From 2a4bdae89c2dbd30b9f8e4d95e68de7aa1dcaa33 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 21 2009 16:17:40 +0000 Subject: - Fixed for DeviceKit --- diff --git a/modules-mls.conf b/modules-mls.conf index 9c88089..eea74cd 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -340,6 +340,13 @@ dcc = module # ddcprobe = off +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + # Layer: kernel # Module: devices # Required in base @@ -1672,6 +1679,28 @@ openoffice = module podsleuth = module # Layer: role +# Module: logadm +# +# logadm account on tty logins +# +logadm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# +# Layer: role # Module: guest # # Minimally privs guest account on tty logins diff --git a/policy-20090105.patch b/policy-20090105.patch index 80b808c..19d0b5c 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -523,6 +523,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.3/policy/modules/admin/mrtg.te +--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/admin/mrtg.te 2009-01-20 16:16:42.000000000 -0500 +@@ -116,6 +116,7 @@ + userdom_use_user_terminals(mrtg_t) + userdom_dontaudit_read_user_home_content_files(mrtg_t) + userdom_dontaudit_use_unpriv_user_fds(mrtg_t) ++userdom_dontaudit_list_admin_dir(mrtg_t) + + ifdef(`enable_mls',` + corenet_udp_sendrecv_lo_if(mrtg_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.3/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/admin/netutils.te 2009-01-19 13:10:02.000000000 -0500 @@ -4053,8 +4064,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc 2009-01-19 13:10:02.000000000 -0500 -@@ -130,6 +130,8 @@ ++++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc 2009-01-20 14:46:23.000000000 -0500 +@@ -58,6 +58,8 @@ + + /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + ++/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) ++ + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) +@@ -130,6 +132,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4063,7 +4083,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -203,6 +205,7 @@ +@@ -203,6 +207,7 @@ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -4071,7 +4091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -@@ -223,14 +226,15 @@ +@@ -223,14 +228,15 @@ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -4089,7 +4109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -@@ -293,3 +297,8 @@ +@@ -293,3 +299,8 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -4386,7 +4406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.3/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/devices.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/devices.if 2009-01-20 16:50:48.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) @@ -4532,7 +4552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic the USB devices. ## ## -@@ -2785,6 +2879,97 @@ +@@ -2785,6 +2879,115 @@ ######################################## ## @@ -4591,6 +4611,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Read the kernel messages ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_kmsg',` ++ gen_require(` ++ type device_t, kmsg_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, kmsg_device_t) ++') ++ ++######################################## ++## +## Read the kvm devices. +## +## @@ -4630,7 +4668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a usbfs filesystem. ## ## -@@ -3320,3 +3505,223 @@ +@@ -3320,3 +3523,223 @@ typeattribute $1 devices_unconfined_type; ') @@ -5414,7 +5452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-20 14:57:41.000000000 -0500 @@ -534,6 +534,24 @@ ######################################## @@ -5858,7 +5896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if 2009-01-20 16:17:37.000000000 -0500 @@ -1197,6 +1197,7 @@ ') @@ -5939,9 +5977,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to kernel module resources. ## ## +@@ -2595,3 +2637,23 @@ + + typeattribute $1 kern_unconfined; + ') ++ ++######################################## ++## ++## Allow the specified domain to connect to ++## the kernel with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_stream_connect',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:unix_stream_socket connectto; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.3/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te 2009-01-20 17:15:33.000000000 -0500 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -5977,7 +6039,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -273,6 +287,8 @@ +@@ -198,6 +212,8 @@ + allow kernel_t self:sock_file read_sock_file_perms; + allow kernel_t self:fd use; + ++allow kernel_t debugfs_t:dir search; ++ + allow kernel_t proc_t:dir list_dir_perms; + allow kernel_t proc_t:file read_file_perms; + allow kernel_t proc_t:lnk_file read_lnk_file_perms; +@@ -246,7 +263,8 @@ + + selinux_load_policy(kernel_t) + +-term_use_console(kernel_t) ++term_use_all_terms(kernel_t) ++term_use_ptmx(kernel_t) + + corecmd_exec_shell(kernel_t) + corecmd_list_bin(kernel_t) +@@ -260,6 +278,8 @@ + files_list_etc(kernel_t) + files_list_home(kernel_t) + files_read_usr_files(kernel_t) ++files_manage_mounttab(kernel_t) ++files_manage_generic_spool_dirs(kernel_t) + + mcs_process_set_categories(kernel_t) + +@@ -267,12 +287,17 @@ + mls_process_write_down(kernel_t) + mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) ++ ++logging_manage_generic_logs(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 fs_rw_tmpfs_chr_files(kernel_t) ') @@ -5986,6 +6085,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) +@@ -357,6 +382,10 @@ + unconfined_domain(kernel_t) + ') + ++optional_policy(` ++ xserver_xdm_manage_spool(kernel_t) ++') ++ + ######################################## + # + # Unlabeled process local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.3/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/kernel/selinux.if 2009-01-19 13:32:33.000000000 -0500 @@ -6069,7 +6179,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.3/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/terminal.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/terminal.if 2009-01-20 14:48:49.000000000 -0500 +@@ -173,7 +173,7 @@ + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; +- allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; ++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; + ') + + ######################################## @@ -250,9 +250,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -8349,7 +8468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-20 07:55:29.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-21 11:01:33.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -10010,7 +10129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.3/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-20 15:16:32.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -10048,7 +10167,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization($1_t) -@@ -343,6 +357,24 @@ +@@ -261,6 +275,7 @@ + allow $1 system_cronjob_t:fifo_file rw_file_perms; + allow $1 system_cronjob_t:process sigchld; + ++ domain_auto_trans(crond_t, $2, $1) + allow $1 crond_t:fifo_file rw_file_perms; + allow $1 crond_t:fd use; + allow $1 crond_t:process sigchld; +@@ -343,6 +358,24 @@ ######################################## ## @@ -10073,7 +10200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write a cron daemon unnamed pipe. ## ## -@@ -361,7 +393,7 @@ +@@ -361,7 +394,7 @@ ######################################## ## @@ -10082,7 +10209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -369,7 +401,7 @@ +@@ -369,7 +402,7 @@ ## ## # @@ -10091,7 +10218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type crond_t; ') -@@ -481,11 +513,14 @@ +@@ -481,11 +514,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -10107,7 +10234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -506,3 +541,82 @@ +@@ -506,3 +542,82 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') @@ -10192,7 +10319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-20 16:52:23.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10249,7 +10376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -149,15 +163,14 @@ +@@ -149,19 +163,19 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -10268,7 +10395,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(crond_t) kernel_search_key(crond_t) -@@ -183,6 +196,8 @@ + ++dev_read_kmsg(crond_t) + dev_read_sysfs(crond_t) + selinux_get_fs_mount(crond_t) + selinux_validate_context(crond_t) +@@ -183,6 +197,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -10277,7 +10409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(crond_t) files_read_generic_spool(crond_t) -@@ -192,10 +207,13 @@ +@@ -192,10 +208,13 @@ files_search_default(crond_t) init_rw_utmp(crond_t) @@ -10291,7 +10423,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -208,6 +226,7 @@ +@@ -208,6 +227,7 @@ userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) @@ -10299,7 +10431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` # pam_limits is used -@@ -227,21 +246,45 @@ +@@ -227,21 +247,45 @@ ') ') @@ -10346,7 +10478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -283,6 +326,9 @@ +@@ -283,7 +327,14 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -10354,9 +10486,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) + allow system_cronjob_t system_cron_spool_t:file read_file_perms; ++ ++# anacron forces the following ++allow system_cronjob_t system_cron_spool_t:file { write setattr }; ++ # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are -@@ -314,9 +360,13 @@ + # not directly executed, crond must ensure that +@@ -314,9 +365,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -10371,7 +10508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -370,7 +420,8 @@ +@@ -370,7 +425,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -10381,7 +10518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +429,7 @@ +@@ -378,6 +434,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) @@ -10389,7 +10526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -428,11 +480,20 @@ +@@ -428,11 +485,20 @@ ') optional_policy(` @@ -10410,7 +10547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +521,7 @@ +@@ -460,8 +526,7 @@ ') optional_policy(` @@ -10420,7 +10557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,24 +529,17 @@ +@@ -469,24 +534,17 @@ ') optional_policy(` @@ -10429,16 +10566,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(crond_t) unconfined_domain(system_cronjob_t) - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) --') -- + ') + -ifdef(`TODO',` -ifdef(`mta.te', ` -allow system_cronjob_t mail_spool_t:lnk_file read; -allow mta_user_agent system_cronjob_t:fd use; -r_dir_file(system_mail_t, crond_tmp_t) - ') +-') -') dnl end TODO - +- ######################################## # # User cronjobs local policy @@ -10448,6 +10585,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; +@@ -570,6 +628,9 @@ + userdom_manage_user_home_content_sockets(cronjob_t) + #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + ++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++ + tunable_policy(`fcron_crond', ` + allow crond_t user_cron_spool_t:file manage_file_perms; + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.3/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.3/policy/modules/services/cups.fc 2009-01-19 13:10:02.000000000 -0500 @@ -11417,8 +11564,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:17:14.000000000 -0500 -@@ -0,0 +1,139 @@ ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-20 17:22:44.000000000 -0500 +@@ -0,0 +1,157 @@ + +## policy for devicekit + @@ -11458,7 +11605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + files_search_pids($1) -+ allow $1 devicekit_var_run_t:file read_file_perms; ++ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) +') + +######################################## @@ -11505,6 +11652,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Send signal devicekit power ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_power_signal',` ++ gen_require(` ++ type devicekit_power_t; ++ ') ++ ++ allow $1 devicekit_power_t:process signal; ++') ++ ++######################################## ++## +## Send and receive messages from +## devicekit power over dbus. +## @@ -11560,8 +11725,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-19 17:06:44.000000000 -0500 -@@ -0,0 +1,55 @@ ++++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-20 17:10:23.000000000 -0500 +@@ -0,0 +1,71 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -11587,13 +11752,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# DeviceKit local policy +# ++allow devicekit_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir }) + ++dev_read_sysfs(devicekit_t) ++dev_read_urand(devicekit_t) ++ ++files_read_etc_files(devicekit_t) ++ +fs_list_inotifyfs(devicekit_t) + ++miscfiles_read_localization(devicekit_t) ++ +optional_policy(` + dbus_system_bus_client(devicekit_t) +') @@ -11601,11 +11774,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# DeviceKit-Power local policy +# ++allow devicekit_power_t self:unix_dgram_socket create_socket_perms; + ++dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) ++dev_read_sysfs(devicekit_power_t) ++ +files_read_etc_files(devicekit_power_t) ++ +fs_list_inotifyfs(devicekit_power_t) + ++miscfiles_read_localization(devicekit_power_t) ++ +optional_policy(` + polkit_read_reload(devicekit_power_t) +') @@ -11614,9 +11794,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client(devicekit_power_t) + allow devicekit_power_t devicekit_t:dbus send_msg; + allow devicekit_t devicekit_power_t:dbus send_msg; ++ optional_policy(` ++ consolekit_dbus_chat(devicekit_power_t) ++ ') +') -+ -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/services/dhcp.if 2009-01-19 13:10:02.000000000 -0500 @@ -12512,7 +12693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.3/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/hal.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/hal.if 2009-01-20 15:29:07.000000000 -0500 @@ -51,10 +51,7 @@ type hald_t; ') @@ -12527,7 +12708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-19 14:46:49.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-20 11:41:48.000000000 -0500 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -12638,7 +12819,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; -@@ -418,3 +453,49 @@ +@@ -374,6 +409,8 @@ + + auth_use_nsswitch(hald_mac_t) + ++logging_send_syslog_msg(hald_mac_t) ++ + miscfiles_read_localization(hald_mac_t) + + ######################################## +@@ -418,3 +455,49 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) @@ -19908,7 +20098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.3/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/setroubleshoot.