -3254,6 +3419,42 @@
##
##
#
@@ -39924,7 +39909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
-@@ -3267,6 +3449,42 @@
+@@ -3267,6 +3468,42 @@
########################################
##
@@ -39967,7 +39952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## List users untrusted directories.
##
##
-@@ -3962,6 +4180,24 @@
+@@ -3962,6 +4199,24 @@
########################################
##
@@ -39992,7 +39977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Manage unpriviledged user SysV shared
## memory segments.
##
-@@ -4231,11 +4467,11 @@
+@@ -4231,11 +4486,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -40006,7 +39991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4251,10 +4487,10 @@
+@@ -4251,10 +4506,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -40019,7 +40004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4270,11 +4506,11 @@
+@@ -4270,11 +4525,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -40033,7 +40018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4289,16 +4525,16 @@
+@@ -4289,16 +4544,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -40053,7 +40038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory.
##
##
-@@ -4307,12 +4543,54 @@
+@@ -4307,12 +4562,54 @@
##
##
#
@@ -40111,7 +40096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4327,13 +4605,13 @@
+@@ -4327,13 +4624,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -40129,7 +40114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4531,10 +4809,10 @@
+@@ -4531,10 +4828,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -40142,7 +40127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4551,10 +4829,10 @@
+@@ -4551,10 +4848,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -40155,7 +40140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4569,10 +4847,10 @@
+@@ -4569,10 +4866,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -40168,7 +40153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4588,10 +4866,10 @@
+@@ -4588,10 +4885,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -40181,7 +40166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4606,10 +4884,10 @@
+@@ -4606,10 +4903,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -40194,7 +40179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4625,10 +4903,10 @@
+@@ -4625,10 +4922,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -40207,7 +40192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4644,12 +4922,29 @@
+@@ -4644,12 +4941,29 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -40241,7 +40226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4676,10 +4971,10 @@
+@@ -4676,10 +4990,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -40254,7 +40239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4694,10 +4989,10 @@
+@@ -4694,10 +5008,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -40267,7 +40252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4712,13 +5007,13 @@
+@@ -4712,13 +5026,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -40285,99 +40270,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4754,16 +5049,16 @@
+@@ -4754,11 +5068,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
-- attribute home_dir_type;
+ attribute user_home_dir_type;
- ')
-
- files_list_home($1)
-- allow $1 home_dir_type:dir search_dir_perms;
-+ allow $1 user_home_dir_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List all users home directories.
-+## Read all users home directories symlinks.
- ##
- ##
- ##
-@@ -4771,18 +5066,18 @@
- ##
- ##
- #
--interface(`userdom_list_all_users_home_dirs',`
-+interface(`userdom_read_all_users_home_dirs_symlinks',`
- gen_require(`
- attribute home_dir_type;
- ')
-
- files_list_home($1)
-- allow $1 home_dir_type:dir list_dir_perms;
-+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
--## Search all users home directories.
-+## Read all users home directories symlinks.
- ##
- ##
- ##
-@@ -4790,31 +5085,79 @@
- ##
- ##
- #
--interface(`userdom_search_all_users_home_content',`
-+interface(`userdom_read_all_users_home_content_symlinks',`
- gen_require(`
-- attribute home_dir_type, home_type;
-+ type user_home_t;
- ')
-
- files_list_home($1)
-- allow $1 { home_dir_type home_type }:dir search_dir_perms;
-+ allow $1 user_home_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search all users home directories.
-+## List all users home directories.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`userdom_dontaudit_search_all_users_home_content',`
-+interface(`userdom_list_all_users_home_dirs',`
- gen_require(`
-- attribute home_dir_type, home_type;
-+ attribute home_dir_type;
- ')
-
-- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
-+ files_list_home($1)
-+ allow $1 home_dir_type:dir list_dir_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
+ ')
+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ ')
++ files_list_home($1)
++ allow $1 user_home_dir_type:dir search_dir_perms;
+')
+
+########################################
+##
-+## Search all users home directories.
++## Read all users home directories symlinks.
+##
+##
+##
@@ -40385,49 +40291,74 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+interface(`userdom_search_all_users_home_content',`
++interface(`userdom_read_all_users_home_dirs_symlinks',`
+ gen_require(`
-+ attribute home_dir_type, home_type;
-+ ')
-+
-+ files_list_home($1)
-+ allow $1 { home_dir_type home_type }:dir search_dir_perms;
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
+- allow $1 home_dir_type:dir search_dir_perms;
++ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to search all users home directories.
++## Read all users home directories symlinks.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_search_all_users_home_content',`
++interface(`userdom_read_all_users_home_content_symlinks',`
+ gen_require(`
-+ attribute home_dir_type, home_type;
++ type user_home_t;
+ ')
+
-+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++ files_list_home($1)
++ allow $1 user_home_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4778,6 +5130,14 @@
+
+ files_list_home($1)
+ allow $1 home_dir_type:dir list_dir_perms;
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ ')
+ ')
+
+ ########################################
+@@ -4815,6 +5175,8 @@
+ ')
+
+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+ fs_dontaudit_list_nfs($1)
+ fs_dontaudit_list_cifs($1)
')
########################################
-@@ -4839,6 +5182,26 @@
+@@ -4839,7 +5201,7 @@
########################################
##
+-## Create, read, write, and delete all directories
+## delete all directories
-+## in all users home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ## in all users home directories.
+ ##
+ ##
+@@ -4848,7 +5210,27 @@
+ ##
+ ##
+ #
+-interface(`userdom_manage_all_users_home_content_dirs',`
+interface(`userdom_delete_all_users_home_content_dirs',`
+ gen_require(`
+ attribute home_type;
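Review bot: The summary written for the new `++interface(`userdom_read_all_users_home_content_symlinks',`` duplicates the one given two blocks earlier for `userdom_read_all_users_home_dirs_symlinks`, but the body allows `++ allow $1 user_home_t:lnk_file read_lnk_file_perms;`, i.e. symlinks inside home content rather than the home directories themselves; the line `++## Read all users home directories symlinks.` above it should read `## Read all users home content symlinks.`. Further down, the retained summary `+## delete all directories` for `userdom_delete_all_users_home_content_dirs` should be capitalised as `## Delete all directories` to match the other summaries in this file. It is also worth confirming that narrowing `userdom_search_all_users_home_dirs` to `+ attribute user_home_dir_type;` while the sibling symlink interface still requires `home_dir_type` is deliberate, since the two now cover different sets of types; the visible lines do not say which callers depend on the wider attribute. The `userdom_delete_all_users_home_content_dirs` interface opened near the end of this hunk continues outside it.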
@@ -40439,10 +40370,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+########################################
+##
- ## Create, read, write, and delete all directories
- ## in all users home directories.
- ##
-@@ -4859,6 +5222,25 @@
++## Create, read, write, and delete all directories
++## in all users home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_all_users_home_content_dirs',`
+ gen_require(`
+ attribute home_type;
+ ')
+@@ -4859,6 +5241,25 @@
########################################
##
@@ -40468,7 +40409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4879,6 +5261,26 @@
+@@ -4879,6 +5280,26 @@
########################################
##
@@ -40495,7 +40436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all symlinks
## in all users home directories.
##
-@@ -5115,7 +5517,7 @@
+@@ -5115,7 +5536,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -40504,7 +40445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5304,6 +5706,63 @@
+@@ -5304,6 +5725,63 @@
########################################
##
@@ -40568,7 +40509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in
## unprivileged users home directories.
##
-@@ -5509,6 +5968,43 @@
+@@ -5509,6 +5987,43 @@
########################################
##
@@ -40612,7 +40553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
##
##
-@@ -5559,7 +6055,7 @@
+@@ -5559,7 +6074,7 @@
attribute userdomain;
')
@@ -40621,7 +40562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -5674,6 +6170,42 @@
+@@ -5674,6 +6189,42 @@
########################################
##
@@ -40664,7 +40605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5704,3 +6236,408 @@
+@@ -5704,3 +6255,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 51c7d5d..74bc830 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 99%{?dist}
+Release: 100%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@ exit 0
%endif
%changelog
+* Mon Oct 6 2008 Dan Walsh 3.3.1-100
+- Allow rsync to fownee and fsetid
+
* Mon Oct 6 2008 Dan Walsh 3.3.1-99
- Fix file contexts