diff --git a/policy-20081111.patch b/policy-20081111.patch index 239570d..502a25b 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -24786,8 +24786,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-11-25 09:45:43.000000000 -0500 -@@ -6,35 +6,75 @@ ++++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-02 14:32:40.000000000 -0500 +@@ -6,35 +6,76 @@ # Declarations # @@ -24822,6 +24822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_restricted_user_template(unconfined) +#userdom_common_user_template(unconfined) +#userdom_xwindows_client_template(unconfined) ++userdom_execmod_user_home_files(unconfined_t) type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) @@ -24870,7 +24871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_run_ldconfig(unconfined_t, unconfined_r) -@@ -42,26 +82,39 @@ +@@ -42,26 +83,39 @@ logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) @@ -24912,7 +24913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -102,12 +155,24 @@ +@@ -102,12 +156,24 @@ ') optional_policy(` @@ -24937,7 +24938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,7 +184,7 @@ +@@ -119,7 +185,7 @@ ') optional_policy(` @@ -24946,7 +24947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -127,23 +192,25 @@ +@@ -127,23 +193,25 @@ ') optional_policy(` @@ -24977,7 +24978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,36 +222,38 @@ +@@ -155,36 +223,38 @@ ') optional_policy(` @@ -25028,7 +25029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -192,7 +261,7 @@ +@@ -192,7 +262,7 @@ ') optional_policy(` @@ -25037,7 +25038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -204,11 +273,12 @@ +@@ -204,11 +274,12 @@ ') optional_policy(` @@ -25052,7 +25053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -218,14 +288,58 @@ +@@ -218,14 +289,58 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -25125,7 +25126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 11:36:42.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 14:39:39.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -25377,10 +25378,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_require(` - type $1_t; - ') -- ++interface(`userdom_basic_networking',` + - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+interface(`userdom_basic_networking',` ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -25392,9 +25395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; - +- - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) @@ -25511,26 +25512,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) -- corenet_udp_bind_all_nodes($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_all_nodes($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_all_nodes($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -25967,29 +25968,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - alsa_read_rw_config($1_t) -- ') -- -- optional_policy(` ++ alsa_read_rw_config($1_usertype) + ') + + optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) - - optional_policy(` - consolekit_dbus_chat($1_t) -+ alsa_read_rw_config($1_usertype) ++ apache_role($1_r, $1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) - ') -+ apache_role($1_r, $1_usertype) - ') - - optional_policy(` -- java_role($1_r, $1_t) + openoffice_role_template($1, $1_r, $1_usertype) ') optional_policy(` +- java_role($1_r, $1_t) +- ') +- +- optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) + polkit_role($1_r, $1_usertype) ') @@ -26413,7 +26414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3165,226 @@ +@@ -2981,3 +3165,247 @@ allow $1 userdomain:dbus send_msg; ') @@ -26638,7 +26639,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute + ') + -+ allow $1 unpriv_userdomain;:unix_dgram_socket sendto; ++ allow $1 unpriv_userdomain:unix_dgram_socket sendto; ++') ++ ++ ++ ++####################################### ++## ++## Allow execmod on files in homedirectory ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_execmod_user_home_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file execmod; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.1/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-11-13 18:40:02.000000000 -0500