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/setroubleshoot.te 2009-01-21 11:01:41.000000000 -0500 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -19941,7 +20131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +74,23 @@ +@@ -68,16 +74,24 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -19963,10 +20153,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_read_fusefs_symlinks(setroubleshootd_t) +fs_dontaudit_read_nfs_files(setroubleshootd_t) +fs_dontaudit_read_cifs_files(setroubleshootd_t) ++fs_list_inotifyfs(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,22 +107,24 @@ +@@ -94,22 +108,24 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -21174,7 +21365,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-20 14:57:03.000000000 -0500 +@@ -53,7 +53,7 @@ + # virtd local policy + # + +-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; ++allow virtd_t self:capability { dac_override kill net_admin net_raw setuid setgid sys_nice sys_ptrace }; + allow virtd_t self:process { getsched sigkill signal execmem }; + allow virtd_t self:fifo_file rw_file_perms; + allow virtd_t self:unix_stream_socket create_stream_socket_perms; @@ -96,7 +96,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) @@ -21192,7 +21392,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_list_kernel_modules(virtd_t) -@@ -173,16 +174,17 @@ +@@ -129,6 +130,8 @@ + + logging_send_syslog_msg(virtd_t) + ++sysnet_domtrans_ifconfig(virtd_t) ++ + userdom_read_all_users_state(virtd_t) + + tunable_policy(`virt_use_nfs',` +@@ -173,16 +176,17 @@ iptables_domtrans(virtd_t) ') @@ -21305,8 +21514,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.3/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.if 2009-01-19 13:10:02.000000000 -0500 -@@ -156,7 +156,7 @@ ++++ serefpolicy-3.6.3/policy/modules/services/xserver.if 2009-01-21 11:14:55.000000000 -0500 +@@ -116,6 +116,7 @@ + # setattr: gnome-settings-daemon X11:GrabKey + # manage: metacity X11:ChangeWindowAttributes + allow $2 rootwindow_t:x_drawable { read write manage setattr }; ++ allow $2 $2:x_drawable all_x_drawable_perms; + + # setattr: metacity X11:InstallColormap + allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr }; +@@ -156,7 +157,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -21315,7 +21532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Client read xserver shm allow $1 xserver_t:fd use; -@@ -219,12 +219,12 @@ +@@ -219,12 +220,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -21331,7 +21548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -397,11 +397,12 @@ +@@ -397,11 +398,12 @@ gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; @@ -21347,7 +21564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; -@@ -409,7 +410,7 @@ +@@ -409,7 +411,7 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -21356,7 +21573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; -@@ -437,6 +438,10 @@ +@@ -437,6 +439,10 @@ allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') @@ -21367,7 +21584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -639,7 +644,7 @@ +@@ -639,7 +645,7 @@ type xdm_t; ') @@ -21376,7 +21593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -738,6 +743,7 @@ +@@ -738,6 +744,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -21384,7 +21601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -756,7 +762,26 @@ +@@ -756,7 +763,26 @@ ') files_search_pids($1) @@ -21412,7 +21629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -779,6 +804,31 @@ +@@ -779,6 +805,31 @@ ######################################## ## @@ -21444,7 +21661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1018,10 +1068,11 @@ +@@ -1018,10 +1069,11 @@ # interface(`xserver_domtrans',` gen_require(` @@ -21457,7 +21674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1210,253 @@ +@@ -1159,6 +1211,272 @@ ######################################## ## @@ -21690,6 +21907,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Manage the xdm_spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_manage_spool',` ++ gen_require(` ++ type xdm_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ++') ++ ++######################################## ++## +## Ptrace XDM +## +## @@ -21713,7 +21949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## display. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 17:08:51.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 11:00:16.