From bc2add38858893c442d2b69e89d784c27db7096a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 03 2009 20:23:12 +0000 Subject: - Add boolean to disallow unconfined_t login --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 7e13851..d6f88c8 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -2875,7 +2875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-02 09:39:29.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-03 10:55:18.000000000 -0500 @@ -0,0 +1,288 @@ + +policy_module(nsplugin, 1.0.0) @@ -2897,7 +2897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## Allow nsplugin code to connect to unreserved ports +##

+## -+gen_tunable(nsplugin_can_network, True) ++gen_tunable(nsplugin_can_network, true) + +type nsplugin_exec_t; +application_executable_file(nsplugin_exec_t) @@ -12453,7 +12453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.3/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te 2009-02-03 14:14:11.000000000 -0500 @@ -69,21 +69,22 @@ # allow access to dnsmasq.conf @@ -12480,6 +12480,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -96,4 +97,5 @@ + + optional_policy(` + virt_manage_lib_files(dnsmasq_t) ++ virt_read_pid_files(dnsmasq_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.3/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/services/dovecot.fc 2009-01-19 13:10:02.000000000 -0500 @@ -13022,7 +13028,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.3/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/ftp.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/ftp.te 2009-02-03 11:10:55.000000000 -0500 +@@ -26,7 +26,7 @@ + ## + ##

+ ## Allow ftp servers to use cifs +-## used for public file transfer services. ++## for public file transfer services. + ##

+ ## + gen_tunable(allow_ftpd_use_cifs, false) +@@ -34,7 +34,7 @@ + ## + ##

+ ## Allow ftp servers to use nfs +-## used for public file transfer services. ++## for public file transfer services. + ##

