diff --git a/policy-F12.patch b/policy-F12.patch index 04c3ee2..0bc8d1e 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1008,7 +1008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.26/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/admin/sudo.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/admin/sudo.if 2009-08-05 07:57:19.000000000 -0400 @@ -66,8 +66,8 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; @@ -1041,6 +1041,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) +@@ -147,6 +149,11 @@ + optional_policy(` + dbus_system_bus_client($1_sudo_t) + ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_sudo_t) ++ ') ++ + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.26/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-07-28 13:28:33.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/admin/tmpreaper.te 2009-07-30 15:33:08.000000000 -0400 
@@ -2575,8 +2587,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.26/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te 2009-07-30 15:33:08.000000000 -0400 -@@ -0,0 +1,287 @@ ++++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te 2009-08-05 07:20:45.000000000 -0400 +@@ -0,0 +1,285 @@ + +policy_module(nsplugin, 1.0.0) + @@ -2769,12 +2781,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_app(nsplugin_t) + xserver_rw_shm(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) -+ xserver_read_xdm_pid(nsplugin_t) + xserver_read_user_xauth(nsplugin_t) + xserver_read_user_iceauth(nsplugin_t) + xserver_use_user_fonts(nsplugin_t) + xserver_manage_home_fonts(nsplugin_t) -+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t) +') + +######################################## 
@@ -3948,8 +3958,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.26/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/apps/screen.if 2009-07-30 15:33:08.000000000 -0400 -@@ -157,3 +157,24 @@ ++++ serefpolicy-3.6.26/policy/modules/apps/screen.if 2009-08-05 07:38:57.000000000 -0400 +@@ -61,6 +61,8 @@ + manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t) + manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t) + filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file) ++ dontaudit $3 $1_var_run_t:fifo_file read; ++ + files_pid_filetrans($1_screen_t, screen_dir_t, dir) + + allow $1_screen_t screen_home_t:dir list_dir_perms; +@@ -91,6 +93,7 @@ + # Revert to the user domain when a shell is executed. + corecmd_shell_domtrans($1_screen_t, $3) + corecmd_bin_domtrans($1_screen_t, $3) ++ allow $3 $1_screen_t:process sigchld; + + corenet_all_recvfrom_unlabeled($1_screen_t) + corenet_all_recvfrom_netlabel($1_screen_t) +@@ -157,3 +160,24 @@ nscd_socket_use($1_screen_t) ') ') @@ -4561,7 +4588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-03 08:04:07.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-05 08:03:44.000000000 -0400 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain 
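Review bot: `dontaudit $3 $1_var_run_t:fifo_file read;` in the screen.if hunk names a type, `$1_var_run_t`, that nothing else in the template uses — the rule directly above it (`filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)`) and the rest of the visible block work with `screen_var_run_t`, and no `$1_var_run_t` appears in a gen_require in the visible hunks. If that type is not declared elsewhere the module will fail to build; if the intent is to silence the user domain reading screen's fifo, the line should probably be `dontaudit $3 screen_var_run_t:fifo_file read;`. The template's opening and closing lines are outside the hunk.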
@@ -4744,7 +4771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.26/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/domain.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/domain.te 2009-08-05 07:21:34.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -4802,7 +4829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) -+ xserver_dontaudit_rw_xdm_home_files(domain) ++ xserver_dontaudit_append_xdm_home_files(domain) ') ######################################## 
@@ -5643,31 +5670,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.26/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/roles/staff.te 2009-07-30 15:33:08.000000000 -0400 -@@ -15,156 +15,105 @@ ++++ serefpolicy-3.6.26/policy/modules/roles/staff.te 2009-08-05 07:37:10.000000000 -0400 +@@ -15,156 +15,110 @@ # Local policy # -optional_policy(` - apache_role(staff_r, staff_t) -') -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) - +- -optional_policy(` - auth_role(staff_r, staff_t) -') -+auth_domtrans_pam_console(staff_t) - +- -optional_policy(` - auditadm_role_change(staff_r) -') -+seutil_run_newrole(staff_t, staff_r) -+netutils_run_ping(staff_t, staff_r) - - optional_policy(` +- +-optional_policy(` - bluetooth_role(staff_r, staff_t) -') - @@ -5682,7 +5702,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') -- ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) + -optional_policy(` - ethereal_role(staff_r, staff_t) -') 
@@ -5694,113 +5718,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - games_role(staff_r, staff_t) -') -- ++auth_domtrans_pam_console(staff_t) + -optional_policy(` - gift_role(staff_r, staff_t) -') -- --optional_policy(` ++seutil_run_newrole(staff_t, staff_r) ++netutils_run_ping(staff_t, staff_r) + + optional_policy(` - gnome_role(staff_r, staff_t) --') -- --optional_policy(` -- gpg_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` -- irc_role(staff_r, staff_t) +- gpg_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- java_role(staff_r, staff_t) +- irc_role(staff_r, staff_t) + kerneloops_manage_tmp_files(staff_t) ') optional_policy(` -- lockdev_role(staff_r, staff_t) +- java_role(staff_r, staff_t) + logadm_role_change(staff_r) ') optional_policy(` -- lpd_role(staff_r, staff_t) +- lockdev_role(staff_r, staff_t) + postgresql_role(staff_r, staff_t) ') optional_policy(` -- mozilla_role(staff_r, staff_t) +- lpd_role(staff_r, staff_t) + rtkit_daemon_system_domain(staff_t) ') optional_policy(` -- mplayer_role(staff_r, staff_t) +- mozilla_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` -- mta_role(staff_r, staff_t) +- mplayer_role(staff_r, staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) +- mta_role(staff_r, staff_t) + sysadm_role_change(staff_r) ') optional_policy(` -- pyzor_role(staff_r, staff_t) +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) + usernetctl_run(staff_t, staff_r) ') optional_policy(` -- razor_role(staff_r, staff_t) +- pyzor_role(staff_r, staff_t) + unconfined_role_change(staff_r) ') optional_policy(` -- rssh_role(staff_r, staff_t) +- razor_role(staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` -- screen_role_template(staff, staff_r, staff_t) +- 
rssh_role(staff_r, staff_t) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` -- secadm_role_change(staff_r) +- screen_role_template(staff, staff_r, staff_t) -') +files_read_kernel_modules(staff_t) -optional_policy(` -- spamassassin_role(staff_r, staff_t) +- secadm_role_change(staff_r) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) +- spamassassin_role(staff_r, staff_t) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` -- su_role_template(staff, staff_r, staff_t) +- ssh_role_template(staff, staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) -optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) +- su_role_template(staff, staff_r, staff_t) -') +term_use_unallocated_ttys(staff_t) optional_policy(` +- sudo_role_template(staff, staff_r, staff_t) ++ gnomeclock_dbus_chat(staff_t) + ') + + optional_policy(` - sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) -+ gnomeclock_dbus_chat(staff_t) ++ lpd_list_spool(staff_t ') optional_policy(` @@ -5820,6 +5848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - userhelper_role_template(staff, staff_r, staff_t) ++ screen_role_template(staff, staff_r, staff_t) + screen_manage_var_run(staff_t) ') @@ -9828,7 +9857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.26/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/dbus.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/dbus.if 2009-08-05 07:49:49.000000000 -0400 
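Review bot: `lpd_list_spool(staff_t` on the new side of the staff.te hunk is missing its closing parenthesis, so the `')` on the following line ends the quoted optional_policy argument while the lpd_list_spool call is still open; when m4 rescans the block it will keep collecting arguments up to the next `)` in the file, which is likely to break the build or expand to the wrong rules (unless the missing character is a paste artifact of this page). The line should read `lpd_list_spool(staff_t)`. The hunk begins on the preceding line of this page and is part of a larger reorder of the role's optional_policy blocks, so the dropped paren is easy to miss.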
@@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -9867,7 +9896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_user_home_content_files($1_dbusd_t) ifdef(`hide_broken_symptoms', ` -@@ -153,6 +157,10 @@ +@@ -153,12 +157,15 @@ ') optional_policy(` @@ -9878,7 +9907,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat($1_dbusd_t) ') -@@ -178,10 +186,12 @@ + optional_policy(` +- xserver_use_xdm_fds($1_dbusd_t) +- xserver_rw_xdm_pipes($1_dbusd_t) ++ xserver_use_xdm($1_dbusd_t) + ') + ') + +@@ -178,10 +185,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -9892,7 +9928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -190,6 +200,10 @@ +@@ -190,6 +199,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) @@ -9903,7 +9939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -256,7 +270,7 @@ +@@ -256,7 +269,7 @@ ######################################## ## 
@@ -10959,8 +10995,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.26/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.26/policy/modules/services/modemmanager.te 2009-07-30 15:33:08.000000000 -0400 -@@ -0,0 +1,41 @@ ++++ serefpolicy-3.6.26/policy/modules/services/modemmanager.te 2009-08-05 15:31:50.000000000 -0400 +@@ -0,0 +1,46 @@ +policy_module(ModemManager,1.0.0) + +######################################## @@ -10992,6 +11028,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +files_read_etc_files(ModemManager_t) + ++term_use_unallocated_ttys(ModemManager_t) ++ +miscfiles_read_localization(ModemManager_t) + +logging_send_syslog_msg(ModemManager_t) @@ -11000,8 +11038,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + networkmanager_dbus_chat(ModemManager_t) +') + -+permissive ModemManager_t; ++optional_policy(` ++ udev_read_db(ModemManager_t) ++') + ++permissive ModemManager_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.26/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/mta.fc 2009-07-30 15:33:09.000000000 -0400 
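Review bot: `term_use_unallocated_ttys(ModemManager_t)` is added to modemmanager.te with no comment saying why the daemon needs read/write on every unallocated tty rather than a narrower device type, and because the module still ends in `permissive ModemManager_t;` the grant will not be exercised in enforcing mode, so its scope is easy to lose track of. Suggest a why-comment above the line, e.g. `# presumably modem devices show up as serial tty nodes; narrow to a dedicated type once labelling is settled` (replace the reason with what was actually observed). A similar one-liner on `permissive ModemManager_t;` stating when it is expected to be removed would help the next reviewer.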
@@ -11536,7 +11577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.26/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-08-05 08:04:33.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) 
@@ -11564,20 +11605,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow NetworkManager_t self:tcp_socket create_stream_socket_perms; allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -51,8 +55,10 @@ +@@ -51,8 +55,11 @@ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) -rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_search_tmp(NetworkManager_t) ++manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) ++files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) + +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -@@ -63,6 +69,8 @@ +@@ -63,6 +70,8 @@ kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) @@ -11586,7 +11628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +89,18 @@ +@@ -81,13 +90,18 @@ corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t) 
@@ -11605,7 +11647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(NetworkManager_t) -@@ -98,15 +111,20 @@ +@@ -98,15 +112,20 @@ domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) @@ -11627,7 +11669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +134,40 @@ +@@ -116,25 +135,40 @@ seutil_read_config(NetworkManager_t) @@ -11675,7 +11717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -146,8 +179,25 @@ +@@ -146,8 +180,25 @@ ') optional_policy(` @@ -11703,7 +11745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,23 +205,51 @@ +@@ -155,23 +206,51 @@ ') optional_policy(` @@ -11757,7 +11799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -179,12 +257,15 @@ +@@ -179,12 +258,15 @@ ') optional_policy(` @@ -12592,7 +12634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-03 06:50:17.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-05 15:36:05.000000000 -0400 @@ -38,9 +38,10 @@ allow policykit_t self:capability { setgid setuid }; 
@@ -12650,7 +12692,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -104,6 +119,7 @@ +@@ -96,6 +111,7 @@ + files_read_usr_files(policykit_auth_t) + + auth_use_nsswitch(policykit_auth_t) ++auth_domtrans_chk_passwd(policykit_auth_t) + + logging_send_syslog_msg(policykit_auth_t) + +@@ -104,6 +120,7 @@ userdom_dontaudit_read_user_home_content_files(policykit_auth_t) optional_policy(` @@ -12658,7 +12708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -116,6 +132,13 @@ +@@ -116,6 +133,13 @@ hal_read_state(policykit_auth_t) ') @@ -12672,7 +12722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # polkit_grant local policy -@@ -123,7 +146,8 @@ +@@ -123,7 +147,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -12682,7 +12732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -153,9 +177,12 @@ +@@ -153,9 +178,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -12696,7 +12746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,7 +194,8 @@ +@@ -167,7 +195,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; 
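Review bot: `auth_domtrans_chk_passwd(policykit_auth_t)` is added to the policykit_auth_t block without a comment, so a reader cannot tell whether the agent legitimately verifies passwords through the chkpwd helper domain or whether this is papering over a denial. Suggest a why-comment above the line such as `# password prompts are verified by transitioning to the chkpwd helper rather than reading shadow directly` (confirm against the denial that motivated it). The policykit_auth_t block continues outside the hunk.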
@@ -14979,7 +15029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te 2009-08-05 08:03:58.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -15013,7 +15063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +77,25 @@ +@@ -68,16 +77,26 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -15021,6 +15071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_getattr_all_chr_files(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) ++domain_signull_all_domains(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) @@ -15040,7 +15091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +112,54 @@ +@@ -94,23 +113,54 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) 
@@ -16637,7 +16688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.26/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-04 05:06:14.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-05 15:13:13.000000000 -0400 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -16855,7 +16906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +290,154 @@ +@@ -195,8 +290,155 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -16885,6 +16936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) +manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) ++manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) +manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) +files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) +stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t) @@ -17107,7 +17159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-03 06:49:41.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-05 07:48:30.000000000 -0400 
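Review bot: The new `manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)` in virt.te is not matched by the filetrans two lines below, which still reads `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })`; a socket that svirt_t creates directly under the pid directory would get the generic pid label rather than svirt_var_run_t, and the new rule would not apply to it. If that is where the sockets are created, extend it to `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file sock_file })`; if they are only ever created inside already-labelled svirt_var_run_t directories, the manage pattern alone is enough and a short comment saying so would settle it. The svirt_t block continues outside the hunk.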
@@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -17418,7 +17470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1281,276 @@ +@@ -1159,6 +1281,278 @@ ######################################## ## @@ -17541,7 +17593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Dontaudit write to .xsession-errors file ++## Dontaudit append to .xsession-errors file +## +## +## @@ -17549,7 +17601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`xserver_dontaudit_rw_xdm_home_files',` ++interface(`xserver_dontaudit_append_xdm_home_files',` + gen_require(` + type xdm_home_t; + ') @@ -17574,6 +17626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type xdm_t, xdm_tmp_t; + type xdm_xproperty_t; ++ type xdm_home_t; + class x_client all_x_client_perms; + class x_drawable all_x_drawable_perms; + class x_property all_x_property_perms; @@ -17589,11 +17642,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_xdm_stream_connect($1) + xserver_setattr_xdm_tmp_dirs($1) + xserver_read_xdm_pid($1) ++ xserver_search_xdm_lib($1) + + allow $1 xdm_t:x_client { getattr destroy }; + allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; + allow $1 xdm_xproperty_t:x_property { write read }; -+ ++ allow $1 xdm_home_t:file append_file_perms; +') + +######################################## 
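Review bot: The xserver.if hunk renames `xserver_dontaudit_rw_xdm_home_files` to `xserver_dontaudit_append_xdm_home_files` and updates its description, but the interface body is outside the hunk, so it is not visible whether the dontaudit itself was narrowed from rw to append to match the new name; please confirm, otherwise the name promises less than the rule suppresses. In the same file `xserver_common_app` now carries `allow $1 xdm_home_t:file append_file_perms;`, which is a real grant to every common X client rather than a dontaudit; a one-line comment above it such as `# X clients append their errors to the user's .xsession-errors (xdm_home_t)` would record the intent. The callers in domain.te and init.te are updated to the new name elsewhere in this patch.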
@@ -17695,7 +17749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1172,7 +1564,103 @@ +@@ -1172,7 +1566,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -19251,7 +19305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-07-30 09:44:08.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-05 07:18:15.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -19641,7 +19695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + +optional_policy(` -+ xserver_rw_xdm_home_files(daemon) ++ xserver_dontaudit_append_xdm_home_files(daemon) + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(daemon) + ') @@ -22990,7 +23044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.26/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-05 07:54:48.000000000 -0400 @@ -30,8 +30,9 @@ ') 
@@ -23900,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -891,28 +953,43 @@ +@@ -891,28 +953,47 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -23916,6 +23970,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ++ ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ') optional_policy(` @@ -23951,7 +24009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -946,8 +1023,8 @@ +@@ -946,8 +1027,8 @@ # Declarations # @@ -23961,7 +24019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -956,11 +1033,12 @@ +@@ -956,11 +1037,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -23976,7 +24034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -978,37 +1056,55 @@ +@@ -978,37 +1060,55 @@ ') ') @@ -24046,7 +24104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1042,7 +1138,7 @@ +@@ -1042,7 +1142,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -24055,7 +24113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1051,8 +1147,7 @@ +@@ -1051,8 +1151,7 @@ # # Inherit rules for ordinary users. 
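Review bot: The new `fprintd_dbus_chat($1_t)` in userdomain.if is granted to the base domain only, while the neighbouring rules in the same block are granted to the attribute (`devicekit_dbus_chat($1_usertype)` and the two lines after it). If derived user domains are also expected to talk to fprintd, `fprintd_dbus_chat($1_usertype)` is probably the intended form; if only the base domain should, a short comment saying so would stop the next reader from "fixing" it. The template continues outside the hunk.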
@@ -24065,7 +24123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,7 +1170,8 @@ +@@ -1075,7 +1174,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -24075,7 +24133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1091,6 +1187,7 @@ +@@ -1091,6 +1191,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -24083,7 +24141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1098,8 +1195,6 @@ +@@ -1098,8 +1199,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -24092,7 +24150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1154,20 +1249,6 @@ +@@ -1154,20 +1253,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -24113,7 +24171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1213,6 +1294,7 @@ +@@ -1213,6 +1298,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -24121,7 +24179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1278,11 +1360,15 @@ +@@ -1278,11 +1364,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -24137,7 +24195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1374,12 +1460,13 @@ +@@ -1374,12 +1464,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -24152,7 +24210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1412,6 +1499,14 @@ +@@ -1412,6 +1503,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -24167,7 +24225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1427,9 +1522,11 @@ +@@ -1427,9 +1526,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -24179,7 +24237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1486,6 +1583,25 @@ +@@ -1486,6 +1587,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -24205,7 +24263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1560,6 +1676,8 @@ +@@ -1560,6 +1680,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -24214,7 +24272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1653,6 +1771,7 @@ +@@ -1653,6 +1775,7 @@ type user_home_dir_t, user_home_t; ') @@ -24222,7 +24280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1780,19 +1899,32 @@ +@@ -1780,19 +1903,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -24262,7 +24320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1827,6 +1959,7 @@ +@@ -1827,6 +1963,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -24270,7 +24328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2374,7 +2507,7 @@ +@@ -2374,7 +2511,7 @@ ######################################## ## @@ -24279,7 +24337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2728,11 +2861,32 @@ +@@ -2728,11 +2865,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -24314,7 +24372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2860,7 +3014,25 @@ +@@ -2860,7 +3018,25 @@ type user_tmp_t; ') @@ -24341,7 +24399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,6 +3069,7 @@ +@@ -2897,6 +3073,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -24349,7 +24407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3027,3 +3200,501 @@ +@@ -3027,3 +3204,501 @@ allow $1 userdomain:dbus send_msg; ')