From ef5e60099963c3670e1bb6b1acb3e7e6587a398f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 24 2008 19:41:22 +0000 Subject: - Don't run crontab from unconfined_t --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 82d3eb7..959c394 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -8,6 +8,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.3.1/ - Label /proc/kallsyms with system_map_t. - 64-bit capabilities from Stephen Smalley. - Labeled networking peer object class updates. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile +--- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 ++++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400 +@@ -235,7 +235,7 @@ + appdir := $(contextpath) + user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) + user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) +-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) ++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) + net_contexts := $(builddir)net_contexts + + all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +@@ -309,20 +309,22 @@ + + # parse-rolemap modulename,outputfile + define parse-rolemap +- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 ++ echo "" >> $2 ++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ ++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + endef + + # perrole-expansion modulename,outputfile + define perrole-expansion +- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +- $(call parse-rolemap,$1,$2) +- $(verbose) echo "')" >> $2 +- +- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +- $(call parse-rolemap-compat,$1,$2) +- $(verbose) echo "')" >> $2 ++ echo "No longer doing perrole-expansion" ++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 ++# $(call parse-rolemap,$1,$2) ++# $(verbose) echo "')" >> $2 ++ ++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 ++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 ++# $(call parse-rolemap-compat,$1,$2) ++# $(verbose) echo "')" >> $2 + endef + + # create-base-per-role-tmpl modulenames,outputfile +@@ -521,6 +523,10 @@ + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + ++$(appdir)/initrc_context: $(tmpdir)/initrc_context ++ @mkdir -p $(appdir) ++ $(verbose) $(INSTALL) -m 644 $< $@ ++ + $(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular +--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400 +@@ -73,8 +73,8 @@ + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) +- $(call perrole-expansion,$(basename $(@F)),$@.role) +- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++# $(call perrole-expansion,$(basename $(@F)),$@.role) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + + $(tmpdir)/%.mod.fc: $(m4support) %.fc +@@ -129,7 +129,7 @@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + # define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ +- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) ++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + + $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +@@ -147,7 +147,7 @@ + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ +- $(call parse-rolemap,base,$@) ++# $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic +--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400 +@@ -96,7 +96,7 @@ + # + # Load the binary policy + # +-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) ++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) + @echo "Loading $(NAME) $(loadpath)" + $(verbose) $(LOADPOLICY) -q $(loadpath) + @touch $(tmpdir)/load diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context 2008-04-21 11:02:47.859787000 -0400 @@ -691,62 +791,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile ---- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400 -@@ -235,7 +235,7 @@ - appdir := $(contextpath) - user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) - user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) --appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) - net_contexts := $(builddir)net_contexts - - all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -@@ -309,20 +309,22 @@ - - # parse-rolemap modulename,outputfile - define parse-rolemap -- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -+ echo "" >> $2 -+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 - endef - - # perrole-expansion modulename,outputfile - define perrole-expansion -- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -- $(call parse-rolemap,$1,$2) -- $(verbose) echo "')" >> $2 -- -- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -- $(call parse-rolemap-compat,$1,$2) -- $(verbose) echo "')" >> $2 -+ echo "No longer doing perrole-expansion" -+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -+# $(call parse-rolemap,$1,$2) -+# $(verbose) echo "')" >> $2 -+ -+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -+# $(call parse-rolemap-compat,$1,$2) -+# $(verbose) echo "')" >> $2 - endef - - # create-base-per-role-tmpl modulenames,outputfile -@@ -521,6 +523,10 @@ - @mkdir -p $(appdir)/users - $(verbose) $(INSTALL) -m 644 $^ $@ - -+$(appdir)/initrc_context: $(tmpdir)/initrc_context -+ @mkdir -p $(appdir) -+ $(verbose) $(INSTALL) -m 644 $< $@ -+ - $(appdir)/%: $(appconf)/% - @mkdir -p $(appdir) - $(verbose) $(INSTALL) -m 644 $< $@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-04-21 11:02:47.931714000 -0400 @@ -2533,109 +2577,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400 -@@ -55,7 +55,7 @@ - # - - # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; -+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; -@@ -68,33 +68,35 @@ - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; -+ allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_t:key search; - - # Enter this derived domain from the user domain - domtrans_pattern($2, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t,$2) -+ corecmd_bin_domtrans($1_sudo_t,$2) - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_search_key($1_sudo_t) -+ kernel_link_key($1_sudo_t) - - dev_read_urand($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - -- auth_domtrans_chk_passwd($1_sudo_t) -+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) -- corecmd_getattr_all_executables($1_sudo_t) -+ corecmd_exec_all_executables($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +108,42 @@ - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) -+ files_list_tmp($1_sudo_t) - - init_rw_utmp($1_sudo_t) - - libs_use_ld_so($1_sudo_t) - libs_use_shared_libs($1_sudo_t) - -+ logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - -+ mta_per_role_template($1, $1_sudo_t, $3) -+ - userdom_manage_user_home_content_files($1,$1_sudo_t) - userdom_manage_user_home_content_symlinks($1,$1_sudo_t) - userdom_manage_user_tmp_files($1,$1_sudo_t) - userdom_manage_user_tmp_symlinks($1,$1_sudo_t) -+ userdom_exec_user_home_content_files($1,$1_sudo_t) - userdom_use_user_terminals($1,$1_sudo_t) - userdom_use_unpriv_users_fds($1_sudo_t) - # for some PAM modules and for cwd -+ userdom_search_sysadm_home_content_dirs($1_sudo_t) - userdom_dontaudit_search_all_users_home_content($1_sudo_t) - -- ifdef(`TODO',` -- # for when the network connection is killed -- dontaudit unpriv_userdomain $1_sudo_t:process signal; -- -- ifdef(`mta.te', ` -- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) -- ') -+ domain_role_change_exemption($1_sudo_t) -+ userdom_spec_domtrans_all_users($1_sudo_t) - -- ') dnl end TODO -+ selinux_validate_context($1_sudo_t) -+ selinux_compute_relabel_context($1_sudo_t) -+ selinux_getattr_fs($1_sudo_t) -+ seutil_read_config($1_sudo_t) -+ seutil_search_default_contexts($1_sudo_t) -+ -+ term_use_all_user_ttys($1_sudo_t) -+ term_use_all_user_ptys($1_sudo_t) -+ term_relabel_all_user_ttys($1_sudo_t) -+ term_relabel_all_user_ptys($1_sudo_t) - ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-04-21 11:02:48.064582000 -0400 @@ -2766,6 +2707,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400 +@@ -55,7 +55,7 @@ + # + + # Use capabilities. +- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; ++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; + allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_sudo_t self:process { setexec setrlimit }; + allow $1_sudo_t self:fd use; +@@ -68,33 +68,35 @@ + allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; + allow $1_sudo_t self:unix_dgram_socket sendto; + allow $1_sudo_t self:unix_stream_socket connectto; +- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; ++ allow $1_sudo_t self:key manage_key_perms; ++ allow $1_sudo_t $1_t:key search; + + # Enter this derived domain from the user domain + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) + + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_sudo_t,$2) ++ corecmd_bin_domtrans($1_sudo_t,$2) + allow $2 $1_sudo_t:fd use; + allow $2 $1_sudo_t:fifo_file rw_file_perms; + allow $2 $1_sudo_t:process sigchld; + + kernel_read_kernel_sysctls($1_sudo_t) + kernel_read_system_state($1_sudo_t) +- kernel_search_key($1_sudo_t) ++ kernel_link_key($1_sudo_t) + + dev_read_urand($1_sudo_t) + + fs_search_auto_mountpoints($1_sudo_t) + fs_getattr_xattr_fs($1_sudo_t) + +- auth_domtrans_chk_passwd($1_sudo_t) ++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) + # sudo stores a token in the pam_pid directory + auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + + corecmd_read_bin_symlinks($1_sudo_t) +- corecmd_getattr_all_executables($1_sudo_t) ++ corecmd_exec_all_executables($1_sudo_t) + + domain_use_interactive_fds($1_sudo_t) + domain_sigchld_interactive_fds($1_sudo_t) +@@ -106,32 +108,42 @@ + files_getattr_usr_files($1_sudo_t) + # for some PAM modules and for cwd + files_dontaudit_search_home($1_sudo_t) ++ files_list_tmp($1_sudo_t) + + init_rw_utmp($1_sudo_t) + + libs_use_ld_so($1_sudo_t) + libs_use_shared_libs($1_sudo_t) + ++ logging_send_audit_msgs($1_sudo_t) + logging_send_syslog_msg($1_sudo_t) + + miscfiles_read_localization($1_sudo_t) + ++ mta_per_role_template($1, $1_sudo_t, $3) ++ + userdom_manage_user_home_content_files($1,$1_sudo_t) + userdom_manage_user_home_content_symlinks($1,$1_sudo_t) + userdom_manage_user_tmp_files($1,$1_sudo_t) + userdom_manage_user_tmp_symlinks($1,$1_sudo_t) ++ userdom_exec_user_home_content_files($1,$1_sudo_t) + userdom_use_user_terminals($1,$1_sudo_t) + userdom_use_unpriv_users_fds($1_sudo_t) + # for some PAM modules and for cwd ++ userdom_search_sysadm_home_content_dirs($1_sudo_t) + userdom_dontaudit_search_all_users_home_content($1_sudo_t) + +- ifdef(`TODO',` +- # for when the network connection is killed +- dontaudit unpriv_userdomain $1_sudo_t:process signal; +- +- ifdef(`mta.te', ` +- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) +- ') ++ domain_role_change_exemption($1_sudo_t) ++ userdom_spec_domtrans_all_users($1_sudo_t) + +- ') dnl end TODO ++ selinux_validate_context($1_sudo_t) ++ selinux_compute_relabel_context($1_sudo_t) ++ selinux_getattr_fs($1_sudo_t) ++ seutil_read_config($1_sudo_t) ++ seutil_search_default_contexts($1_sudo_t) ++ ++ term_use_all_user_ttys($1_sudo_t) ++ term_use_all_user_ptys($1_sudo_t) ++ term_relabel_all_user_ttys($1_sudo_t) ++ term_relabel_all_user_ptys($1_sudo_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-21 11:02:48.075572000 -0400 @@ -11562,7 +11606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-04-21 11:02:48.891913000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-04-24 15:33:13.461240000 -0400 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -11754,7 +11798,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # create files in /var/spool/cron manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t) filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file) -@@ -236,6 +129,7 @@ +@@ -226,16 +119,20 @@ + # Run helper programs as the user domain + corecmd_bin_domtrans($1_crontab_t,$2) + corecmd_shell_domtrans($1_crontab_t,$2) ++ allow $2 $1_crontab_t:process sigchld; + + domain_use_interactive_fds($1_crontab_t) + + files_read_etc_files($1_crontab_t) + files_dontaudit_search_pids($1_crontab_t) + ++ auth_use_nsswitch($1_crontab_t) ++ + libs_use_ld_so($1_crontab_t) libs_use_shared_libs($1_crontab_t) logging_send_syslog_msg($1_crontab_t) @@ -11762,7 +11819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron miscfiles_read_localization($1_crontab_t) -@@ -247,6 +141,7 @@ +@@ -247,6 +144,7 @@ userdom_use_user_terminals($1,$1_crontab_t) # Read user crontabs userdom_read_user_home_content_files($1,$1_crontab_t) @@ -11770,7 +11827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -285,14 +180,12 @@ +@@ -285,14 +183,12 @@ template(`cron_admin_template',` gen_require(` attribute cron_spool_type; @@ -11786,7 +11843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Manipulate other users crontab. selinux_get_fs_mount($1_crontab_t) selinux_validate_context($1_crontab_t) -@@ -438,6 +331,25 @@ +@@ -438,6 +334,25 @@ ######################################## ## @@ -11812,7 +11869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## Read, and write cron daemon TCP sockets. ## ## -@@ -558,11 +470,14 @@ +@@ -558,11 +473,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -11828,7 +11885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -583,3 +498,45 @@ +@@ -583,3 +501,45 @@ dontaudit $1 system_crond_tmp_t:file append; ') @@ -19157,100 +19214,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-04-21 11:02:49.588372000 -0400 -@@ -3,3 +3,5 @@ - /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) - - /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) -+ -+/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-04-21 11:02:49.593367000 -0400 -@@ -1 +1,68 @@ - ## Postfix policy server -+ -+######################################## -+## -+## Execute postfixpolicyd server in the postfixpolicyd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`postfixpolicyd_script_domtrans',` -+ gen_require(` -+ type postfix_policyd_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,postfix_policyd_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an postfixpolicyd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the postfixpolicyd domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`postfixpolicyd_admin',` -+ gen_require(` -+ type postfix_policyd_t; -+ type postfix_policyd_script_exec_t; -+ type postfix_policyd_conf_t; -+ type postfix_policyd_var_run_t; -+ ') -+ -+ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t) -+ -+ # Allow postfix_policyd_t to restart the apache service -+ postfixpolicyd_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 postfix_policyd_script_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ manage_all_pattern($1,postfix_policyd_conf_t) -+ -+ files_list_pids($1) -+ manage_all_pattern($1,postfix_policyd_var_run_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-04-21 11:02:49.598362000 -0400 -@@ -16,6 +16,9 @@ - type postfix_policyd_var_run_t; - files_pid_file(postfix_policyd_var_run_t) - -+type postfix_policyd_script_exec_t; -+init_script_type(postfix_policyd_script_exec_t) -+ - ######################################## - # - # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-23 15:05:37.257075000 -0400 @@ -19443,6 +19406,100 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-04-21 11:02:49.588372000 -0400 +@@ -3,3 +3,5 @@ + /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) + + /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) ++ ++/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-04-21 11:02:49.593367000 -0400 +@@ -1 +1,68 @@ + ## Postfix policy server ++ ++######################################## ++## ++## Execute postfixpolicyd server in the postfixpolicyd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`postfixpolicyd_script_domtrans',` ++ gen_require(` ++ type postfix_policyd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,postfix_policyd_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an postfixpolicyd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the postfixpolicyd domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`postfixpolicyd_admin',` ++ gen_require(` ++ type postfix_policyd_t; ++ type postfix_policyd_script_exec_t; ++ type postfix_policyd_conf_t; ++ type postfix_policyd_var_run_t; ++ ') ++ ++ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t) ++ ++ # Allow postfix_policyd_t to restart the apache service ++ postfixpolicyd_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 postfix_policyd_script_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ manage_all_pattern($1,postfix_policyd_conf_t) ++ ++ files_list_pids($1) ++ manage_all_pattern($1,postfix_policyd_var_run_t) ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-04-21 11:02:49.598362000 -0400 +@@ -16,6 +16,9 @@ + type postfix_policyd_var_run_t; + files_pid_file(postfix_policyd_var_run_t) + ++type postfix_policyd_script_exec_t; ++init_script_type(postfix_policyd_script_exec_t) ++ + ######################################## + # + # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-21 11:02:49.603357000 -0400 @@ -21130,123 +21187,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-21 11:02:49.886076000 -0400 -@@ -5,3 +5,5 @@ - /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+ -+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-21 11:02:49.891070000 -0400 -@@ -95,3 +95,70 @@ - manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_search_var_lib($1) - ') -+ -+######################################## -+## -+## Execute rpcbind server in the rpcbind domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`rpcbind_script_domtrans',` -+ gen_require(` -+ type rpcbind_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,rpcbind_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an rpcbind environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the rpcbind domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`rpcbind_admin',` -+ gen_require(` -+ type rpcbind_t; -+ type rpcbind_script_exec_t; -+ type rpcbind_var_lib_t; -+ type rpcbind_var_run_t; -+ ') -+ -+ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, rpcbind_t, rpcbind_t) -+ -+ # Allow rpcbind_t to restart the apache service -+ rpcbind_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 rpcbind_script_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_var_lib($1) -+ manage_all_pattern($1,rpcbind_var_lib_t) -+ -+ files_list_pids($1) -+ manage_all_pattern($1,rpcbind_var_run_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-21 11:02:49.897064000 -0400 -@@ -16,16 +16,21 @@ - type rpcbind_var_lib_t; - files_type(rpcbind_var_lib_t) - -+type rpcbind_script_exec_t; -+init_script_type(rpcbind_script_exec_t) -+ - ######################################## - # - # rpcbind local policy - # - --allow rpcbind_t self:capability setuid; -+allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; - allow rpcbind_t self:fifo_file rw_file_perms; - allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; - allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; - allow rpcbind_t self:udp_socket create_socket_perms; -+# BROKEN ... -+dontaudit rpcbind_t self:udp_socket listen; - allow rpcbind_t self:tcp_socket create_stream_socket_perms; - - manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) -@@ -37,6 +42,7 @@ - manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) - -+kernel_read_system_state(rpcbind_t) - kernel_read_network_state(rpcbind_t) - - corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2008-04-21 11:02:49.875087000 -0400 @@ -21383,6 +21323,123 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc +--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-21 11:02:49.886076000 -0400 +@@ -5,3 +5,5 @@ + /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) ++ ++/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if +--- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-21 11:02:49.891070000 -0400 +@@ -95,3 +95,70 @@ + manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_search_var_lib($1) + ') ++ ++######################################## ++## ++## Execute rpcbind server in the rpcbind domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`rpcbind_script_domtrans',` ++ gen_require(` ++ type rpcbind_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,rpcbind_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rpcbind environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the rpcbind domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`rpcbind_admin',` ++ gen_require(` ++ type rpcbind_t; ++ type rpcbind_script_exec_t; ++ type rpcbind_var_lib_t; ++ type rpcbind_var_run_t; ++ ') ++ ++ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, rpcbind_t, rpcbind_t) ++ ++ # Allow rpcbind_t to restart the apache service ++ rpcbind_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rpcbind_script_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_var_lib($1) ++ manage_all_pattern($1,rpcbind_var_lib_t) ++ ++ files_list_pids($1) ++ manage_all_pattern($1,rpcbind_var_run_t) ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-21 11:02:49.897064000 -0400 +@@ -16,16 +16,21 @@ + type rpcbind_var_lib_t; + files_type(rpcbind_var_lib_t) + ++type rpcbind_script_exec_t; ++init_script_type(rpcbind_script_exec_t) ++ + ######################################## + # + # rpcbind local policy + # + +-allow rpcbind_t self:capability setuid; ++allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; + allow rpcbind_t self:fifo_file rw_file_perms; + allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; + allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; + allow rpcbind_t self:udp_socket create_socket_perms; ++# BROKEN ... ++dontaudit rpcbind_t self:udp_socket listen; + allow rpcbind_t self:tcp_socket create_stream_socket_perms; + + manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) +@@ -37,6 +42,7 @@ + manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) + ++kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + + corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rshd.te 2008-04-21 11:02:49.902059000 -0400 @@ -31625,7 +31682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-23 10:15:18.704057000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-24 15:08:40.156331000 -0400 @@ -29,9 +29,14 @@ ') @@ -32739,26 +32796,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1193,12 +1204,15 @@ +@@ -1193,12 +1204,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) -+ ') -+ -+ optional_policy(` -+ hal_dbus_chat($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ cron_per_role_template($1, $1_t, $1_r) ++ hal_dbus_chat($1_t) ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1221,27 @@ +@@ -1207,7 +1217,27 @@ ') optional_policy(` @@ -32787,7 +32840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1318,6 @@ +@@ -1284,8 +1314,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -32796,7 +32849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1339,6 @@ +@@ -1307,8 +1335,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -32805,7 +32858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1393,6 @@ +@@ -1363,13 +1389,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -32819,7 +32872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1445,7 @@ +@@ -1422,6 +1441,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -32827,7 +32880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1811,14 @@ +@@ -1787,10 +1807,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -32843,7 +32896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1914,11 @@ +@@ -1886,11 +1910,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -32857,7 +32910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1948,11 @@ +@@ -1920,11 +1944,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -32871,7 +32924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1996,12 @@ +@@ -1968,12 +1992,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -32887,7 +32940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2031,11 @@ +@@ -2003,10 +2027,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -32901,7 +32954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2067,47 @@ +@@ -2038,11 +2063,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -32951,7 +33004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2139,10 @@ +@@ -2074,10 +2135,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -32964,7 +33017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2172,11 @@ +@@ -2107,11 +2168,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -32978,7 +33031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2206,11 @@ +@@ -2141,11 +2202,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32993,7 +33046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2240,14 @@ +@@ -2175,10 +2236,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -33010,7 +33063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2277,11 @@ +@@ -2208,11 +2273,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -33024,7 +33077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2311,11 @@ +@@ -2242,11 +2307,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -33038,7 +33091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2345,10 @@ +@@ -2276,10 +2341,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -33051,7 +33104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2380,12 @@ +@@ -2311,12 +2376,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -33067,7 +33120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2417,10 @@ +@@ -2348,10 +2413,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -33080,7 +33133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2452,12 @@ +@@ -2383,12 +2448,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -33096,7 +33149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2489,12 @@ +@@ -2420,12 +2485,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -33112,7 +33165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2526,12 @@ +@@ -2457,12 +2522,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -33128,7 +33181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2576,11 @@ +@@ -2507,11 +2572,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -33142,7 +33195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2625,11 @@ +@@ -2556,11 +2621,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -33156,7 +33209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2669,11 @@ +@@ -2600,11 +2665,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -33170,7 +33223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2703,11 @@ +@@ -2634,11 +2699,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -33184,7 +33237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2737,11 @@ +@@ -2668,11 +2733,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -33198,7 +33251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2773,10 @@ +@@ -2704,10 +2769,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -33211,7 +33264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2808,10 @@ +@@ -2739,10 +2804,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -33224,7 +33277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2841,12 @@ +@@ -2772,12 +2837,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -33240,7 +33293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2878,10 @@ +@@ -2809,10 +2874,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -33253,7 +33306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2913,48 @@ +@@ -2844,10 +2909,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -33304,7 +33357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2984,12 @@ +@@ -2877,12 +2980,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -33320,7 +33373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3021,10 @@ +@@ -2914,10 +3017,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -33333,7 +33386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3056,12 @@ +@@ -2949,12 +3052,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -33349,7 +33402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3093,11 @@ +@@ -2986,11 +3089,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -33363,7 +33416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3129,11 @@ +@@ -3022,11 +3125,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -33377,7 +33430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3165,11 @@ +@@ -3058,11 +3161,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -33391,7 +33444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3201,11 @@ +@@ -3094,11 +3197,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -33405,7 +33458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3237,11 @@ +@@ -3130,11 +3233,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -33419,7 +33472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3286,10 @@ +@@ -3179,10 +3282,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -33432,7 +33485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3330,10 @@ +@@ -3223,10 +3326,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -33445,7 +33498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3361,24 @@ +@@ -3254,24 +3357,24 @@ ## ## # @@ -33474,7 +33527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3290,23 +3397,24 @@ +@@ -3290,23 +3393,24 @@ ## ## # @@ -33506,7 +33559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3321,13 +3429,84 @@ +@@ -3321,18 +3425,89 @@ ## ## ##