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -22126,7 +22362,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -635,6 +738,15 @@ +@@ -587,7 +690,7 @@ + # execheap needed until the X module loader is fixed. + # NVIDIA Needs execstack + +-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; ++allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + dontaudit xserver_t self:capability chown; + allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow xserver_t self:memprotect mmap_zero; +@@ -602,6 +705,7 @@ + allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow xserver_t self:tcp_socket create_stream_socket_perms; + allow xserver_t self:udp_socket create_socket_perms; ++allow xserver_t self:netlink_selinux_socket create_socket_perms; + + # Device rules + allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; +@@ -635,6 +739,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -22142,15 +22395,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -682,6 +794,7 @@ +@@ -680,9 +793,13 @@ + dev_rw_xserver_misc(xserver_t) + # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) ++dev_read_raw_memory(xserver_t) ++dev_write_raw_memory(xserver_t) dev_rwx_zero(xserver_t) +domain_mmap_low_type(xserver_t) domain_mmap_low(xserver_t) ++domain_dontaudit_read_all_domains_state(xserver_t) files_read_etc_files(xserver_t) -@@ -697,6 +810,7 @@ + files_read_etc_runtime_files(xserver_t) +@@ -697,6 +814,7 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -22158,7 +22417,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_xwin_read_to_clearance(xserver_t) -@@ -806,7 +920,7 @@ +@@ -720,6 +838,7 @@ + + miscfiles_read_localization(xserver_t) + miscfiles_read_fonts(xserver_t) ++miscfiles_read_hwdata(xserver_t) + + modutils_domtrans_insmod(xserver_t) + +@@ -774,6 +893,10 @@ + ') + + optional_policy(` ++ devicekit_power_signal(xserver_t) ++') ++ ++optional_policy(` + rhgb_getpgid(xserver_t) + rhgb_signal(xserver_t) + ') +@@ -806,7 +929,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -22167,7 +22445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -830,6 +944,10 @@ +@@ -830,6 +953,10 @@ xserver_use_user_fonts(xserver_t) @@ -22178,7 +22456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +962,14 @@ +@@ -844,11 +971,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -22194,7 +22472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +977,11 @@ +@@ -856,6 +986,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -22206,7 +22484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -972,6 +1098,37 @@ +@@ -972,6 +1107,37 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -22244,7 +22522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1143,13 @@ +@@ -986,3 +1152,13 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO @@ -22398,7 +22676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.3/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/authlogin.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/authlogin.if 2009-01-20 10:57:35.000000000 -0500 @@ -43,6 +43,7 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -22717,7 +22995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.3/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/authlogin.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/authlogin.te 2009-01-20 10:58:05.000000000 -0500 @@ -12,7 +12,7 @@ type chkpwd_t, can_read_shadow_passwords; @@ -22737,7 +23015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # var_auth_t is the type of /var/lib/auth, usually # used for auth data in pam_able -@@ -121,6 +124,11 @@ +@@ -121,9 +124,18 @@ ') optional_policy(` @@ -22749,7 +23027,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_use(chkpwd_t) ') -@@ -168,6 +176,11 @@ ++optional_policy(` ++ nis_authenticate(chkpwd_t) ++') ++ + ######################################## + # + # PAM local policy +@@ -168,6 +180,11 @@ logging_send_syslog_msg(pam_t) @@ -22761,7 +23046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(pam_t) -@@ -183,7 +196,7 @@ +@@ -183,7 +200,7 @@ # PAM console local policy # @@ -22770,7 +23055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit pam_console_t self:capability sys_tty_config; allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; -@@ -201,6 +214,8 @@ +@@ -201,6 +218,8 @@ dev_read_sysfs(pam_console_t) dev_getattr_apm_bios_dev(pam_console_t) dev_setattr_apm_bios_dev(pam_console_t) @@ -22779,7 +23064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_getattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t) dev_getattr_input_dev(pam_console_t) -@@ -225,6 +240,10 @@ +@@ -225,6 +244,10 @@ dev_setattr_video_dev(pam_console_t) dev_getattr_xserver_misc_dev(pam_console_t) dev_setattr_xserver_misc_dev(pam_console_t) @@ -22868,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/init.if 2009-01-20 14:42:59.000000000 -0500 @@ -280,6 +280,27 @@ kernel_dontaudit_use_fds($1) ') @@ -23049,7 +23334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-01-20 17:11:43.