diff --git a/policy-F13.patch b/policy-F13.patch index ed5a490..fb01c63 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -32868,8 +32868,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.19/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -28,6 +28,7 @@ ++++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-05-24 17:32:23.000000000 -0400 +@@ -28,10 +28,12 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -32877,6 +32877,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc # # /sbin + # ++/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-04-22 12:09:51.000000000 -0400 @@ -33296,7 +33301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-20 09:42:45.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-24 17:17:58.000000000 -0400 
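Review bot: The added `/sbin/mount\.crypt` entry in the lvm.fc `/sbin` block gives the helper the same `lvm_exec_t` label as `cryptsetup`, `dmraid` and `dmsetup`, and nothing in the hunk records why. Presumably any domain already allowed to transition on `lvm_exec_t` would then run mount.crypt in the LVM domain; it is worth confirming that this is intended rather than a dedicated type. If it is, I would put a comment above the entry, for example `# mount.crypt sets up dm-crypt volumes, so it shares the lvm entry type`. I would also move the line after `/sbin/dmsetup`, since the visible neighbours appear to be in alphabetical order. The lvm.fc listing continues outside this hunk.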
@@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -33338,7 +33343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; ++allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; +allow mount_t self:process { getcap getsched ptrace setcap signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; @@ -35833,8 +35838,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-24 14:15:38.000000000 -0400 -@@ -1,4 +1,12 @@ ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-24 17:24:42.000000000 -0400 +@@ -1,4 +1,13 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) 
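Review bot: The `allow mount_t self:capability { ... }` rule gains `dac_read_search`, but the only comment above it is still `# setuid/setgid needed to mount cifs`, so the reason for the new capability is not recorded. The set already holds `dac_override`, `sys_admin`, `sys_rawio` and `setpcap`. Without a note naming the program or denial behind each addition, nobody can later tell which entries are safe to drop. Proposed comment on the line above: `# dac_read_search: <helper and AVC/bug reference that required it>`. The mount.te rules continue outside this hunk.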
@@ -35844,13 +35849,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) -+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) ++HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) ++HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-24 14:25:06.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-24 17:22:40.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -36135,7 +36141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -303,6 +319,47 @@ +@@ -303,6 +319,27 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) 
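Review bot: The new `HOME_DIR/local/bin(/.*)?` pattern in userdomain.fc labels `~/local/bin` as `home_bin_t`, not the hidden `~/.local/bin`. If the dot directory was meant, the entry needs the escaped form `HOME_DIR/\.local/bin(/.*)?`, as the neighbouring `\.cert` and `\.pki` lines use. Either way the change adds another user-writable tree carrying `home_bin_t`, the type that `exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)` elsewhere on this page grants execute on. A short comment such as `# per-user install prefix used by <tool>` would make clear that this is deliberate. The userdomain.fc entries continue outside the hunk.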
@@ -36160,30 +36166,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) + files_search_home($1) -+') -+ -+####################################### -+## -+## Execute user bin files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_exec_user_bin_files',` -+ gen_require(` -+ attribute user_home_type; -+ type home_bin_t, user_home_dir_t; -+ ') -+ -+ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) -+ files_search_home($1) ') ####################################### -@@ -322,6 +379,7 @@ +@@ -322,6 +359,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -36191,7 +36177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($1) ') -@@ -368,46 +426,41 @@ +@@ -368,46 +406,41 @@ ####################################### ## @@ -36213,10 +36199,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - gen_require(` - type $1_t; - ') -- ++interface(`userdom_basic_networking',` + - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+interface(`userdom_basic_networking',` ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -36228,9 +36216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; - +- - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) 
@@ -36258,7 +36244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -438,6 +491,7 @@ +@@ -438,6 +471,7 @@ dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -36266,7 +36252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -498,7 +552,7 @@ +@@ -498,7 +532,7 @@ attribute unpriv_userdomain; ') @@ -36275,7 +36261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -508,71 +562,78 @@ +@@ -508,71 +542,78 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -36296,27 +36282,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -36392,7 +36378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`user_ttyfile_stat',` -@@ -580,65 +641,108 @@ +@@ -580,65 +621,108 @@ ') optional_policy(` @@ -36404,19 +36390,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ canna_stream_connect($1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) ++ canna_stream_connect($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) ++ chrome_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -36432,58 +36418,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_var_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) - ') -+ -+ optional_policy(` -+ modemmanager_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_var_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + vpn_dbus_chat($1_usertype) -+ ') -+ ') -+ -+ optional_policy(` -+ git_session_role($1_r, $1_usertype) + ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) ++ git_session_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') 
@@ -36506,20 +36492,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ ') -+ -+ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -649,41 +753,50 @@ +@@ -649,41 +733,50 @@ optional_policy(` # to allow monitoring of pcmcia status @@ -36546,42 +36532,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpc_dontaudit_getattr_exports($1_usertype) -+ rpc_manage_nfs_rw_content($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpc_dontaudit_getattr_exports($1_usertype) ++ rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ slrnpull_search_spool($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') + ++ optional_policy(` ++ seunshare_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ slrnpull_search_spool($1_usertype) ++ ') ++ ') ####################################### -@@ -711,13 +824,26 @@ +@@ -711,13 +804,26 @@ userdom_base_user_template($1) 
@@ -36590,12 +36576,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -36603,9 +36591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -36613,7 +36599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -735,70 +861,73 @@ +@@ -735,70 +841,73 @@ allow $1_t self:context contains; @@ -36678,10 +36664,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) -+ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -36720,7 +36706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -830,12 +959,35 @@ +@@ -830,12 +939,35 @@ typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -36756,7 +36742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -871,45 +1023,83 @@ +@@ -871,45 +1003,83 @@ # auth_role($1_r, $1_t) @@ -36831,14 +36817,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + policykit_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ pulseaudio_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) -+ pulseaudio_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + rtkit_scheduled($1_usertype) ') @@ -36855,7 +36841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -944,7 +1134,7 @@ +@@ -944,7 +1114,7 @@ # # Inherit rules for ordinary users. @@ -36864,7 +36850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1143,73 @@ +@@ -953,54 +1123,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -36913,36 +36899,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) + cdrecord_role($1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) -+ cron_role($1_r, $1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) -+ games_rw_data($1_usertype) + ') + + optional_policy(` -+ gpg_role($1_r, $1_usertype) ++ cron_role($1_r, $1_t) + ') + + optional_policy(` -+ gnomeclock_dbus_chat($1_t) ++ games_rw_data($1_usertype) + ') + + optional_policy(` -+ gpm_stream_connect($1_usertype) ++ gpg_role($1_r, $1_usertype) + ') + + optional_policy(` -+ execmem_role_template($1, $1_r, $1_t) ++ gnomeclock_dbus_chat($1_t) + ') + + optional_policy(` ++ gpm_stream_connect($1_usertype) + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t,$1_r) ++ execmem_role_template($1, $1_r, $1_t) + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + java_role_template($1, $1_r, $1_t) + ') + @@ -36968,7 +36954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1036,7 +1245,7 @@ +@@ -1036,7 +1225,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -36977,7 +36963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1071,6 +1280,9 @@ +@@ -1071,6 +1260,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -36987,7 +36973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1297,7 @@ +@@ -1085,6 +1277,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -36995,7 +36981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1116,10 +1329,13 @@ +@@ -1116,10 +1309,13 @@ domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -37009,7 +36995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1139,6 +1355,7 @@ +@@ -1139,6 +1335,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -37017,7 +37003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1207,6 +1424,8 @@ +@@ -1207,6 +1404,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -37026,7 +37012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1234,6 +1453,7 @@ +@@ -1234,6 +1433,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -37034,7 +37020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1272,11 +1492,15 @@ +@@ -1272,11 +1472,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -37050,7 +37036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,6 +1611,7 @@ +@@ -1387,6 +1591,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -37058,7 +37044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1433,6 +1658,14 @@ +@@ -1433,6 +1638,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -37073,7 +37059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1681,11 @@ +@@ -1448,9 +1661,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -37085,7 +37071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1742,42 @@ +@@ -1507,6 +1722,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -37128,7 +37114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,6 +1852,8 @@ +@@ -1581,6 +1832,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -37137,7 +37123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1595,10 +1868,12 @@ +@@ -1595,10 +1848,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -37152,7 +37138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1641,6 +1916,24 @@ +@@ -1641,6 +1896,24 @@ ######################################## ## @@ -37177,7 +37163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,6 +1985,7 @@ +@@ -1692,6 +1965,7 @@ type user_home_dir_t, user_home_t; ') @@ -37185,7 +37171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1708,11 +2002,14 @@ +@@ -1708,11 +1982,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -37203,7 +37189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1802,8 +2099,7 @@ +@@ -1802,8 +2079,7 @@ type user_home_dir_t, user_home_t; ') @@ -37213,7 +37199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1815,24 +2111,17 @@ +@@ -1815,25 +2091,18 @@ ## Domain allowed access. ## ## @@ -37231,18 +37217,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -1866,6 +2155,7 @@ + ## Do not audit attempts to execute user home files. +@@ -1866,6 +2135,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -37250,11 +37237,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2392,25 @@ +@@ -2102,7 +2372,7 @@ ######################################## ## +-## Do not audit attempts to list user +## Do not audit attempts to search user + ## temporary directories. + ## + ## +@@ -2111,17 +2381,17 @@ + ## + ## + # +-interface(`userdom_dontaudit_list_user_tmp',` ++interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + +- dontaudit $1 user_tmp_t:dir list_dir_perms; ++ dontaudit $1 user_tmp_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to manage users ++## Do not audit attempts to list user + ## temporary directories. + ## + ## +@@ -2130,12 +2400,31 @@ + ## + ## + # +-interface(`userdom_dontaudit_manage_user_tmp_dirs',` ++interface(`userdom_dontaudit_list_user_tmp',` + gen_require(` + type user_tmp_t; + ') + +- dontaudit $1 user_tmp_t:dir manage_dir_perms; ++ dontaudit $1 user_tmp_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to manage users +## temporary directories. +## +## @@ -37263,20 +37292,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaudit_search_user_tmp',` ++interface(`userdom_dontaudit_manage_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to list user - ## temporary directories. - ## -@@ -2218,6 +2527,25 @@ ++ dontaudit $1 user_tmp_t:dir manage_dir_perms; + ') + + ######################################## +@@ -2218,6 +2507,25 @@ ######################################## ## 
@@ -37302,7 +37327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2427,13 +2755,14 @@ +@@ -2427,13 +2735,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -37318,7 +37343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2783,24 @@ +@@ -2454,6 +2763,24 @@ ######################################## ## @@ -37343,7 +37368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3094,25 @@ +@@ -2747,6 +3074,25 @@ ######################################## ## @@ -37369,7 +37394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3153,7 @@ +@@ -2787,7 +3133,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -37378,7 +37403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3169,13 @@ +@@ -2803,11 +3149,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -37394,7 +37419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3312,7 @@ +@@ -2944,7 +3292,7 @@ type user_tmp_t; ') @@ -37403,7 +37428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3349,7 @@ +@@ -2981,6 +3329,7 @@ ') read_files_pattern($1, userdomain, userdomain) 
@@ -37411,7 +37436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3480,682 @@ +@@ -3111,3 +3460,682 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index dd589d6..732e730 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -469,7 +469,7 @@ exit 0 %endif %changelog -* Monu May 24 2010 Dan Walsh 3.7.19-21 +* Mon May 24 2010 Dan Walsh 3.7.19-21 - Allow login programs to read krb5_home_t Resolves: #594833 - Add obsoletes for cachefilesfd-selinux package