@@ -33520,8 +33573,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo gen_require(` - type $1_untrusted_content_t; + type $1_tmpfs_t; -+ ') -+ + ') + +- dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; +-') +- + fs_search_tmpfs($2) + allow $2 $1_tmpfs_t:dir list_dir_perms; + delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) @@ -33591,10 +33647,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +template(`userdom_dontaudit_list_user_untrusted_content',` + gen_require(` + type $1_untrusted_content_t; - ') - - dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; -@@ -4231,11 +4410,11 @@ ++ ') ++ ++ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; ++') ++ + ######################################## + ## + ## Read user untrusted files. +@@ -4231,11 +4406,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -33608,7 +33669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4430,10 @@ +@@ -4251,10 +4426,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -33621,7 +33682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4449,11 @@ +@@ -4270,11 +4445,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -33635,7 +33696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4468,16 @@ +@@ -4289,16 +4464,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -33655,7 +33716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4486,35 @@ +@@ -4307,12 +4482,35 @@ ## ## # @@ -33664,9 +33725,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo gen_require(` - type staff_home_t; + type user_home_t; - ') - -- dontaudit $1 staff_home_t:file append; ++ ') ++ + dontaudit $1 user_home_t:file append_file_perms; + + tunable_policy(`use_nfs_home_dirs',` @@ -33675,9 +33735,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_append_cifs_files($1) -+ ') + ') +') -+ + +- dontaudit $1 staff_home_t:file append; +######################################## +## +## Do not audit attempts to append to the staff @@ -33694,7 +33755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4529,13 @@ +@@ -4327,13 +4525,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -33712,7 +33773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4733,10 @@ +@@ -4531,10 +4729,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -33725,7 +33786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4753,10 @@ +@@ -4551,10 +4749,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -33738,7 +33799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4771,10 @@ +@@ -4569,10 +4767,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -33751,7 +33812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4790,10 @@ +@@ -4588,10 +4786,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -33764,7 +33825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4808,10 @@ +@@ -4606,10 +4804,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -33777,7 +33838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4827,10 @@ +@@ -4625,10 +4823,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -33790,7 +33851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4846,11 @@ +@@ -4644,12 +4842,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -33806,7 +33867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4877,10 @@ +@@ -4676,10 +4873,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -33819,7 +33880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4895,10 @@ +@@ -4694,10 +4891,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -33832,7 +33893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4913,13 @@ +@@ -4712,13 +4909,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -33850,7 +33911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4955,49 @@ +@@ -4754,11 +4951,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -33901,22 +33962,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5017,14 @@ +@@ -4778,6 +5013,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; + + tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs(crond_t) ++ fs_list_nfs($1) + ') + + tunable_policy(`use_samba_home_dirs',` -+ fs_list_cifs(crond_t) ++ fs_list_cifs($1) + ') ') ######################################## -@@ -4839,6 +5086,26 @@ +@@ -4839,6 +5082,26 @@ ######################################## ## @@ -33943,7 +34004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5126,25 @@ +@@ -4859,6 +5122,25 @@ ######################################## ## @@ -33969,7 +34030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5165,26 @@ +@@ -4879,6 +5161,26 @@ ######################################## ## @@ -33996,7 +34057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5421,7 @@ +@@ -5115,7 +5417,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -34005,7 +34066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5610,63 @@ +@@ -5304,6 +5606,63 @@ ######################################## ## @@ -34069,7 +34130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,7 +5872,7 @@ +@@ -5509,7 +5868,7 @@ ######################################## ## @@ -34078,7 +34139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5517,18 +5880,17 @@ +@@ -5517,18 +5876,17 @@ ## ## # @@ -34101,7 +34162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5536,17 +5898,17 @@ +@@ -5536,17 +5894,17 @@ ## ## # @@ -34123,7 +34184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5554,18 +5916,55 @@ +@@ -5554,12 +5912,49 @@ ## ## # @@ -34135,13 +34196,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') - read_files_pattern($1,userdomain,userdomain) -- kernel_search_proc($1) + allow $1 user_ttynode:chr_file rw_term_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. ++') ++ ++######################################## ++## +## Do not audit attempts to use unprivileged +## user ttys. +## @@ -34175,16 +34234,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + ps_process_pattern($1,userdomain) -+ kernel_search_proc($1) -+') -+ -+######################################## -+## -+## Get the attributes of all user domains. - ## - ## - ## -@@ -5674,6 +6073,42 @@ + kernel_search_proc($1) + ') + +@@ -5674,6 +6069,42 @@ ######################################## ## @@ -34227,7 +34280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6139,370 @@ +@@ -5704,3 +6135,370 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -35832,8 +35885,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-21 11:02:50.734385000 -0400 -@@ -0,0 +1,20 @@ ++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-24 15:09:37.398476000 -0400 +@@ -0,0 +1,23 @@ +policy_module(staff,1.0.1) +userdom_admin_login_user_template(staff) + @@ -35847,13 +35900,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t + xserver_domtrans_xdm_xserver(staff_t) +') + ++optional_policy(` ++ cron_per_role_template(staff, staff_t, staff_r) ++') ++ +ifndef(`enable_mls',` +optional_policy(` +userdom_role_change_template(staff, unconfined) +') +') + -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.3.1/policy/modules/users/user.fc --- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/users/user.fc 2008-04-21 11:02:50.738381000 -0400 @@ -35866,12 +35922,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if +## Policy for user user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.3.1/policy/modules/users/user.te --- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-04-21 11:02:50.746372000 -0400 -@@ -0,0 +1,17 @@ ++++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-04-24 15:09:03.056815000 -0400 +@@ -0,0 +1,18 @@ +policy_module(user,1.0.1) +userdom_unpriv_user_template(user) + +optional_policy(` ++ cron_per_role_template(user, user_t, user_r) ++') ++ ++optional_policy(` + kerneloops_dontaudit_dbus_chat(user_t) +') + @@ -35882,9 +35942,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') -+ -+ -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.3.1/policy/modules/users/webadm.fc --- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/users/webadm.fc 2008-04-21 11:02:50.749370000 -0400 @@ -36100,47 +36157,3 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular ---- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400 -@@ -73,8 +73,8 @@ - $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" - @test -d $(tmpdir) || mkdir -p $(tmpdir) -- $(call perrole-expansion,$(basename $(@F)),$@.role) -- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+# $(call perrole-expansion,$(basename $(@F)),$@.role) -+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - - $(tmpdir)/%.mod.fc: $(m4support) %.fc -@@ -129,7 +129,7 @@ - @test -d $(tmpdir) || mkdir -p $(tmpdir) - # define all available object classes - $(verbose) $(genperm) $(avs) $(secclass) > $@ -- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) -+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) - $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true - - $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy -@@ -147,7 +147,7 @@ - $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ -- $(call parse-rolemap,base,$@) -+# $(call parse-rolemap,base,$@) - - $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic ---- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 -+++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400 -@@ -96,7 +96,7 @@ - # - # Load the binary policy - # --reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) -+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) - @echo "Loading $(NAME) $(loadpath)" - $(verbose) $(LOADPOLICY) -q $(loadpath) - @touch $(tmpdir)/load diff --git a/selinux-policy.spec b/selinux-policy.spec index 8f68461..6231f1c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 39%{?dist} +Release: 40%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -385,6 +385,9 @@ exit 0 %endif %changelog +* Thu Apr 24 2008 Dan Walsh 3.3.1-40 +- Don't run crontab from unconfined_t + * Wed Apr 23 2008 Dan Walsh 3.3.1-39 - Change etc files to config files to allow users to read them