diff --git a/modules-targeted.conf b/modules-targeted.conf index c3e62e4..3368a87 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1598,6 +1598,11 @@ unprivuser = module prelude = module # Layer: services +# Module: pads +# +pads = module + +# Layer: services # Module: kerneloops # # program to collect and submit kernel oopses to kerneloops.org diff --git a/policy-20080710.patch b/policy-20080710.patch index bf169e1..a517d78 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -33240,7 +33240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-15 11:58:54.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-16 09:56:01.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -34377,7 +34377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1183,45 @@ +@@ -1189,36 +1183,49 @@ ') ') @@ -34416,6 +34416,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - setroubleshoot_stream_connect($1_t) ++ cron_per_role_template($1, $1_usertype, $1_r) ++ ') ++ ++ optional_policy(` + nsplugin_per_role_template($1, $1_usertype, $1_r) + ') + @@ -34436,7 +34440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1298,6 @@ +@@ -1295,8 +1302,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -34445,7 +34449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1319,6 @@ +@@ -1318,8 +1323,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -34454,7 +34458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1373,6 @@ +@@ -1374,13 +1377,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -34468,7 +34472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1424,7 @@ +@@ -1432,6 +1428,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -34476,7 +34480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1454,6 @@ +@@ -1461,10 +1458,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -34487,7 +34491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1473,14 @@ +@@ -1484,6 +1477,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -34502,7 +34506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1738,15 @@ +@@ -1741,11 +1742,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -34521,7 +34525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1842,11 @@ +@@ -1841,11 +1846,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -34535,7 +34539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1876,11 @@ +@@ -1875,11 +1880,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -34549,7 +34553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1924,12 @@ +@@ -1923,12 +1928,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -34565,7 +34569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1959,11 @@ +@@ -1958,10 +1963,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -34579,7 +34583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1995,47 @@ +@@ -1993,11 +1999,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -34629,7 +34633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2067,10 @@ +@@ -2029,10 +2071,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -34642,7 +34646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2100,11 @@ +@@ -2062,11 +2104,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -34656,7 +34660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2134,11 @@ +@@ -2096,11 +2138,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -34671,7 +34675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2168,14 @@ +@@ -2130,10 +2172,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -34688,7 +34692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2205,11 @@ +@@ -2163,11 +2209,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -34702,7 +34706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2239,11 @@ +@@ -2197,11 +2243,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -34716,7 +34720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2273,10 @@ +@@ -2231,10 +2277,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -34729,7 +34733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2308,12 @@ +@@ -2266,12 +2312,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -34745,7 +34749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2345,10 @@ +@@ -2303,10 +2349,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -34758,7 +34762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2380,12 @@ +@@ -2338,12 +2384,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -34774,7 +34778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2417,12 @@ +@@ -2375,12 +2421,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -34790,7 +34794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2454,12 @@ +@@ -2412,12 +2458,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -34806,7 +34810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2504,11 @@ +@@ -2462,11 +2508,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -34820,7 +34824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2553,11 @@ +@@ -2511,11 +2557,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -34834,7 +34838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2597,11 @@ +@@ -2555,11 +2601,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -34848,7 +34852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2631,11 @@ +@@ -2589,11 +2635,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -34862,7 +34866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2665,11 @@ +@@ -2623,11 +2669,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -34876,7 +34880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2701,10 @@ +@@ -2659,10 +2705,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -34889,7 +34893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2736,10 @@ +@@ -2694,10 +2740,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -34902,7 +34906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2769,12 @@ +@@ -2727,12 +2773,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -34918,7 +34922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2806,10 @@ +@@ -2764,10 +2810,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -34931,7 +34935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2841,10 @@ +@@ -2799,10 +2845,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -34944,7 +34948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2874,12 @@ +@@ -2832,12 +2878,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -34960,7 +34964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2911,10 @@ +@@ -2869,10 +2915,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -34973,7 +34977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2946,12 @@ +@@ -2904,12 +2950,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -34989,7 +34993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2983,11 @@ +@@ -2941,11 +2987,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -35003,7 +35007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3019,11 @@ +@@ -2977,11 +3023,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -35017,7 +35021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3055,11 @@ +@@ -3013,11 +3059,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -35031,7 +35035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3091,11 @@ +@@ -3049,11 +3095,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -35045,7 +35049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3127,11 @@ +@@ -3085,11 +3131,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -35059,7 +35063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3176,10 @@ +@@ -3134,10 +3180,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -35072,7 +35076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3220,19 @@ +@@ -3178,19 +3224,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -35096,7 +35100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -4616,11 +4658,11 @@ +@@ -4616,11 +4662,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -35110,7 +35114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4682,14 @@ +@@ -4640,6 +4686,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -35125,7 +35129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4727,8 @@ +@@ -4677,6 +4731,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -35134,7 +35138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4773,25 @@ +@@ -4721,6 +4777,25 @@ ######################################## ##

@@ -35160,7 +35164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5017,7 @@ +@@ -4946,7 +5021,7 @@ ######################################## ## @@ -35169,11 +35173,103 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,6 +5389,42 @@ +@@ -5318,7 +5393,7 @@ ######################################## ## +-## Read and write unprivileged user ttys. +## Write all unprivileged users files in /tmp + ## + ## + ## +@@ -5326,18 +5401,17 @@ + ## + ## + # +-interface(`userdom_use_unpriv_users_ttys',` ++interface(`userdom_manage_unpriv_users_tmp_files',` + gen_require(` +- attribute user_ttynode; ++ type user_tmp_t; + ') + +- allow $1 user_ttynode:chr_file rw_term_perms; ++ manage_files_pattern($1, user_tmp_t, user_tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to use unprivileged +-## user ttys. ++## Write all unprivileged users lnk_files in /tmp + ## + ## + ## +@@ -5345,17 +5419,17 @@ + ## + ## + # +-interface(`userdom_dontaudit_use_unpriv_users_ttys',` ++interface(`userdom_manage_unpriv_users_tmp_symlinks',` + gen_require(` +- attribute user_ttynode; ++ type user_tmp_t; + ') + +- dontaudit $1 user_ttynode:chr_file rw_file_perms; ++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + ') + + ######################################## + ## +-## Read the process state of all user domains. ++## Read and write unprivileged user ttys. + ## + ## + ## +@@ -5363,18 +5437,18 @@ + ## + ## + # +-interface(`userdom_read_all_users_state',` ++interface(`userdom_use_unpriv_users_ttys',` + gen_require(` +- attribute userdomain; ++ attribute user_ttynode; + ') + +- read_files_pattern($1,userdomain,userdomain) +- kernel_search_proc($1) ++ allow $1 user_ttynode:chr_file rw_term_perms; + ') + + ######################################## + ## +-## Get the attributes of all user domains. ++## Do not audit attempts to use unprivileged ++## user ttys. + ## + ## + ## +@@ -5382,17 +5456,54 @@ + ## + ## + # +-interface(`userdom_getattr_all_users',` ++interface(`userdom_dontaudit_use_unpriv_users_ttys',` + gen_require(` +- attribute userdomain; ++ attribute user_ttynode; + ') + +- allow $1 userdomain:process getattr; ++ dontaudit $1 user_ttynode:chr_file rw_file_perms; + ') + + ######################################## + ## +-## Inherit the file descriptors from all user domains ++## Read the process state of all user domains. +## +## +## @@ -35181,17 +35277,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`userdom_manage_unpriv_users_tmp_files',` ++interface(`userdom_read_all_users_state',` + gen_require(` -+ type user_tmp_t; ++ attribute userdomain; + ') + -+ manage_files_pattern($1, user_tmp_t, user_tmp_t) ++ ps_process_pattern($1, userdomain) ++ kernel_search_proc($1) +') + +######################################## +## -+## Write all unprivileged users lnk_files in /tmp ++## Get the attributes of all user domains. +## +## +## @@ -35199,42 +35296,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`userdom_manage_unpriv_users_tmp_symlinks',` ++interface(`userdom_getattr_all_users',` + gen_require(` -+ type user_tmp_t; ++ attribute userdomain; + ') + -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ allow $1 userdomain:process getattr; +') + +######################################## +## - ## Read and write unprivileged user ttys. ++## Inherit the file descriptors from all user domains ## ## -@@ -5368,7 +5475,7 @@ - attribute userdomain; - ') - -- read_files_pattern($1,userdomain,userdomain) -+ ps_process_pattern($1, userdomain) - kernel_search_proc($1) - ') - -@@ -5483,7 +5590,7 @@ + ## +@@ -5483,6 +5594,42 @@ ######################################## ## --## Send a dbus message to all user domains. +## Manage keys for all user domains. - ## - ## - ## -@@ -5491,7 +5598,43 @@ - ## - ## - # --interface(`userdom_dbus_send_all_users',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; @@ -35263,19 +35350,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Send a dbus message to all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dbus_send_all_users',` - gen_require(` - attribute userdomain; - class dbus send_msg; -@@ -5513,3 +5656,524 @@ + ## Send a dbus message to all user domains. + ## + ## +@@ -5513,3 +5660,524 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/sources b/sources index 2284fad..4c951a3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1b4c8999f49501d5bcfc81fb2498b2e6 serefpolicy-3.5.8.tgz +dcacf4cddcb4232564044e8d33c4d28e serefpolicy-3.5.8.tgz