From 533c755e4de7ba4c8d0e9795e2dae3c652d1e1a0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 28 2008 03:32:23 +0000 Subject: - Allow nsplugin_config execstack/execmem - Allow nsplugin_t to read alsa config - Change apache to use user content --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 052634b..b08228b 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2340,7 +2340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te java_domtrans(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-02-27 12:44:10.000000000 -0500 @@ -55,7 +55,7 @@ # @@ -2350,7 +2350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; -@@ -68,33 +68,33 @@ +@@ -68,33 +68,34 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; @@ -2370,6 +2370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) - kernel_search_key($1_sudo_t) ++ kernel_link_key($1_sudo_t) dev_read_urand($1_sudo_t) 
@@ -2388,7 +2389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +106,42 @@ +@@ -106,32 +107,42 @@ files_getattr_usr_files($1_sudo_t) # for some PAM modules and for cwd files_dontaudit_search_home($1_sudo_t) @@ -4322,7 +4323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-02-27 13:16:07.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -5265,8 +5266,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-02-26 08:29:22.000000000 -0500 -@@ -0,0 +1,149 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-02-27 12:47:03.000000000 -0500 +@@ -0,0 +1,154 @@ + +policy_module(nsplugin,1.0.0) + @@ -5311,6 +5312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +tunable_policy(`allow_nsplugin_execmem',` + allow nsplugin_t self:process { execstack execmem }; ++ allow nsplugin_config_t self:process { execstack execmem }; +') + +manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) 
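Review bot: The added `allow nsplugin_config_t self:process { execstack execmem };` widens the allow_nsplugin_execmem tunable to a second domain without a comment saying which binary needs it, and it grants execstack together with execmem although nothing in the hunk shows the config helper needs an executable stack. If the denial that motivated this was execmem only, drop execstack, since it waives a separate protection; if both are needed, say so in a one-line comment above the rule, e.g. `# nsplugin_config_t loads the same plugin code as nsplugin_t`, but only if that is in fact the reason. The tunable's description, which is outside this hunk, should also be updated to name nsplugin_config_t so that administrators toggling it know it affects both domains.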
@@ -5359,6 +5361,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t) + +optional_policy(` ++ alsa_read_rw_config(nsplugin_t) ++') ++ ++optional_policy(` + mozilla_read_user_home_files(user, nsplugin_t) + mozilla_write_user_home_files(user, nsplugin_t) +') @@ -6213,7 +6219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(xen, tcp,8002,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-26 14:17:28.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc 2008-02-27 17:11:50.000000000 -0500 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) @@ -6282,7 +6288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -@@ -69,9 +85,8 @@ +@@ -69,14 +85,14 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) 
@@ -6294,7 +6300,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -91,6 +106,7 @@ + ') + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) + /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) + /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -91,6 +107,7 @@ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) @@ -6302,7 +6314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) -@@ -98,13 +114,23 @@ +@@ -98,13 +115,23 @@ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -6326,7 +6338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/pts(/.*)? <> -@@ -134,3 +160,4 @@ +@@ -134,3 +161,4 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -7148,7 +7160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # iso9660_t is the type for CD filesystems diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-27 16:58:04.000000000 -0500 @@ -851,9 +851,8 @@ type proc_t, proc_afs_t; ') 
@@ -7561,7 +7573,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav # amavis local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-02-26 16:33:46.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-02-27 13:12:43.000000000 -0500 +@@ -1,4 +1,4 @@ +-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) ++HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) + + /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) + /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -16,7 +16,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -7609,7 +7627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-27 17:47:47.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; 
@@ -7630,15 +7648,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -@@ -87,7 +83,6 @@ +@@ -87,7 +83,8 @@ manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) - files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) ++ read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -96,6 +91,7 @@ +@@ -96,6 +93,7 @@ dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) @@ -7646,7 +7666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -120,10 +116,6 @@ +@@ -120,10 +118,6 @@ can_exec(httpd_$1_script_t, httpdcontent) ') @@ -7657,7 +7677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -@@ -177,48 +169,6 @@ +@@ -177,48 +171,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') 
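Review bot: The two added `read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)` and `read_lnk_files_pattern(...)` lines use spaces after the commas while every surrounding pattern call in this template is written without them (`manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)`); match the file's form. A short comment would also help, since the `httpdcontent` attribute in the directory position is what makes these rules broader than a plain `httpd_$1_content_t` read: `# scripts may read httpd_$1_content_t files located under any web content directory`. The template continues outside the hunk.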
@@ -7706,58 +7726,173 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -267,7 +217,7 @@ +@@ -265,72 +217,79 @@ + template(`apache_per_role_template', ` + gen_require(` attribute httpdcontent, httpd_script_domains; - attribute httpd_exec_scripts, httpd_user_content_type; - attribute httpd_user_script_exec_type; +- attribute httpd_exec_scripts, httpd_user_content_type; +- attribute httpd_user_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; ++ attribute httpd_exec_scripts; + type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t; ++ type httpd_user_content_t; ++ type httpd_user_script_t; ++ type httpd_user_script_ra_t; ++ type httpd_user_script_rw_t; ++ type httpd_user_script_ro_t; ++ type httpd_user_script_exec_t; ++ type httpd_user_htaccess_t; ++ ') ++ ++ ++ ifelse(`$1',`user',`',` ++ typealias httpd_user_content_t alias httpd_$1_content_t; ++ typealias httpd_user_script_ra_t alias httpd_$1_script_ra_t; ++ typealias httpd_user_script_rw_t alias httpd_$1_script_rw_t; ++ typealias httpd_user_script_ro_t alias httpd_$1_script_ro_t; ++ typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t; ++ typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t; + ') + +- apache_content_template($1) + +- typeattribute httpd_$1_content_t httpd_user_content_type; +- typeattribute httpd_$1_script_ra_t httpd_user_content_type; +- typeattribute httpd_$1_script_rw_t httpd_user_content_type; +- typeattribute httpd_$1_script_ro_t httpd_user_content_type; +- typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type; +- +- typeattribute httpd_$1_script_t httpd_script_domains; +- userdom_user_home_content($1,httpd_$1_content_t) +- +- role $3 types httpd_$1_script_t; +- +- allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom }; +- +- allow $2 httpd_$1_htaccess_t:file { manage_file_perms 
relabelto relabelfrom }; +- +- manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- +- manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- +- manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- +- manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) +- manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) +- manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) +- relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) +- relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) +- relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) ++ role $3 types httpd_user_script_t; ++ ++ allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; ++ ++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; ++ ++ 
manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) ++ manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) ++ manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) ++ relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) ++ relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) ++ relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) ++ ++ manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) ++ manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) ++ manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) ++ relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) ++ relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) ++ relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) ++ ++ manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) ++ manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) ++ manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) ++ relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) ++ relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) ++ relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) ++ ++ manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + + tunable_policy(`httpd_enable_cgi',` + # If a user starts a script by hand it gets the proper context +- domtrans_pattern($2, httpd_$1_script_exec_t, 
httpd_$1_script_t) ++ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) + ') + + tunable_policy(`httpd_enable_cgi && httpd_unified',` +- allow httpd_$1_script_t httpdcontent:file entrypoint; ++ allow httpd_user_script_t httpdcontent:file entrypoint; + +- domtrans_pattern($2, httpdcontent, httpd_$1_script_t) ++ domtrans_pattern($2, httpdcontent, httpd_user_script_t) ') - apache_content_template($1) -@@ -331,6 +281,7 @@ - userdom_search_user_home_dirs($1,httpd_t) - userdom_search_user_home_dirs($1,httpd_suexec_t) - userdom_search_user_home_dirs($1,httpd_$1_script_t) -+ userdom_search_user_home_dirs($1,httpd_sys_script_t) + # allow accessing files/dirs below the users home dir + tunable_policy(`httpd_enable_homedirs',` +- userdom_search_user_home_dirs($1,httpd_t) +- userdom_search_user_home_dirs($1,httpd_suexec_t) +- userdom_search_user_home_dirs($1,httpd_$1_script_t) ++ userdom_search_user_home_dirs(user,httpd_t) ++ userdom_search_user_home_dirs(user,httpd_suexec_t) ++ userdom_search_user_home_dirs(user,httpd_user_script_t) ++ userdom_search_user_home_dirs(user,httpd_sys_script_t) ') ') -@@ -352,12 +303,11 @@ +@@ -352,12 +311,11 @@ # template(`apache_read_user_scripts',` gen_require(` - type httpd_$1_script_exec_t; -+ attribute httpd_user_script_exec_type; ++ type httpd_user_script_exec_t; ') - - allow $2 httpd_$1_script_exec_t:dir list_dir_perms; - read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) - read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) -+ allow $2 httpd_user_script_exec_type:dir list_dir_perms; -+ read_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type) -+ read_lnk_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type) ++ allow $2 httpd_user_script_exec_t:dir list_dir_perms; ++ read_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ read_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) ') 
######################################## -@@ -378,12 +328,12 @@ +@@ -378,12 +336,12 @@ # template(`apache_read_user_content',` gen_require(` - type httpd_$1_content_t; -+ attribute httpd_user_content_type; ++ type httpd_user_content_t; ') - allow $2 httpd_$1_content_t:dir list_dir_perms; - read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) - read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) -+ allow $2 httpd_user_content_type:dir list_dir_perms; -+ read_files_pattern($2,httpd_user_content_type,httpd_user_content_type) -+ read_lnk_files_pattern($2,httpd_user_content_type,httpd_user_content_type) ++ allow $2 httpd_user_content_t:dir list_dir_perms; ++ read_files_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ read_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t) ') ######################################## -@@ -761,6 +711,7 @@ +@@ -761,6 +719,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -7765,7 +7900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -845,6 +796,10 @@ +@@ -845,6 +804,10 @@ type httpd_sys_script_t; ') @@ -7776,7 +7911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') -@@ -932,7 +887,7 @@ +@@ -932,7 +895,7 @@ type httpd_squirrelmail_t; ') 
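Review bot: With the new `ifelse(`$1',`user',`',` … typealias … ')` block every instantiation of apache_per_role_template ends up with the same types and the same `httpd_user_script_t` domain (`role $3 types httpd_user_script_t;`), so `$1` now only produces backward-compatible alias names and the per-role separation the template name suggests no longer exists; that deserves a comment at the top of the block, e.g. `# All roles share the httpd_user_* types; $1 only generates compatibility aliases.` The `typeattribute httpd_$1_script_t httpd_script_domains;` line is removed and nothing in the new body replaces it, so unless apache_content_template (outside this view) adds the attribute, httpd_user_script_t drops out of httpd_script_domains — please confirm. The `userdom_search_user_home_dirs(user,httpd_t)` calls hard-code `user`; if a per-role home directory type such as `staff_home_dir_t` still exists, a `staff` instantiation no longer grants httpd_t search on that role's home directories. Finally, `httpd_script_domains`, `httpd_exec_scripts` and `httpd_log_t` remain in `gen_require` but are not referenced anywhere in the template as shown, and there is a stray double blank line after the `ifelse` block.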
@@ -7785,7 +7920,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1088,3 +1043,133 @@ +@@ -1023,16 +986,16 @@ + # + interface(`apache_manage_all_user_content',` + gen_require(` +- attribute httpd_user_content_type, httpd_user_script_exec_type; ++ type httpd_user_content_t, httpd_user_script_exec_t; + ') + +- manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type) +- manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type) +- manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type) ++ manage_dirs_pattern($1,httpd_user_content_t,httpd_user_content_t) ++ manage_files_pattern($1,httpd_user_content_t,httpd_user_content_t) ++ manage_lnk_files_pattern($1,httpd_user_content_t,httpd_user_content_t) + +- manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) +- manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) +- manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) ++ manage_dirs_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ manage_files_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t) ++ manage_lnk_files_pattern($1,httpd_user_script_exec_t,httpd_user_script_exec_t) + ') + + ######################################## +@@ -1088,3 +1051,133 @@ allow httpd_t $1:process signal; ') @@ -7921,7 +8080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-27 17:28:38.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # 
@@ -7971,7 +8130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## the terminal. ##

## -@@ -109,6 +118,27 @@ +@@ -109,14 +118,33 @@ ## gen_tunable(httpd_unified,false) @@ -7997,9 +8156,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +gen_tunable(allow_httpd_sys_script_anon_write,false) + attribute httpdcontent; - attribute httpd_user_content_type; +-attribute httpd_user_content_type; + + # domains that can exec all users scripts + attribute httpd_exec_scripts; -@@ -147,6 +177,9 @@ + attribute httpd_script_exec_type; +-attribute httpd_user_script_exec_type; + + # user script domains + attribute httpd_script_domains; +@@ -147,6 +175,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -8009,7 +8176,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -207,7 +240,7 @@ +@@ -202,12 +233,15 @@ + prelink_object_file(httpd_modules_t) + ') + ++apache_content_template(user) ++userdom_user_home_content(user,httpd_user_content_t) ++ + ######################################## + # # Apache server local policy # @@ -8018,7 +8193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +282,7 @@ +@@ -249,6 +283,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) 
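Review bot: Removing `attribute httpd_user_content_type;` and `attribute httpd_user_script_exec_type;` is consistent with the apache.if changes in this commit, but any other module that names these attributes in a `gen_require` will now fail to link, and this patch only shows the apache files being updated. Grep the rest of the policy tree for both names before merging; if other callers exist, keep the attributes declared and attach them with `typeattribute httpd_user_content_t httpd_user_content_type;` and `typeattribute httpd_user_script_exec_t httpd_user_script_exec_type;` so existing interfaces keep working.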
@@ -8026,7 +8201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -289,6 +323,7 @@ +@@ -289,6 +324,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -8034,7 +8209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -315,9 +350,7 @@ +@@ -315,9 +351,7 @@ auth_use_nsswitch(httpd_t) @@ -8045,7 +8220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -335,6 +368,10 @@ +@@ -335,6 +369,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -8056,7 +8231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,25 +388,38 @@ +@@ -351,25 +389,38 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -8100,7 +8275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,6 +432,10 @@ +@@ -382,6 +433,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -8111,7 +8286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -399,11 +453,21 @@ +@@ -399,11 +454,21 @@ fs_read_nfs_symlinks(httpd_t) ') 
@@ -8133,7 +8308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +501,14 @@ +@@ -437,8 +502,14 @@ ') optional_policy(` @@ -8149,7 +8324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +520,13 @@ +@@ -450,19 +521,13 @@ ') optional_policy(` @@ -8170,7 +8345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +536,14 @@ +@@ -472,13 +537,14 @@ openca_kill(httpd_t) ') @@ -8189,7 +8364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +551,7 @@ +@@ -486,6 +552,7 @@ ') optional_policy(` @@ -8197,11 +8372,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +587,13 @@ +@@ -521,6 +588,19 @@ userdom_use_sysadm_terms(httpd_helper_t) ') +optional_policy(` ++ type httpd_unconfined_script_t; ++ type httpd_unconfined_script_exec_t; ++ domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t) ++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) ++ unconfined_domain(httpd_unconfined_script_t) ++ + tunable_policy(`httpd_tty_comm',` + unconfined_use_terminals(httpd_helper_t) + ') @@ -8211,7 +8392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +623,24 @@ +@@ -550,18 +630,24 @@ fs_search_auto_mountpoints(httpd_php_t) 
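Review bot: The new `httpd_unconfined_script_t` block gives httpd_t an unconditional transition, `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)`, into a domain that `unconfined_domain()` places outside all confinement, so the only remaining control is the file label, and no file context for httpd_unconfined_script_exec_t appears in the apache.fc hunks of this patch. Gate the transition behind a tunable in the style the file already uses (`tunable_policy(`httpd_enable_cgi',` … `')`, or a dedicated boolean) so an administrator can switch it off without relabeling, and document the type with a comment such as `# Scripts labeled httpd_unconfined_script_exec_t run with no SELinux confinement; label only fully trusted content`. The two `type` declarations should also move to the Declarations section of apache.te rather than sit inside `optional_policy(`', where they are dropped with the rest of the block whenever the unconfined module is absent.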
@@ -8239,7 +8420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +664,8 @@ +@@ -585,6 +671,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -8248,7 +8429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +674,7 @@ +@@ -593,9 +681,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -8259,7 +8440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +707,7 @@ +@@ -628,6 +714,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -8267,7 +8448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +718,12 @@ +@@ -638,6 +725,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -8280,7 +8461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +741,6 @@ +@@ -655,10 +748,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -8291,7 +8472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +750,8 @@ +@@ -668,7 +757,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; 
@@ -8301,7 +8482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +765,44 @@ +@@ -682,15 +772,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -8313,15 +8494,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -8347,7 +8528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +812,15 @@ +@@ -700,9 +819,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -8363,7 +8544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +842,46 @@ +@@ -724,3 +849,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -13552,7 +13733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-02-27 16:57:40.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -16034,7 +16215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.3.1/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/nscd.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/nscd.te 2008-02-27 17:21:47.000000000 -0500 @@ -23,19 +23,22 @@ type nscd_log_t; logging_log_file(nscd_log_t) @@ -16070,16 +16251,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd kernel_read_kernel_sysctls(nscd_t) kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) -@@ -73,6 +78,8 @@ +@@ -73,6 +78,7 @@ corenet_udp_sendrecv_all_nodes(nscd_t) corenet_tcp_sendrecv_all_ports(nscd_t) corenet_udp_sendrecv_all_ports(nscd_t) +corenet_udp_bind_all_nodes(nscd_t) -+corenet_udp_bind_all_nodes(nscd_t) corenet_tcp_connect_all_ports(nscd_t) corenet_sendrecv_all_client_packets(nscd_t) corenet_rw_tun_tap_dev(nscd_t) -@@ -93,6 +100,7 @@ +@@ -93,6 +99,7 @@ libs_use_ld_so(nscd_t) libs_use_shared_libs(nscd_t) 
@@ -16087,7 +16267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd logging_send_syslog_msg(nscd_t) miscfiles_read_localization(nscd_t) -@@ -114,3 +122,12 @@ +@@ -114,3 +121,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -22506,7 +22686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-26 09:47:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 18:04:08.000000000 -0500 @@ -15,6 +15,11 @@ template(`xserver_common_domain_template',` gen_require(` @@ -22911,7 +23091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - libs_use_ld_so($1_iceauth_t) - libs_use_shared_libs($1_iceauth_t) + # Device rules -+ allow xdm_x_domain $2:x_device { read getattr setattr setfocus grab bell }; ++ allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell }; - userdom_use_user_terminals($1,$1_iceauth_t) + allow $2 { input_xevent_t xdm_input_xevent_type }:x_event send; @@ -22957,7 +23137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +539,356 @@ +@@ -542,25 +539,360 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; 
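Review bot: The `read` permission is dropped from `allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };` here, and likewise from the two `$3` x_device rules in the following xserver.if hunks and from the xserver_unconfined_type rule in xserver.te, but no policy comment explains it and the commit message lists only the nsplugin, alsa and apache changes. Presumably the intent is to stop an X client from reading input events on devices it does not own; that deserves one comment where the 'Hacks' block enumerates device permissions, e.g. `# x_device read is deliberately withheld from clients`, and a line in the commit message. The per-template rules use an explicit permission list whereas the unconfined-client rules use `~{ read }`, which also grants any x_device permission added to the class later; that matches the neighbouring `*` rules, so it is a conscious choice to confirm rather than a defect. The template containing this rule starts before the hunk.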
@@ -23051,6 +23231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type screensaver_xext_t, unknown_xext_t, x_rootscreen_t; + type xdm_default_xproperty_t; + type disallowed_xext_t; ++ type output_xext_t; + + attribute x_server_domain, x_domain; + attribute xproperty_type; @@ -23100,7 +23281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # Hacks + # everyone can get the input focus of everyone else + # this is a fundamental brokenness in the X protocol -+ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell read manage freeze getattr grab }; ++ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab }; + # everyone can grab the server + # everyone does it, it is basically a free DOS attack + allow $3 x_server_domain:x_server grab; @@ -23128,6 +23309,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # X Properties + # can read and write client properties + allow $3 $2_default_xproperty_t:x_property { create destroy read write }; ++ allow $3 default_xproperty_t:x_property read; ++ allow $3 output_xext_t:x_extension use; ++ + allow $3 xdm_default_xproperty_t:x_property { write read }; + + type_transition $3 default_xproperty_t:x_property $2_default_xproperty_t; @@ -23228,7 +23412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $3 xselection_type:x_selection *; + allow $3 x_domain:x_cursor *; + allow $3 { x_domain remote_xclient_t }:x_client *; -+ allow $3 { x_domain x_server_domain }:x_device *; ++ allow $3 { x_domain x_server_domain }:x_device ~{ read }; + allow $3 xextension_type:x_extension *; + allow $3 { x_domain x_server_domain }:x_resource *; + allow $3 xevent_type:{ x_event x_synthetic_event } *; 
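Review bot: The new rules `allow $3 default_xproperty_t:x_property read;` and `allow $3 output_xext_t:x_extension use;` sit under the `# can read and write client properties` comment, but the second is an extension rule and neither says which client operation needs it. I would move the x_extension line next to the other extension rules and give each a why-comment naming the requirement, which the hunk does not show. `type output_xext_t;` is added to gen_require in the hunk above; its declaration in xserver.te is not visible here and the type is otherwise unused in these hunks, so confirm it exists and that `use` is the only permission clients need on it. The template these hunks edit starts before the first of them and continues past the last.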
@@ -23320,7 +23504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +921,44 @@ +@@ -593,26 +925,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -23372,7 +23556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +984,77 @@ +@@ -638,10 +988,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -23452,7 +23636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -671,10 +1084,10 @@ +@@ -671,10 +1088,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -23465,7 +23649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1173,7 @@ +@@ -760,7 +1177,7 @@ type xconsole_device_t; ') @@ -23474,7 +23658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1273,25 @@ +@@ -860,6 +1277,25 @@ ######################################## ## @@ -23500,7 +23684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1346,7 @@ +@@ -914,6 +1350,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -23508,7 +23692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1388,24 @@ +@@ -955,6 +1392,24 @@ ######################################## ## 
@@ -23533,7 +23717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1416,47 @@ +@@ -965,15 +1420,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -23582,7 +23766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1606,7 @@ +@@ -1123,7 +1610,7 @@ type xdm_xserver_tmp_t; ') @@ -23591,7 +23775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1795,108 @@ +@@ -1312,3 +1799,108 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -23702,7 +23886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 18:04:32.000000000 -0500 @@ -16,21 +16,79 @@ ## 
@@ -24253,7 +24437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +allow xserver_unconfined_type xselection_type:x_selection *; +allow xserver_unconfined_type { x_domain self }:x_cursor *; +allow xserver_unconfined_type { x_domain remote_xclient_t self }:x_client *; -+allow xserver_unconfined_type { x_domain x_server_domain self }:x_device *; ++allow xserver_unconfined_type { x_domain x_server_domain self }:x_device ~{ read }; +allow xserver_unconfined_type xextension_type:x_extension *; +allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *; +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -27984,7 +28168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-02-26 17:21:16.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-02-27 16:50:07.000000000 -0500 @@ -6,35 +6,67 @@ # Declarations # @@ -28068,7 +28252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -51,13 +86,25 @@ +@@ -51,14 +86,23 @@ userdom_priveleged_home_dir_manager(unconfined_t) optional_policy(` 
@@ -28090,13 +28274,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - apache_per_role_template(unconfined, unconfined_t, unconfined_r) +- apache_per_role_template(unconfined, unconfined_t, unconfined_r) - # this is disallowed usage: -+ # this is dissallowed usage: - unconfined_domain(httpd_unconfined_script_t) +- unconfined_domain(httpd_unconfined_script_t) ') -@@ -69,11 +116,11 @@ + optional_policy(` +@@ -69,11 +113,11 @@ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') @@ -28113,7 +28297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` init_dbus_chat_script(unconfined_t) -@@ -101,12 +148,24 @@ +@@ -101,12 +145,24 @@ ') optional_policy(` @@ -28138,7 +28322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +177,7 @@ +@@ -118,11 +174,7 @@ ') optional_policy(` @@ -28151,7 +28335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +189,6 @@ +@@ -134,14 +186,6 @@ ') optional_policy(` @@ -28166,7 +28350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +201,37 @@ +@@ -154,38 +198,37 @@ ') optional_policy(` @@ -28219,7 +28403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +251,30 @@ +@@ -205,11 +248,30 @@ ') optional_policy(` @@ -28252,7 +28436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +284,34 @@ +@@ -219,14 +281,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
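Review bot: Reading the `+-` lines, the patch now deletes `apache_per_role_template(unconfined, unconfined_t, unconfined_r)` and `unconfined_domain(httpd_unconfined_script_t)` from unconfined.te while `apache_run_helper(...)` stays in the same optional_policy block. Nothing in view replaces the `unconfined_domain` call, so unless the userdomain template that now instantiates apache_per_role_template with `$1_usertype` grants it, httpd_unconfined_script_t changes from an unconfined to a confined domain. That is a behaviour change (a safer one) that the commit message should name instead of leaving to inference; the `# this is disallowed usage:` comment that explained the old rule is dropped with it. If the call is still wanted it belongs next to the new template instantiation rather than here; the optional_policy block starts and ends outside this hunk.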
@@ -28307,7 +28491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-02-27 13:18:26.000000000 -0500 @@ -29,9 +29,14 @@ ') @@ -29322,13 +29506,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1100,21 @@ +@@ -1091,32 +1100,25 @@ selinux_get_enforce_mode($1_t) optional_policy(` - alsa_read_rw_config($1_t) -- ') -- ++ alsa_read_rw_config($1_usertype) + ') + - optional_policy(` - dbus_per_role_template($1, $1_t, $1_r) - dbus_system_bus_client_template($1, $1_t) @@ -29340,11 +29525,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - optional_policy(` - cups_dbus_chat($1_t) - ') -+ alsa_read_rw_config($1_usertype) - ') - -- optional_policy(` -- java_per_role_template($1, $1_t, $1_r) - ') + # Broken Cover up bugzilla #345921 Should be removed when this is fixed + corenet_tcp_connect_soundd_port($1_t) @@ -29353,6 +29533,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + corenet_tcp_sendrecv_lo_node($1_t) optional_policy(` +- java_per_role_template($1, $1_t, $1_r) ++ apache_per_role_template($1, $1_usertype, $1_r) + ') + + optional_policy(` - mono_per_role_template($1, $1_t, $1_r) + nsplugin_per_role_template($1, $1_usertype, $1_r) ') 
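Review bot: `apache_per_role_template($1, $1_usertype, $1_r)` is instantiated here for every user domain built from this template, inside a bare optional_policy block with no tunable, so each role gains a per-role httpd script domain whether or not it ever serves content; `nsplugin_per_role_template($1, $1_usertype, $1_r)` just below has the same shape. `alsa_read_rw_config($1_usertype)` likewise widens from `$1_t` to the whole usertype attribute, while the commit message only asks for nsplugin_t to read alsa config — if that is the single consumer, calling the interface from nsplugin.te keeps the grant narrow. I would at least add a comment on the apache block, e.g. `# per-role httpd script domain (user content); applied to every user role`, and state in the commit message that the template is now applied to all roles. The template this hunk edits starts before the hunk and continues after it.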
@@ -29363,7 +29548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1125,10 @@ +@@ -1127,10 +1129,10 @@ ## ## ##

@@ -29378,7 +29563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1193,12 +1191,11 @@ +@@ -1193,12 +1195,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -29393,7 +29578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1204,23 @@ +@@ -1207,7 +1208,23 @@ ') optional_policy(` @@ -29418,7 +29603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1297,6 @@ +@@ -1284,8 +1301,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -29427,7 +29612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1363,13 +1374,6 @@ +@@ -1363,13 +1378,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29441,7 +29626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1426,7 @@ +@@ -1422,6 +1430,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29449,7 +29634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1792,14 @@ +@@ -1787,10 +1796,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -29465,7 +29650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1895,11 @@ +@@ -1886,11 +1899,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` 
@@ -29479,7 +29664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1929,11 @@ +@@ -1920,11 +1933,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -29493,7 +29678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1977,12 @@ +@@ -1968,12 +1981,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -29509,7 +29694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2012,10 @@ +@@ -2003,10 +2016,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -29522,7 +29707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2047,47 @@ +@@ -2038,11 +2051,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -29572,7 +29757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2119,10 @@ +@@ -2074,10 +2123,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -29585,7 +29770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2152,11 @@ +@@ -2107,11 +2156,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -29599,7 +29784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2186,11 @@ +@@ -2141,11 +2190,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -29614,7 +29799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2220,14 @@ +@@ -2175,10 +2224,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -29631,7 +29816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2257,11 @@ +@@ -2208,11 +2261,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -29645,7 +29830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2291,11 @@ +@@ -2242,11 +2295,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -29659,7 +29844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2325,10 @@ +@@ -2276,10 +2329,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -29672,7 +29857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2360,12 @@ +@@ -2311,12 +2364,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -29688,7 +29873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2397,10 @@ +@@ -2348,10 +2401,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -29701,7 +29886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2432,12 @@ +@@ -2383,12 +2436,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` 
@@ -29717,7 +29902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2469,12 @@ +@@ -2420,12 +2473,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -29733,7 +29918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2506,12 @@ +@@ -2457,12 +2510,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -29749,7 +29934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2556,11 @@ +@@ -2507,11 +2560,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -29763,7 +29948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2605,11 @@ +@@ -2556,11 +2609,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -29777,7 +29962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2649,11 @@ +@@ -2600,11 +2653,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -29791,7 +29976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2683,11 @@ +@@ -2634,11 +2687,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -29805,7 +29990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2717,11 @@ +@@ -2668,11 +2721,11 @@ # template(`userdom_list_user_tmp',` gen_require(` 
@@ -29819,7 +30004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2753,10 @@ +@@ -2704,10 +2757,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -29832,7 +30017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2788,10 @@ +@@ -2739,10 +2792,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -29845,7 +30030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2821,12 @@ +@@ -2772,12 +2825,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -29861,7 +30046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2858,10 @@ +@@ -2809,10 +2862,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -29874,7 +30059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2893,48 @@ +@@ -2844,10 +2897,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -29925,7 +30110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2964,12 @@ +@@ -2877,12 +2968,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -29941,7 +30126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3001,10 @@ +@@ -2914,10 +3005,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` 
@@ -29954,7 +30139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3036,12 @@ +@@ -2949,12 +3040,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -29970,7 +30155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3073,11 @@ +@@ -2986,11 +3077,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -29984,7 +30169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3109,11 @@ +@@ -3022,11 +3113,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -29998,7 +30183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3145,11 @@ +@@ -3058,11 +3149,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -30012,7 +30197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3181,11 @@ +@@ -3094,11 +3185,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -30026,7 +30211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3217,11 @@ +@@ -3130,11 +3221,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -30040,7 +30225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3266,10 @@ +@@ -3179,10 +3270,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` 
@@ -30053,7 +30238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3310,10 @@ +@@ -3223,10 +3314,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -30066,7 +30251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3341,42 @@ +@@ -3254,6 +3345,42 @@ ## ## # @@ -30109,7 +30294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4231,11 +4354,11 @@ +@@ -4231,11 +4358,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -30123,7 +30308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4374,10 @@ +@@ -4251,10 +4378,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -30136,7 +30321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4393,11 @@ +@@ -4270,11 +4397,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -30150,7 +30335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4412,16 @@ +@@ -4289,16 +4416,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -30170,7 +30355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4430,27 @@ +@@ -4307,12 +4434,27 @@ ## ## # @@ -30201,7 +30386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4465,13 @@ +@@ -4327,13 +4469,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` 
@@ -30219,7 +30404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4669,10 @@ +@@ -4531,10 +4673,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -30232,7 +30417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4689,10 @@ +@@ -4551,10 +4693,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -30245,7 +30430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4707,10 @@ +@@ -4569,10 +4711,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -30258,7 +30443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4726,10 @@ +@@ -4588,10 +4730,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -30271,7 +30456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4744,10 @@ +@@ -4606,10 +4748,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -30284,7 +30469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4763,10 @@ +@@ -4625,10 +4767,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -30297,7 +30482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4782,11 @@ +@@ -4644,12 +4786,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` 
@@ -30313,7 +30498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4813,10 @@ +@@ -4676,10 +4817,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -30326,7 +30511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4831,10 @@ +@@ -4694,10 +4835,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -30339,7 +30524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4849,13 @@ +@@ -4712,13 +4853,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -30357,7 +30542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4891,49 @@ +@@ -4754,11 +4895,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -30408,7 +30593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +4953,14 @@ +@@ -4778,6 +4957,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -30423,7 +30608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5022,26 @@ +@@ -4839,6 +5026,26 @@ ######################################## ##

@@ -30450,7 +30635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5062,25 @@ +@@ -4859,6 +5066,25 @@ ######################################## ## @@ -30476,7 +30661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5101,26 @@ +@@ -4879,6 +5105,26 @@ ######################################## ## @@ -30503,7 +30688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5357,7 @@ +@@ -5115,7 +5361,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -30512,7 +30697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5546,50 @@ +@@ -5304,6 +5550,50 @@ ######################################## ## @@ -30563,7 +30748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5795,42 @@ +@@ -5509,6 +5799,42 @@ ######################################## ## @@ -30606,7 +30791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5674,6 +5996,42 @@ +@@ -5674,6 +6000,42 @@ ######################################## ## @@ -30649,7 +30834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6062,368 @@ +@@ -5704,3 +6066,368 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 28d5c2a..5874469 100644 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,11 @@ exit 0
 %endif
 %changelog
+* Tue Feb 26 2008 Dan Walsh 3.3.1-5
+- Allow nsplugin_config execstack/execmem
+- Allow nsplugin_t to read alsa config
+- Change apache to use user content
+
 * Tue Feb 26 2008 Dan Walsh 3.3.1-4
 - Add cyphesis policy