diff --git a/policy-20080710.patch b/policy-20080710.patch index 4d14cbc..769ecf7 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -3571,7 +3571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/apps/mozilla.if 2008-09-12 10:59:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/apps/mozilla.if 2008-09-17 07:36:14.000000000 -0400 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -3583,7 +3583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -45,20 +48,24 @@ +@@ -45,36 +48,44 @@ application_domain($1_mozilla_t, mozilla_exec_t) role $3 types $1_mozilla_t; 
@@ -3609,15 +3609,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_mozilla_t self:capability { sys_nice setgid setuid }; - allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit }; -+ allow $1_mozilla_t self:process { ptrace sigkill signal setsched getsched setrlimit }; ++ allow $1_mozilla_t self:process { ptrace sigkill signal signull setsched getsched setrlimit }; allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; allow $1_mozilla_t self:sem create_sem_perms; -@@ -66,15 +73,19 @@ + allow $1_mozilla_t self:socket create_socket_perms; allow $1_mozilla_t self:unix_stream_socket { listen accept }; # Browse the web, connect to printer - allow $1_mozilla_t self:tcp_socket create_socket_perms; +- allow $1_mozilla_t self:tcp_socket create_socket_perms; - allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms; ++ allow $1_mozilla_t self:tcp_socket create_stream_socket_perms; # for bash - old mozilla binary can_exec($1_mozilla_t, mozilla_exec_t) @@ -3720,15 +3721,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Browse the web, connect to printer corenet_all_recvfrom_unlabeled($1_mozilla_t) -@@ -139,7 +178,6 @@ +@@ -137,9 +176,9 @@ + corenet_tcp_sendrecv_ipp_port($1_mozilla_t) + corenet_tcp_connect_http_port($1_mozilla_t) corenet_tcp_connect_http_cache_port($1_mozilla_t) ++ corenet_tcp_connect_flash_port($1_mozilla_t) corenet_tcp_connect_ftp_port($1_mozilla_t) corenet_tcp_connect_ipp_port($1_mozilla_t) - corenet_tcp_connect_generic_port($1_mozilla_t) corenet_sendrecv_http_client_packets($1_mozilla_t) corenet_sendrecv_http_cache_client_packets($1_mozilla_t) corenet_sendrecv_ftp_client_packets($1_mozilla_t) -@@ -165,13 +203,28 @@ +@@ -165,13 +204,28 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) 
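Review bot: The new `allow $1_mozilla_t self:tcp_socket create_stream_socket_perms;` sits under the unchanged comment `# Browse the web, connect to printer`, which describes a client only. As I recall, refpolicy's stream set is `create_socket_perms` plus `listen` and `accept`, so the browser domain gains server-side socket permissions with no stated reason. A why-comment on that line, for example `# listen/accept needed by <component> (<bug reference>)`, would make the grant auditable; if only one plugin needs it, a tunable would keep it off by default. The same hunk adds `signull` to `self:process` next to the existing `ptrace`, also without a comment. The template body starts and ends outside the hunk.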
@@ -3757,7 +3761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so($1_mozilla_t) libs_use_shared_libs($1_mozilla_t) -@@ -180,16 +233,8 @@ +@@ -180,17 +234,10 @@ miscfiles_read_fonts($1_mozilla_t) miscfiles_read_localization($1_mozilla_t) @@ -3774,9 +3778,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t) + userdom_dontaudit_use_user_terminals($1, $1_mozilla_t) ++ xserver_read_xdm_pid($1_mozilla_t) xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -211,131 +256,8 @@ + xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) +@@ -211,131 +258,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -3910,7 +3916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -350,57 +272,48 @@ +@@ -350,57 +274,48 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -3984,7 +3990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -430,11 +343,11 @@ +@@ -430,11 +345,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` @@ -3999,7 +4005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -464,11 +377,10 @@ +@@ -464,11 +379,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -4013,7 +4019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -573,3 +485,27 @@ +@@ -573,3 +487,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
@@ -4074,8 +4080,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias mozilla_tmp_t alias user_mozilla_tmp_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.8/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/apps/mplayer.fc 2008-09-12 10:59:28.000000000 -0400 -@@ -10,4 +10,4 @@ ++++ serefpolicy-3.5.8/policy/modules/apps/mplayer.fc 2008-09-17 07:30:05.000000000 -0400 +@@ -1,13 +1,8 @@ + # +-# /etc +-# +-/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) +- +-# + # /usr + # + /usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) @@ -4786,8 +4801,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.8/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/policy/modules/apps/openoffice.if 2008-09-12 10:59:28.000000000 -0400 -@@ -0,0 +1,102 @@ ++++ serefpolicy-3.5.8/policy/modules/apps/openoffice.if 2008-09-17 07:25:52.000000000 -0400 +@@ -0,0 +1,103 @@ +## Openoffice + +####################################### @@ -4834,6 +4849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # + + domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) ++ allow $2 $1_openoffice_t:process { signal sigkill }; +') + +####################################### 
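Review bot: Removing the `/etc/mplayer(/.*)?` entry from mplayer.fc leaves no file context for that directory in the visible lines, so after a relabel its files would take the default label for /etc. If `mplayer_etc_t` is still declared or referenced in mplayer.te or mplayer.if (not visible in this hunk), those rules would no longer match any labelled file. If the type is dropped instead, files that already carry it keep a stale context until they are relabeled. A one-line note in the patch or changelog that `mplayer_etc_t` is retired on purpose, and a relabel of /etc/mplayer on upgrade, would close the gap.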
@@ -8413,8 +8429,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.8/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/policy/modules/roles/guest.te 2008-09-12 10:59:28.000000000 -0400 -@@ -0,0 +1,44 @@ ++++ serefpolicy-3.5.8/policy/modules/roles/guest.te 2008-09-17 07:32:27.000000000 -0400 +@@ -0,0 +1,46 @@ + +policy_module(guest, 1.0.0) + @@ -8458,6 +8474,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t) ++ allow xguest_mozilla_t xguest_openoffice_t:process { signal sigkill }; ++ allow xguest_openoffice_t xguest_mozilla_t:unix_sream_socket connectto; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.8/policy/modules/roles/logadm.fc --- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 @@ -9966,7 +9984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/apache.fc 2008-09-12 10:59:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/apache.fc 2008-09-16 15:29:22.000000000 -0400 
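Review bot: The object class in the second added line of the guest.te hunk is misspelled: `unix_sream_socket` should be `unix_stream_socket`. As written the rule names a class that does not exist, so the module should fail to compile, or at best never grant the intended `connectto`. The line should read `allow xguest_openoffice_t xguest_mozilla_t:unix_stream_socket connectto;`. The `signal sigkill` rule above it repeats what the openoffice.if change in this same commit adds to the template; whether that template is invoked with `xguest_mozilla_t` as the caller is not visible here, so confirm the explicit rule is still needed. The enclosing `optional_policy` block opens outside the hunk.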
@@ -1,10 +1,10 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -13058,7 +13076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.8/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/cron.if 2008-09-12 16:29:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/cron.if 2008-09-16 14:09:27.000000000 -0400 @@ -35,39 +35,24 @@ # template(`cron_per_role_template',` @@ -13362,7 +13380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,3 +500,44 @@ +@@ -584,3 +500,45 @@ dontaudit $1 system_crond_tmp_t:file append; ') @@ -13382,6 +13400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`cron_dontaudit_write_system_job_tmp_files',` + gen_require(` + type system_crond_tmp_t; ++ type cron_var_run_t; + type system_crond_var_run_t; + ') + 
@@ -20379,8 +20398,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.8/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/policy/modules/services/polkit.if 2008-09-12 10:59:28.000000000 -0400 -@@ -0,0 +1,212 @@ ++++ serefpolicy-3.5.8/policy/modules/services/polkit.if 2008-09-16 15:04:25.000000000 -0400 +@@ -0,0 +1,213 @@ + +## policy for polkit_auth + @@ -20484,6 +20503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow polkit_resolve_t $1:dir list_dir_perms; + read_files_pattern(polkit_resolve_t, $1, $1) + read_lnk_files_pattern(polkit_resolve_t, $1, $1) ++ allow polkit_resolve_t $1:process getattr; +') + +######################################## @@ -27459,7 +27479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/xserver.if 2008-09-12 10:59:29.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/xserver.if 2008-09-17 07:35:23.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; 
@@ -33260,7 +33280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-16 09:56:01.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-17 07:27:44.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -34287,7 +34307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1029,24 @@ +@@ -1042,12 +1029,25 @@ # # privileged home directory writers @@ -34313,12 +34333,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + optional_policy(` + cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) + ') + ') optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1087,14 +1086,16 @@ +@@ -1087,14 +1087,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -34340,7 +34361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1103,23 @@ +@@ -1102,28 +1104,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -34374,7 +34395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1130,7 @@ +@@ -1134,8 +1131,7 @@ ## ## ##

@@ -34384,7 +34405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1167,11 +1162,10 @@ +@@ -1167,11 +1163,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -34397,7 +34418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1183,49 @@ +@@ -1189,36 +1184,49 @@ ') ') @@ -34460,7 +34481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1302,6 @@ +@@ -1295,8 +1303,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -34469,7 +34490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1323,6 @@ +@@ -1318,8 +1324,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -34478,7 +34499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1377,6 @@ +@@ -1374,13 +1378,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -34492,7 +34513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1428,7 @@ +@@ -1432,6 +1429,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -34500,7 +34521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1458,6 @@ +@@ -1461,10 +1459,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) 
@@ -34511,7 +34532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1477,14 @@ +@@ -1484,6 +1478,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -34526,7 +34547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1742,15 @@ +@@ -1741,11 +1743,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -34545,7 +34566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1846,11 @@ +@@ -1841,11 +1847,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -34559,7 +34580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1880,11 @@ +@@ -1875,11 +1881,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -34573,7 +34594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1928,12 @@ +@@ -1923,12 +1929,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -34589,7 +34610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1963,11 @@ +@@ -1958,10 +1964,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -34603,7 +34624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1999,47 @@ +@@ -1993,11 +2000,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` 
@@ -34653,7 +34674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2071,10 @@ +@@ -2029,10 +2072,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -34666,7 +34687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2104,11 @@ +@@ -2062,11 +2105,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -34680,7 +34701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2138,11 @@ +@@ -2096,11 +2139,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -34695,7 +34716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2172,14 @@ +@@ -2130,10 +2173,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -34712,7 +34733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2209,11 @@ +@@ -2163,11 +2210,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -34726,7 +34747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2243,11 @@ +@@ -2197,11 +2244,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -34740,7 +34761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2277,10 @@ +@@ -2231,10 +2278,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` 
@@ -34753,7 +34774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2312,12 @@ +@@ -2266,12 +2313,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -34769,7 +34790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2349,10 @@ +@@ -2303,10 +2350,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -34782,7 +34803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2384,12 @@ +@@ -2338,12 +2385,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -34798,7 +34819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2421,12 @@ +@@ -2375,12 +2422,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -34814,7 +34835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2458,12 @@ +@@ -2412,12 +2459,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -34830,7 +34851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2508,11 @@ +@@ -2462,11 +2509,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -34844,7 +34865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2557,11 @@ +@@ -2511,11 +2558,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` 
@@ -34858,7 +34879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2601,11 @@ +@@ -2555,11 +2602,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -34872,7 +34893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2635,11 @@ +@@ -2589,11 +2636,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -34886,7 +34907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2669,11 @@ +@@ -2623,11 +2670,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -34900,7 +34921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2705,10 @@ +@@ -2659,10 +2706,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -34913,7 +34934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2740,10 @@ +@@ -2694,10 +2741,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -34926,7 +34947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2773,12 @@ +@@ -2727,12 +2774,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -34942,7 +34963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2810,10 @@ +@@ -2764,10 +2811,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` 
@@ -34955,7 +34976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2845,10 @@ +@@ -2799,10 +2846,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -34968,7 +34989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2878,12 @@ +@@ -2832,12 +2879,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -34984,7 +35005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2915,10 @@ +@@ -2869,10 +2916,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -34997,7 +35018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2950,12 @@ +@@ -2904,12 +2951,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -35013,7 +35034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2987,11 @@ +@@ -2941,11 +2988,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -35027,7 +35048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3023,11 @@ +@@ -2977,11 +3024,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -35041,7 +35062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3059,11 @@ +@@ -3013,11 +3060,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` 
@@ -35055,7 +35076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3095,11 @@ +@@ -3049,11 +3096,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -35069,7 +35090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3131,11 @@ +@@ -3085,11 +3132,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -35083,7 +35104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3180,10 @@ +@@ -3134,10 +3181,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -35096,7 +35117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3224,19 @@ +@@ -3178,19 +3225,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -35120,7 +35141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -4616,11 +4662,11 @@ +@@ -4616,11 +4663,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -35134,7 +35155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4686,14 @@ +@@ -4640,6 +4687,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -35149,7 +35170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4731,8 @@ +@@ -4677,6 +4732,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -35158,7 +35179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4777,25 @@ +@@ -4721,6 +4778,25 @@ ######################################## ##

@@ -35184,7 +35205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5021,7 @@ +@@ -4946,7 +5022,7 @@ ######################################## ## @@ -35193,7 +35214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,7 +5393,7 @@ +@@ -5318,7 +5394,7 @@ ######################################## ## @@ -35202,7 +35223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5326,18 +5401,17 @@ +@@ -5326,18 +5402,17 @@ ## ## # @@ -35225,7 +35246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5345,17 +5419,17 @@ +@@ -5345,17 +5420,17 @@ ## ## # @@ -35247,7 +35268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5363,18 +5437,18 @@ +@@ -5363,18 +5438,18 @@ ## ## # @@ -35271,7 +35292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5382,17 +5456,54 @@ +@@ -5382,17 +5457,54 @@ ## ## # @@ -35330,7 +35351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5483,6 +5594,42 @@ +@@ -5483,6 +5595,42 @@ ######################################## ## @@ -35373,7 +35394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5660,524 @@ +@@ -5513,3 +5661,524 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')