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -23152,11 +23437,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t,initrc_tmp_t) allow initrc_t initrc_tmp_t:file manage_file_perms; -@@ -251,13 +280,14 @@ +@@ -249,15 +278,18 @@ + kernel_rw_all_sysctls(initrc_t) + # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) ++kernel_stream_connect(initrc_t) files_read_kernel_symbol_table(initrc_t) +files_exec_etc_files(initrc_t) ++fs_list_inotifyfs(initrc_t) corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) @@ -23171,7 +23460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -274,7 +304,7 @@ +@@ -274,7 +306,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) @@ -23180,7 +23469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -328,7 +358,7 @@ +@@ -328,7 +360,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -23189,7 +23478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -367,6 +397,7 @@ +@@ -367,6 +399,7 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -23197,7 +23486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -498,6 +529,7 @@ +@@ -498,6 +531,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -23205,7 +23494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +548,31 @@ +@@ -516,6 +550,31 @@ ') ') @@ -23237,7 +23526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +627,10 @@ +@@ -570,6 +629,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -23248,7 +23537,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -655,12 +716,6 @@ +@@ -655,12 +718,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -23261,7 +23550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -721,6 +776,9 @@ +@@ -721,6 +778,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -23271,7 +23560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +791,12 @@ +@@ -733,10 +793,12 @@ squid_manage_logs(initrc_t) ') @@ -23284,7 +23573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +814,11 @@ +@@ -754,6 +816,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -23296,7 +23585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -768,6 +833,10 @@ +@@ -768,6 +835,10 @@ ') optional_policy(` @@ -23307,7 +23596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -790,3 +859,11 @@ +@@ -790,3 +861,11 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -23820,7 +24109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.3/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/logging.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/logging.te 2009-01-20 16:07:48.000000000 -0500 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -23852,7 +24141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -@@ -226,20 +228,32 @@ +@@ -226,13 +228,18 @@ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) @@ -23866,12 +24155,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_etc_runtime_files(audisp_t) mls_file_write_all_levels(audisp_t) - -+auth_use_nsswitch(audisp_t) ++mls_dbus_send_all_levels(audisp_t) + ++auth_use_nsswitch(audisp_t) + logging_send_syslog_msg(audisp_t) - miscfiles_read_localization(audisp_t) +@@ -240,6 +247,14 @@ sysnet_dns_name_resolve(audisp_t) @@ -23886,7 +24176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Audit remote logger local policy -@@ -253,11 +267,16 @@ +@@ -253,11 +268,16 @@ corenet_tcp_sendrecv_generic_node(audisp_remote_t) corenet_tcp_connect_audit_port(audisp_remote_t) corenet_sendrecv_audit_client_packets(audisp_remote_t) @@ -23903,7 +24193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t) -@@ -337,7 +356,7 @@ +@@ -337,7 +357,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; @@ -23930,7 +24220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.3/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/lvm.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/lvm.te 2009-01-20 15:26:33.000000000 -0500 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) @@ -24071,7 +24361,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) -@@ -221,6 +256,7 @@ +@@ -192,6 +227,7 @@ + kernel_read_kernel_sysctls(lvm_t) + # it has no reason to need this + kernel_dontaudit_getattr_core_if(lvm_t) ++kernel_use_fds(lvm_t) + + selinux_get_fs_mount(lvm_t) + selinux_validate_context(lvm_t) +@@ -221,6 +257,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -24079,14 +24377,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -239,12 +275,17 @@ +@@ -239,12 +276,16 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) +mls_file_read_all_levels(lvm_t) + -+term_getattr_all_user_ttys(lvm_t) -+term_list_ptys(lvm_t) ++term_use_all_terms(lvm_t) corecmd_exec_bin(lvm_t) corecmd_exec_shell(lvm_t) @@ -24167,7 +24464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.3/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/modutils.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/modutils.te 2009-01-21 10:30:56.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # @@ -24216,10 +24513,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -110,18 +113,29 @@ +@@ -109,19 +112,30 @@ + seutil_read_file_contexts(insmod_t) - userdom_use_user_terminals(insmod_t) +-userdom_use_user_terminals(insmod_t) ++term_use_all_terms(insmod_t) +userdom_dontaudit_search_user_home_dirs(insmod_t) -ifdef(`distro_ubuntu',` @@ -25370,7 +25669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.3/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/sysnetwork.