diff --git a/modules-targeted.conf b/modules-targeted.conf index 768b39f..8b0b82e 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1662,3 +1662,9 @@ guest = module # xguest = module +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module diff --git a/policy-20080509.patch b/policy-20080509.patch index 52eb672..30d0a10 100644 --- a/policy-20080509.patch +++ b/policy-20080509.patch @@ -4439,8 +4439,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te 2008-05-30 14:08:10.632900000 -0400 -@@ -0,0 +1,204 @@ ++++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te 2008-05-30 16:08:40.343792000 -0400 +@@ -0,0 +1,207 @@ + +policy_module(nsplugin,1.0.0) + @@ -4541,7 +4541,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +miscfiles_read_localization(nsplugin_t) +miscfiles_read_fonts(nsplugin_t) -+miscfiles_manage_home_fonts(nsplugin_t) + +unprivuser_manage_tmp_dirs(nsplugin_t) +unprivuser_manage_tmp_files(nsplugin_t) @@ -4588,6 +4587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + xserver_read_xdm_pid(nsplugin_t) + xserver_read_user_xauth(user, nsplugin_t) + xserver_use_user_fonts(user, nsplugin_t) ++ xserver_manage_home_fonts(nsplugin_t) +') + +######################################## @@ -4628,7 +4628,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +miscfiles_read_localization(nsplugin_config_t) +miscfiles_read_fonts(nsplugin_config_t) -+miscfiles_read_home_fonts(nsplugin_config_t) + +userdom_search_all_users_home_content(nsplugin_config_t) + @@ -4643,6 +4642,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +nsplugin_domtrans(nsplugin_config_t) + +optional_policy(` ++ xserver_read_home_fonts(nsplugin_config_t) ++') ++ ++optional_policy(` + mozilla_read_user_home_files(user, nsplugin_config_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.1/policy/modules/apps/openoffice.fc @@ -25721,8 +25724,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +miscfiles_read_certs(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.4.1/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-05-19 10:26:37.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/services/xserver.fc 2008-05-30 15:38:19.179414000 -0400 -@@ -1,13 +1,13 @@ ++++ serefpolicy-3.4.1/policy/modules/services/xserver.fc 2008-05-30 16:00:19.268636000 -0400 +@@ -1,13 +1,12 @@ # # HOME_DIR # @@ -25734,7 +25737,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) -HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) +HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:fonts_config_home_t,s0) -+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:fonts_home_t,s0) +HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:fonts_cache_home_t,s0) +HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:fonts_cache_home_t,s0) +HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) @@ -25743,7 +25745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /dev -@@ -32,11 +32,6 @@ +@@ -32,11 +31,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -25755,7 +25757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /opt # -@@ -58,7 +53,8 @@ +@@ -58,7 +52,8 @@ # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -25765,7 +25767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -78,7 +74,7 @@ +@@ -78,7 +73,7 @@ /usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -25774,7 +25776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) -@@ -89,16 +85,23 @@ +@@ -89,17 +84,26 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -25800,9 +25802,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) + ') ++HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:fonts_home_t,s0) ++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:fonts_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 15:21:13.276047000 -0400 ++++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 16:01:24.987195000 -0400 @@ -128,18 +128,24 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) @@ -25850,7 +25855,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -280,35 +290,25 @@ +@@ -270,6 +280,9 @@ + gen_require(` + type iceauth_exec_t, xauth_exec_t; + attribute fonts_type, fonts_cache_type, fonts_config_type; ++ type fonts_home_t; ++ type fonts_cache_home_t; ++ type fonts_config_home_t; + ') + + ############################## +@@ -280,35 +293,25 @@ xserver_common_domain_template($1) role $3 types $1_xserver_t; @@ -25893,7 +25908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # -@@ -317,24 +317,24 @@ +@@ -317,24 +320,24 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) @@ -25928,7 +25943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t) -@@ -375,12 +375,12 @@ +@@ -375,12 +378,12 @@ allow $1_xauth_t self:process signal; allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; @@ -25946,7 +25961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -@@ -389,11 +389,11 @@ +@@ -389,11 +392,11 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -25962,7 +25977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) -@@ -435,16 +435,16 @@ +@@ -435,16 +438,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -25984,7 +25999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints($1_iceauth_t) -@@ -610,7 +610,7 @@ +@@ -610,7 +613,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; @@ -25993,7 +26008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') allow $2 self:shm create_shm_perms; -@@ -618,8 +618,8 @@ +@@ -618,8 +621,8 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26004,7 +26019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -880,7 +880,7 @@ +@@ -880,7 +883,7 @@ template(`xserver_user_x_domain_template',` gen_require(` type xdm_t, xdm_tmp_t; @@ -26013,7 +26028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') allow $3 self:shm create_shm_perms; -@@ -888,8 +888,8 @@ +@@ -888,8 +891,8 @@ allow $3 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26024,19 +26039,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -952,26 +952,44 @@ +@@ -952,26 +955,43 @@ # template(`xserver_use_user_fonts',` gen_require(` - type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t; -+ type fonts_home_t, fonts_cache_home_t, fonts_config_home_t; ++ type fonts_cache_home_t, fonts_config_home_t; ') # Read per user fonts - allow $2 $1_fonts_t:dir list_dir_perms; - allow $2 $1_fonts_t:file read_file_perms; -+ allow $2 fonts_home_t:dir list_dir_perms; -+ allow $2 fonts_home_t:file read_file_perms; ++ read_files_pattern($2, fonts_home_t, fonts_home_t) # Manipulate the global font cache - manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t) @@ -26076,7 +26090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1005,6 +1023,73 @@ +@@ -1005,6 +1025,73 @@ ######################################## ## @@ -26150,7 +26164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1030,10 +1115,10 @@ +@@ -1030,10 +1117,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -26163,7 +26177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1219,6 +1304,25 @@ +@@ -1219,6 +1306,25 @@ ######################################## ## @@ -26189,7 +26203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1377,7 @@ +@@ -1273,6 +1379,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -26197,7 +26211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1291,7 +1396,7 @@ +@@ -1291,7 +1398,7 @@ ') files_search_pids($1) @@ -26206,7 +26220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1314,6 +1419,24 @@ +@@ -1314,6 +1421,24 @@ ######################################## ## @@ -26231,7 +26245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1447,47 @@ +@@ -1324,15 +1449,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -26280,7 +26294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1637,7 @@ +@@ -1482,7 +1639,7 @@ type xdm_xserver_tmp_t; ') @@ -26289,7 +26303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1674,6 +1829,65 @@ +@@ -1674,6 +1831,65 @@ ######################################## ## @@ -26355,7 +26369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1691,3 +1905,41 @@ +@@ -1691,3 +1907,82 @@ typeattribute $1 xserver_unconfined_type; ') @@ -26397,9 +26411,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + files_search_pids($1) + write_files_pattern($1,xserver_var_run_t,xserver_var_run_t) +') ++ ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xserver_manage_home_fonts',` ++ gen_require(` ++ type fonts_home_t; ++ ') ++ ++ manage_dirs_pattern($1, fonts_home_t, fonts_home_t) ++ manage_files_pattern($1, fonts_home_t, fonts_home_t) ++ manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t) ++') ++ ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xserver_read_home_fonts',` ++ gen_require(` ++ type fonts_home_t; ++ ') ++ ++ read_files_pattern($1,fonts_home_t,fonts_home_t) ++ read_lnk_files_pattern($1,fonts_home_t,fonts_home_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-05-19 10:26:37.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 15:12:02.166012000 -0400 ++++ serefpolicy-3.4.1/policy/modules/services/xserver.te 2008-05-30 16:11:13.428347000 -0400 @@ -8,6 +8,14 @@ ## @@ -26451,13 +26506,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; -@@ -122,6 +143,27 @@ +@@ -122,6 +143,24 @@ type xserver_log_t; logging_log_file(xserver_log_t) -+type fonts_home_t, fonts_type; -+userdom_user_home_content(user,fonts_home_t) -+ +type fonts_cache_home_t, fonts_cache_type; +userdom_user_home_content(user,fonts_cache_home_t) + @@ -26479,7 +26531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_common_domain_template(xdm) xserver_common_x_domain_template(xdm,xdm,xdm_t) init_system_domain(xdm_xserver_t,xserver_exec_t) -@@ -142,6 +184,7 @@ +@@ -142,6 +181,7 @@ allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; @@ -26487,7 +26539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -154,6 +197,8 @@ +@@ -154,6 +194,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -26496,7 +26548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -169,6 +214,8 @@ +@@ -169,6 +211,8 @@ manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -26505,7 +26557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) -@@ -176,15 +223,22 @@ +@@ -176,15 +220,24 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -26513,6 +26565,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +fs_getattr_all_fs(xdm_t) +fs_search_inotifyfs(xdm_t) +fs_list_all(xdm_t) ++ ++manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t) manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) @@ -26530,7 +26584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -198,6 +252,7 @@ +@@ -198,6 +251,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -26538,7 +26592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -229,6 +284,7 @@ +@@ -229,6 +283,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -26546,7 +26600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -241,6 +297,7 @@ +@@ -241,6 +296,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -26554,7 +26608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -253,14 +310,15 @@ +@@ -253,14 +309,15 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -26572,7 +26626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -271,9 +329,13 @@ +@@ -271,9 +328,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -26586,7 +26640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +344,7 @@ +@@ -282,6 +343,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -26594,7 +26648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -290,6 +353,7 @@ +@@ -290,6 +352,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -26602,18 +26656,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -301,21 +365,25 @@ +@@ -301,21 +364,25 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) +logging_send_audit_msgs(xdm_t) miscfiles_read_localization(xdm_t) --miscfiles_read_fonts(xdm_t) + miscfiles_read_fonts(xdm_t) - -sysnet_read_config(xdm_t) -+miscfiles_manage_fonts(xdm_t) -+miscfiles_dontaudit_write_locale(xdm_t) ++miscfiles_manage_localization(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) @@ -26634,24 +26687,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -348,10 +416,15 @@ +@@ -348,10 +415,12 @@ optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) -+') -+ -+optional_policy(` -+ bootloader_domtrans(xdm_t) ') optional_policy(` -- consolekit_dbus_chat(xdm_t) + consolekit_dbus_chat(xdm_t) + consolekit_read_log(xdm_t) ') optional_policy(` -@@ -359,6 +432,23 @@ +@@ -359,6 +428,19 @@ ') optional_policy(` @@ -26659,10 +26708,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + dbus_system_bus_client_template(xdm, xdm_t) + + optional_policy(` -+ consolekit_dbus_chat(xdm_t) -+ ') -+ -+ optional_policy(` + hal_dbus_chat(xdm_t) + ') + @@ -26675,7 +26720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -369,6 +459,10 @@ +@@ -369,6 +451,10 @@ ') optional_policy(` @@ -26686,7 +26731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -382,16 +476,25 @@ +@@ -382,16 +468,25 @@ ') optional_policy(` @@ -26713,7 +26758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -427,7 +530,7 @@ +@@ -427,7 +522,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -26722,7 +26767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -439,6 +542,15 @@ +@@ -439,6 +534,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -26738,7 +26783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +562,19 @@ +@@ -450,10 +554,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -26759,7 +26804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -467,6 +588,22 @@ +@@ -467,6 +580,22 @@ ') optional_policy(` @@ -26782,7 +26827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -476,16 +613,32 @@ +@@ -476,16 +605,32 @@ ') optional_policy(` @@ -29095,7 +29140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.4.1/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-05-19 10:26:42.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc 2008-05-30 14:08:12.108651000 -0400 ++++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc 2008-05-30 16:00:01.493565000 -0400 @@ -11,6 +11,7 @@ /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) @@ -29104,98 +29149,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi # # /opt -@@ -80,3 +81,4 @@ - /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) - /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) - ') -+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.4.1/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-05-19 10:26:42.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.if 2008-05-30 14:08:12.112653000 -0400 -@@ -490,3 +490,65 @@ - manage_lnk_files_pattern($1,locale_t,locale_t) - ') - -+######################################## -+## -+## Read user homedir fonts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_read_home_fonts',` -+ gen_require(` -+ type user_fonts_home_t; -+ ') -+ -+ read_files_pattern($1,user_fonts_home_t,user_fonts_home_t) -+ read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t) -+') -+ -+######################################## -+## -+## Read user homedir fonts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_manage_home_fonts',` -+ gen_require(` -+ type user_fonts_home_t; -+ ') -+ -+ manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t) -+ manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t) -+ manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t) -+') -+ -+ -+######################################## -+## -+## dontaudit_attempts to write locale files -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_dontaudit_write_locale',` -+ gen_require(` -+ type locale_t; -+ ') -+ -+ dontaudit $1 locale_t:dir write; -+ dontaudit $1 locale_t:file write; -+') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.4.1/policy/modules/system/miscfiles.te ---- nsaserefpolicy/policy/modules/system/miscfiles.te 2008-05-19 10:26:42.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.te 2008-05-30 14:08:12.127651000 -0400 -@@ -20,6 +20,14 @@ - files_type(fonts_t) - - # -+# fonts_t is the type of various font -+# files in /usr -+# -+type user_fonts_home_t; -+userdom_user_home_type(user_fonts_home_t) -+files_type(user_fonts_home_t) -+ -+# - # type for /usr/share/hwdata - # - type hwdata_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.4.1/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2008-05-19 10:26:42.000000000 -0400 +++ serefpolicy-3.4.1/policy/modules/system/modutils.if 2008-05-30 14:08:12.131651000 -0400 @@ -30477,7 +30430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.1/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te 2008-05-30 15:07:02.678597000 -0400 ++++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te 2008-05-30 15:45:01.953760000 -0400 @@ -1,5 +1,5 @@ -policy_module(selinuxutil, 1.9.2) @@ -30678,14 +30631,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ',` # Handle pp files created in homedir and /tmp - sysadm_read_home_content_files(semanage_t) -- sysadm_read_tmp_files(semanage_t) ++ userdom_read_sysadm_home_content_files(semanage_t) + sysadm_read_tmp_files(semanage_t) - - optional_policy(` - unconfined_read_home_content_files(semanage_t) - unconfined_read_tmp_files(semanage_t) - ') -+ userdom_read_sysadm_home_content_files(semanage_t) -+ userdom_read_sysadm_tmp_files(semanage_t) + userdom_read_unpriv_users_home_content_files(semanage_t) + userdom_read_unpriv_users_tmp_files(semanage_t) ')