+ ## + gen_tunable(allow_ftpd_use_nfs, false) @@ -160,6 +160,7 @@ fs_search_auto_mountpoints(ftpd_t) @@ -22512,7 +22536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-01-30 09:30:42.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-02-03 14:14:04.000000000 -0500 @@ -293,6 +293,41 @@ ######################################## @@ -23335,7 +23359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-02 14:36:35.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-03 10:52:31.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -23735,7 +23759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,9 +651,11 @@ +@@ -550,8 +651,9 @@ ') optional_policy(` @@ -23745,11 +23769,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_signal(xdm_t) +') -+optional_policy(` ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; +@@ -560,7 +662,6 @@ + ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; ') -@@ -571,6 +674,10 @@ +-') + + optional_policy(` + userhelper_dontaudit_search_config(xdm_t) +@@ -571,6 +672,10 @@ ') optional_policy(` @@ -23760,7 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +694,7 @@ +@@ -587,7 +692,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23769,7 +23799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +709,11 @@ +@@ -602,9 +707,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23781,7 +23811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -622,7 +731,7 @@ +@@ -622,7 +729,7 @@ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) @@ -23790,7 +23820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,6 +744,15 @@ +@@ -635,6 +742,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23806,7 +23836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -680,9 +798,14 @@ +@@ -680,9 +796,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23821,7 +23851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +820,13 @@ +@@ -697,8 +818,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23835,7 +23865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +848,7 @@ +@@ -720,6 +846,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23843,7 +23873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +871,7 @@ +@@ -742,7 +869,7 @@ ') ifdef(`enable_mls',` @@ -23852,7 +23882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,6 +903,10 @@ +@@ -774,6 +901,10 @@ ') optional_policy(` @@ -23863,7 +23893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') -@@ -806,7 +939,7 @@ +@@ -806,7 +937,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -23872,7 +23902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +960,14 @@ +@@ -827,9 +958,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23887,7 +23917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +982,14 @@ +@@ -844,11 +980,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23903,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +997,11 @@ +@@ -856,6 +995,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -23915,7 +23945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1027,8 @@ +@@ -881,6 +1025,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -23924,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1053,8 @@ +@@ -905,6 +1051,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23933,7 +23963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,6 +1122,37 @@ +@@ -972,6 +1120,37 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -23971,7 +24001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1167,12 @@ +@@ -986,3 +1165,12 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO @@ -24810,7 +24840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-01-28 09:55:56.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-02-03 14:13:10.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -24988,7 +25018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_dontaudit_use_interactive_fds(daemon) + -+userdom_dontaudit_search_admin_dir(daemon) ++userdom_dontaudit_list_admin_dir(daemon) + +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) @@ -25292,7 +25322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.3/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc 2009-01-26 13:53:03.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/libraries.fc 2009-02-03 14:11:21.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -25322,7 +25352,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -115,9 +119,17 @@ +@@ -103,6 +107,7 @@ + # + /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +@@ -115,9 +120,17 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25340,7 +25378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -127,12 +139,14 @@ +@@ -127,12 +140,14 @@ /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25355,7 +25393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,7 +182,8 @@ +@@ -168,7 +183,8 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25365,7 +25403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,6 +202,7 @@ +@@ -187,6 +203,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25373,7 +25411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,12 +262,13 @@ +@@ -246,12 +263,13 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25389,7 +25427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +284,9 @@ +@@ -267,6 +285,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25399,7 +25437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +311,8 @@ +@@ -291,6 +312,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25408,7 +25446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -303,6 +325,8 @@ +@@ -303,6 +326,8 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -25417,7 +25455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -@@ -310,3 +334,20 @@ +@@ -310,3 +335,20 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -27721,7 +27759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-02 14:49:54.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-03 10:47:05.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -27784,14 +27822,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol interface(`unconfined_shell_domtrans',` gen_require(` - type unconfined_t; -+ type unconfined_login_domain; ++ attribute unconfined_login_domain; ') - - corecmd_shell_domtrans($1,unconfined_t) - allow unconfined_t $1:fd use; - allow unconfined_t $1:fifo_file rw_file_perms; - allow unconfined_t $1:process sigchld; -+ typeattribute $1 unconfined_login_domain ++ typeattribute $1 unconfined_login_domain; ') ######################################## @@ -27973,7 +28011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-02 14:52:21.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-03 15:14:47.000000000 -0500 @@ -5,36 +5,86 @@ # # Declarations @@ -28068,7 +28106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_run_ldconfig(unconfined_t, unconfined_r) -@@ -42,26 +92,39 @@ +@@ -42,26 +92,46 @@ logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) @@ -28084,6 +28122,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) ++tunable_policy(`unconfined_login',` ++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) ++ allow unconfined_t unconfined_login_domain:fd use; ++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; ++ allow unconfined_t unconfined_login_domain:process sigchld; ++') ++ +optional_policy(` + nsplugin_role_notrans(unconfined_r, unconfined_t) + tunable_policy(`allow_unconfined_nsplugin_transition',` @@ -28110,7 +28155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -102,12 +165,24 @@ +@@ -102,12 +172,24 @@ ') optional_policy(` @@ -28135,7 +28180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,31 +194,33 @@ +@@ -119,31 +201,33 @@ ') optional_policy(` @@ -28176,7 +28221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,36 +232,38 @@ +@@ -155,36 +239,38 @@ ') optional_policy(` @@ -28227,7 +28272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -192,7 +271,7 @@ +@@ -192,7 +278,7 @@ ') optional_policy(` @@ -28236,7 +28281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -204,11 +283,12 @@ +@@ -204,11 +290,12 @@ ') optional_policy(` @@ -28251,7 +28296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -218,14 +298,68 @@ +@@ -218,14 +305,61 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -28276,7 +28321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xserver_rw_shm(unconfined_execmem_t) -+') + ') + +######################################## +# @@ -28295,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type mplayer_exec_t; + ') + domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) - ') ++') + +optional_policy(` +tunable_policy(`allow_unconfined_nsplugin_transition',`', ` @@ -28314,13 +28359,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -+ -+tunable_policy(`unconfined_login',` -+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) -+ allow unconfined_t unconfined_login_domain:fd use; -+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; -+ allow unconfined_t unconfined_login_domain:process sigchld; -+') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500