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/sysnetwork.if 2009-01-20 14:55:03.000000000 -0500 @@ -192,7 +192,25 @@ type dhcpc_state_t; ') @@ -25724,8 +26023,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.3/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/udev.te 2009-01-19 13:10:02.000000000 -0500 -@@ -83,6 +83,7 @@ ++++ serefpolicy-3.6.3/policy/modules/system/udev.te 2009-01-20 15:21:24.000000000 -0500 +@@ -83,10 +83,12 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) @@ -25733,7 +26032,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -139,6 +140,7 @@ + kernel_read_network_state(udev_t) ++kernel_read_software_raid_state(udev_t) + + corecmd_exec_all_executables(udev_t) + +@@ -139,6 +141,7 @@ logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) @@ -25741,7 +26045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(udev_t) -@@ -186,6 +188,7 @@ +@@ -186,6 +189,7 @@ optional_policy(` alsa_domtrans(udev_t) @@ -25749,7 +26053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol alsa_read_rw_config(udev_t) ') -@@ -194,6 +197,10 @@ +@@ -194,6 +198,10 @@ ') optional_policy(` @@ -25760,7 +26064,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(udev_t) ') -@@ -230,6 +237,10 @@ +@@ -202,6 +210,10 @@ + ') + + optional_policy(` ++ devicekit_read_pid_files(udev_t) ++') ++ ++optional_policy(` + fstools_domtrans(udev_t) + ') + +@@ -230,6 +242,10 @@ ') optional_policy(` @@ -25771,7 +26086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) -@@ -237,5 +248,9 @@ +@@ -237,5 +253,9 @@ ') optional_policy(` @@ -26405,7 +26720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:15:36.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-20 16:18:13.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -27447,7 +27762,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1106,8 +1174,6 @@ +@@ -1099,6 +1167,7 @@ + kernel_sigstop_unlabeled($1_t) + kernel_signull_unlabeled($1_t) + kernel_sigchld_unlabeled($1_t) ++ kernel_signal($1_t) + + corenet_tcp_bind_generic_port($1_t) + # allow setting up tunnels +@@ -1106,8 +1175,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -27456,7 +27779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1228,6 @@ +@@ -1162,20 +1229,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27477,7 +27800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1273,7 @@ +@@ -1221,6 +1274,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -27485,7 +27808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1339,15 @@ +@@ -1286,11 +1340,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -27501,7 +27824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1444,7 @@ +@@ -1387,7 +1445,7 @@ ######################################## ## @@ -27510,7 +27833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1477,14 @@ +@@ -1420,6 +1478,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -27525,7 +27848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1500,11 @@ +@@ -1435,9 +1501,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -27537,7 +27860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1561,25 @@ +@@ -1494,6 +1562,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -27563,7 +27886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1633,9 @@ +@@ -1547,9 +1634,9 @@ type user_home_dir_t, user_home_t; ') @@ -27575,7 +27898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1654,8 @@ +@@ -1568,6 +1655,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -27584,7 +27907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1731,7 @@ +@@ -1643,6 +1732,7 @@ type user_home_dir_t, user_home_t; ') @@ -27592,7 +27915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1830,62 @@ +@@ -1741,6 +1831,62 @@ ######################################## ## @@ -27655,7 +27978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1902,6 @@ +@@ -1757,14 +1903,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -27670,7 +27993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1924,46 @@ +@@ -1787,6 +1925,46 @@ ######################################## ## @@ -27717,7 +28040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -2819,6 +2996,24 @@ +@@ -2819,6 +2997,24 @@ ######################################## ## @@ -27742,7 +28065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2851,6 +3046,7 @@ +@@ -2851,6 +3047,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -27750,7 +28073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3161,24 @@ +@@ -2965,6 +3162,24 @@ ######################################## ## @@ -27775,7 +28098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3195,264 @@ +@@ -2981,3 +3196,264 @@ allow $1 userdomain:dbus send_msg; ') @@ -27857,7 +28180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +template(`userdom_admin_login_user_template',` + -+ userdom_unpriv_user_template($1) ++ userdom_admin_user_template($1) + + domain_read_all_domains_state($1_t) + domain_getattr_all_domains($1_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 47c8aaa..ad3b6a3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.3 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,9 @@ exit 0 %endif %changelog +* Tue Jan 20 2009 Dan Walsh 3.6.3-3 +- Fixed for DeviceKit + * Mon Jan 19 2009 Dan Walsh 3.6.3-2 - Add devicekit policy