From af0cf6e4168e280e73d3c484467314cdb9bca244 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 13 2008 18:39:06 +0000
Subject: - Allow ifconfig_t to read dhcpc_state_t
---
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 54e9f47..0da3334 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -79,16 +79,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.4/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.4/config/appconfig-mcs/default_contexts 2008-08-11 16:39:48.000000000 -0400 -@@ -2,7 +2,7 @@ - system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 - system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 - system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 ++++ serefpolicy-3.5.4/config/appconfig-mcs/default_contexts 2008-08-13 13:51:31.000000000 -0400 +@@ -1,15 +0,0 @@ +-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 +-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 +-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 -+system_r:sulogin_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 - system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 - - staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +- +-staff_r:staff_su_t:s0 user_r:user_t:s0 
staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +- +-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 +- +-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.4/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.5.4/config/appconfig-mcs/failsafe_context 2008-08-11 16:39:48.000000000 -0400 
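Review bot: The new inner hunk `@@ -1,15 +0,0 @@` for config/appconfig-mcs/default_contexts removes all fifteen entries, leaving the global fallback list empty, and nothing in the patch says why. An SELinux user without its own `*_default_contexts` file would presumably fall through to failsafe_context, which the next section of this patch appears to set to `system_r:unconfined_t:s0`. If the per-user files are meant to replace the global list, I would keep the file with a one-line comment such as `# intentionally empty: per-user *_default_contexts files are authoritative`. It is also worth confirming that every SELinux user defined in the policy ships such a file.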
@@ -97,12 +104,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.4/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.4/config/appconfig-mcs/guest_u_default_contexts 2008-08-11 16:39:48.000000000 -0400 -@@ -0,0 +1,4 @@ ++++ serefpolicy-3.5.4/config/appconfig-mcs/guest_u_default_contexts 2008-08-13 13:52:31.000000000 -0400 +@@ -0,0 +1,6 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 ++system_r:initrc_su_t:s0 guest_r:guest_t:s0 ++guest_r:guest_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.4/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.5.4/config/appconfig-mcs/root_default_contexts 2008-08-11 16:39:48.000000000 -0400 
@@ -119,6 +128,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.5.4/config/appconfig-mcs/seusers +--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.4/config/appconfig-mcs/seusers 2008-08-13 13:53:52.000000000 -0400 +@@ -1,3 +1,3 @@ + system_u:system_u:s0-mcs_systemhigh +-root:root:s0-mcs_systemhigh +-__default__:user_u:s0 ++root:unconfined_u:s0-mcs_systemhigh ++__default__:unconfined_u:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.4/config/appconfig-mcs/staff_u_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.4/config/appconfig-mcs/staff_u_default_contexts 2008-08-13 13:52:19.000000000 -0400 +@@ -5,6 +5,8 @@ + system_r:xdm_t:s0 staff_r:staff_t:s0 + staff_r:staff_su_t:s0 staff_r:staff_t:s0 + staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 ++system_r:initrc_su_t:s0 staff_r:staff_t:s0 ++staff_r:staff_t:s0 staff_r:staff_t:s0 + sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 + sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.4/config/appconfig-mcs/unconfined_u_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.4/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-13 13:52:08.000000000 -0400 +@@ -6,4 +6,6 @@ + system_r:sshd_t:s0 
unconfined_r:unconfined_t:s0 + system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 + system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 ++system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 ++unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 + system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.4/config/appconfig-mcs/user_u_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.5.4/config/appconfig-mcs/user_u_default_contexts 2008-08-13 13:53:05.000000000 -0400 +@@ -5,4 +5,5 @@ + system_r:xdm_t:s0 user_r:user_t:s0 + user_r:user_su_t:s0 user_r:user_t:s0 + user_r:user_sudo_t:s0 user_r:user_t:s0 +- ++system_r:initrc_su_t:s0 user_r:user_t:s0 ++user_r:user_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.4/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.5.4/config/appconfig-mcs/userhelper_context 2008-08-11 16:39:48.000000000 -0400 
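Review bot: The seusers section now maps both `root` and `__default__` to `unconfined_u`, so every login without an explicit mapping starts unconfined, yet the commit subject mentions only ifconfig_t and dhcpc_state_t. The file lives under config/appconfig-mcs, so if that tree is shared by more than one policy type built from this package the new default would apply there too; that should be confirmed. I would record the change in the changelog, e.g. `- Map root and __default__ to unconfined_u in seusers`. The same hunk adds `system_r:initrc_su_t:s0` and self-transition entries to the staff_u, unconfined_u and user_u context files, and the guest_u and xguest_u hunks do likewise; these deserve a changelog line as well.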
@@ -127,13 +177,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.4/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.4/config/appconfig-mcs/xguest_u_default_contexts 2008-08-11 16:39:48.000000000 -0400 -@@ -0,0 +1,5 @@ ++++ serefpolicy-3.5.4/config/appconfig-mcs/xguest_u_default_contexts 2008-08-13 13:52:27.000000000 -0400 +@@ -0,0 +1,7 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 +system_r:sshd_t xguest_r:xguest_t:s0 +system_r:crond_t xguest_r:xguest_crond_t:s0 +system_r:xdm_t xguest_r:xguest_t:s0 ++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 ++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.4/config/appconfig-mls/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.4/config/appconfig-mls/guest_u_default_contexts 2008-08-11 16:39:48.000000000 -0400 @@ -1421,7 +1473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol usermanage_domtrans_useradd(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.4/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/admin/su.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/admin/su.if 2008-08-12 17:04:57.000000000 -0400 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; 
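Review bot: The two entries added to xguest_u_default_contexts carry a level on the from-context (`system_r:initrc_su_t:s0`, `xguest_r:xguest_t:s0`), while the five existing entries in the same file omit it (`system_r:local_login_t`, `system_r:sshd_t` and so on). The guest_u file in the earlier hunk uses `:s0` on every line. I would make the file uniform, e.g. `system_r:local_login_t:s0 xguest_r:xguest_t:s0`, unless the level-less form is deliberate, in which case a comment should say so.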
@@ -1440,7 +1492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($2, su_exec_t, $1_su_t) # By default, revert to the calling domain when a shell is executed. -@@ -89,6 +87,7 @@ +@@ -89,28 +87,24 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) 
@@ -1448,30 +1500,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_su_t) miscfiles_read_localization($1_su_t) -@@ -112,6 +111,10 @@ - userdom_spec_domtrans_unpriv_users($1_su_t) - ') +- ifdef(`distro_rhel4',` +- domain_role_change_exemption($1_su_t) +- domain_subj_id_change_exemption($1_su_t) +- domain_obj_id_change_exemption($1_su_t) +- +- selinux_get_fs_mount($1_su_t) +- selinux_validate_context($1_su_t) +- selinux_compute_access_vector($1_su_t) +- selinux_compute_create_context($1_su_t) +- selinux_compute_relabel_context($1_su_t) +- selinux_compute_user_contexts($1_su_t) ++ auth_login_pgm_domain($1_su_t) + + seutil_read_config($1_su_t) + seutil_read_default_contexts($1_su_t) + + # Only allow transitions to unprivileged user domains. + userdom_spec_domtrans_unpriv_users($1_su_t) +- ') ++ + # Deal with unconfined_terminals. + term_use_all_user_ttys($1_su_t) + term_use_all_user_ptys($1_su_t) -+ ++ term_relabel_all_user_ttys($1_su_t) ++ term_relabel_all_user_ptys($1_su_t) + optional_policy(` cron_read_pipes($1_su_t) - ') -@@ -119,11 +122,6 @@ - optional_policy(` +@@ -120,10 +114,17 @@ kerberos_use($1_su_t) ') -- + - ifdef(`TODO',` - # Caused by su - init scripts - dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - ') dnl end TODO ++ optional_policy(` ++ xserver_domtrans_user_xauth($1, $1_su_t) ++ ') ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs($1_su_t) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs($1_su_t) ++ ') ') ####################################### -@@ -172,14 +170,14 @@ +@@ -172,14 +173,14 @@ domain_interactive_fd($1_su_t) role $3 types $1_su_t; 
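Review bot: `term_relabel_all_user_ttys($1_su_t)` and `term_relabel_all_user_ptys($1_su_t)` are added under a comment that says only `# Deal with unconfined_terminals.`, which does not explain why relabel access is needed on top of the existing use access. Together with `auth_login_pgm_domain($1_su_t)` replacing the `distro_rhel4` block, this widens what every su domain built from this template may do. The comment should name the terminal types that actually require relabelling, for example `# relabel is needed for terminals owned by unconfined users; narrow to that type if possible`, if that is indeed the reason. The template begins and ends outside this hunk, so it is not visible whether a narrower terminal interface is already called elsewhere in it.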
@@ -1490,7 +1570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Transition from the user domain to this domain. domtrans_pattern($2, su_exec_t, $1_su_t) -@@ -188,7 +186,7 @@ +@@ -188,7 +189,7 @@ corecmd_shell_domtrans($1_su_t, $2) allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; @@ -1499,7 +1579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) -@@ -203,15 +201,15 @@ +@@ -203,15 +204,15 @@ # needed for pam_rootok selinux_compute_access_vector($1_su_t) @@ -1518,7 +1598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) -@@ -226,12 +224,14 @@ +@@ -226,12 +227,14 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) @@ -1534,7 +1614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) -@@ -295,13 +295,7 @@ +@@ -295,13 +298,7 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') @@ -2037,7 +2117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.4/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/apps/gnome.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/apps/gnome.if 2008-08-13 13:39:13.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; 
@@ -2082,15 +2162,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1_gconfd_t $2:unix_stream_socket connectto; + manage_dirs_pattern($1_gconfd_t, gconf_home_t, gconf_home_t) + manage_files_pattern($1_gconfd_t, gconf_home_t, gconf_home_t) - -- allow $1_gconfd_t gconf_etc_t:dir list_dir_perms; -- read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t) ++ + manage_dirs_pattern($1_gconfd_t, gconf_tmp_t, gconf_tmp_t) + manage_files_pattern($1_gconfd_t, gconf_tmp_t, gconf_tmp_t) + userdom_user_home_dir_filetrans($1, $1_gconfd_t, gconf_home_t, dir) + userdom_user_tmp_filetrans($1, $1_gconfd_t, gconf_tmp_t, { dir file }) + userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t, dir) -+ + +- allow $1_gconfd_t gconf_etc_t:dir list_dir_perms; +- read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t) + domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t) + allow $1_gconfd_t $2:unix_stream_socket connectto; + allow $2 $1_gconfd_t:unix_stream_socket connectto; @@ -2175,14 +2255,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -169,6 +186,30 @@ +@@ -169,7 +186,7 @@ ######################################## ##

+-## manage gnome homedir content (.config) +## read gnome homedir content (.config) + ## + ## + ## +@@ -183,11 +200,71 @@ + ## + ## + # ++template(`gnome_read_gnome_config',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ read_files_pattern($2, gnome_home_t, gnome_home_t) ++') ++ ++######################################## ++## ++## manage gnome homedir content (.config) +## +## -+## ++## nn +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## @@ -2193,21 +2292,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`gnome_read_gnome_config',` -+ gen_require(` -+ type gnome_home_t; -+ ') -+ -+ read_files_pattern($2, gnome_home_t, gnome_home_t) -+') -+ -+######################################## -+## - ## manage gnome homedir content (.config) - ## - ## -@@ -185,9 +226,29 @@ - # template(`gnome_manage_user_gnome_config',` gen_require(` - type $1_gnome_home_t; @@ -2232,13 +2316,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; ++ ') ++ ++ can_exec($1, gconfd_exec_t) ++') ++######################################## ++## ++## Read gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ') - allow $2 $1_gnome_home_t:dir manage_dir_perms; - allow $2 $1_gnome_home_t:file manage_file_perms; -+ can_exec($1, gconfd_exec_t) ++ read_files_pattern($1, gconf_home_t, gconf_home_t) ') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.4/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-08-07 11:15:03.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/apps/gnome.te 2008-08-11 16:39:48.000000000 -0400 
@@ -4498,8 +4598,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.4/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.4/policy/modules/apps/nsplugin.te 2008-08-11 16:39:48.000000000 -0400 -@@ -0,0 +1,217 @@ ++++ serefpolicy-3.5.4/policy/modules/apps/nsplugin.te 2008-08-13 13:27:02.000000000 -0400 +@@ -0,0 +1,218 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4579,6 +4679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_write_sound(nsplugin_t) +dev_read_video_dev(nsplugin_t) +dev_write_video_dev(nsplugin_t) ++dev_getattr_dri_dev(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) @@ -6166,7 +6267,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.4/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/kernel/devices.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/kernel/devices.if 2008-08-13 13:24:17.000000000 -0400 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) 
@@ -8347,7 +8448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.4/policy/modules/roles/unprivuser.if --- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/roles/unprivuser.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/roles/unprivuser.if 2008-08-13 13:23:06.000000000 -0400 @@ -62,6 +62,26 @@ files_home_filetrans($1, user_home_dir_t, dir) ') @@ -11902,7 +12003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.4/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/bluetooth.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/bluetooth.te 2008-08-12 16:11:27.000000000 -0400 @@ -32,19 +32,22 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) @@ -13489,7 +13590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/cups.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/cups.te 2008-08-12 13:58:26.000000000 -0400 @@ -48,6 +48,9 @@ type hplip_t; type hplip_exec_t; 
@@ -13525,7 +13626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr/lib/cups/backend/serial needs sys_admin(?!) -allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; -+allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config }; ++allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { setsched signal_perms }; -allow cupsd_t self:fifo_file rw_file_perms; @@ -13547,7 +13648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -@@ -116,6 +133,13 @@ +@@ -116,13 +133,19 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) 
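Review bot: In the rewritten `allow cupsd_t self:capability { ... }` line of hunk `@@ -13525,7 +13626,7 @@`, `dac_override` is listed twice and `sys_rawio` is granted with no explanation. `sys_admin` at least has the `/usr/lib/cups/backend/serial needs sys_admin(?!)` comment above it. Both are broad capabilities for a domain that also holds `net_bind_service` and binds reserved TCP ports. I would drop the duplicate `dac_override` and add a comment naming what needs raw I/O, e.g. `# sys_rawio: required by <backend or device>`.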
@@ -13561,15 +13662,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t cupsd_var_run_t:dir setattr; manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -@@ -123,6 +147,7 @@ - - read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) + files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) +- +allow cupsd_t hplip_t:process sigkill; allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,32 +174,35 @@ +@@ -149,32 +172,35 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -13609,7 +13710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) -@@ -186,7 +214,7 @@ +@@ -186,7 +212,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -13618,7 +13719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +223,16 @@ +@@ -195,15 +221,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -13639,7 +13740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +248,22 @@ +@@ -219,17 +246,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) 
@@ -13664,7 +13765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -242,12 +276,21 @@ +@@ -242,12 +274,21 @@ optional_policy(` dbus_system_bus_client_template(cupsd, cupsd_t) @@ -13686,7 +13787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -263,6 +306,10 @@ +@@ -263,6 +304,10 @@ ') optional_policy(` @@ -13697,7 +13798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -326,6 +373,7 @@ +@@ -326,6 +371,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -13705,7 +13806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -353,6 +401,7 @@ +@@ -353,6 +399,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -13713,7 +13814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -373,6 +422,10 @@ +@@ -373,6 +420,10 @@ ') optional_policy(` @@ -13724,7 +13825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -388,6 +441,7 @@ +@@ -388,6 +439,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -13732,7 +13833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -500,7 +554,7 @@ +@@ -500,7 +552,7 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; 
@@ -13741,6 +13842,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) +@@ -509,6 +561,8 @@ + read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) + files_search_etc(hplip_t) + ++read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++ + manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) + files_pid_filetrans(hplip_t, hplip_var_run_t, file) + @@ -538,7 +592,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) @@ -14206,7 +14316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.4/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/dbus.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/dbus.if 2008-08-13 14:33:26.000000000 -0400 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -14304,21 +14414,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default($1_dbusd_t) files_read_default_files($1_dbusd_t) -@@ -180,8 +195,13 @@ +@@ -180,8 +195,15 @@ ') optional_policy(` + gnome_read_gnome_config($1, $1_dbusd_t) ++ gnome_read_gconf_home_files($1_dbusd_t) + ') + + optional_policy(` xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) + xserver_dontaudit_xdm_lib_search($1_dbusd_t) ++ xserver_rw_xdm_home_files',` ') ') -@@ -207,14 +227,12 @@ +@@ -207,14 +229,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; 
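Review bot: The line added after `xserver_dontaudit_xdm_lib_search($1_dbusd_t)` in the dbus.if section (hunk `@@ -14304,21 +14414,23 @@`) is not a call. It is the bare name xserver_rw_xdm_home_files followed by a closing m4 quote, a comma and an opening quote, with no argument list. As written it ends the first argument of `optional_policy` early and leaves a bare identifier in the block, so the intended rule is presumably either rejected at build time or never emitted. Judging by the neighbouring calls, the intended line is `xserver_rw_xdm_home_files($1_dbusd_t)`; the interface's definition is not visible here, so its argument list should be checked against xserver.if.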
@@ -14336,7 +14448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -223,6 +241,10 @@ +@@ -223,6 +243,10 @@ files_search_pids($2) stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($2) @@ -14347,7 +14459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -251,18 +273,16 @@ +@@ -251,18 +275,16 @@ template(`dbus_user_bus_client_template',` gen_require(` type $1_dbusd_t; @@ -14368,7 +14480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -292,6 +312,55 @@ +@@ -292,6 +314,55 @@ ######################################## ## @@ -14424,7 +14536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read dbus configuration. ## ## -@@ -366,3 +435,75 @@ +@@ -366,3 +437,75 @@ allow $1 system_dbusd_t:dbus *; ') @@ -14502,7 +14614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.4/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/dbus.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/dbus.te 2008-08-13 14:33:09.000000000 -0400 @@ -9,9 +9,10 @@ # # Delcarations 
@@ -15763,7 +15875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.4/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/exim.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/exim.te 2008-08-13 13:26:25.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) @@ -15843,7 +15955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(exim_t) auth_use_nsswitch(exim_t) -@@ -99,23 +122,85 @@ +@@ -99,23 +122,86 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) @@ -15851,6 +15963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -sysnet_dns_name_resolve(exim_t) +fs_getattr_xattr_fs(exim_t) ++fs_list_inotifyfs(exim_t) unprivuser_dontaudit_search_home_dirs(exim_t) @@ -17886,7 +17999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.4/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/mta.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/mta.if 2008-08-12 12:19:16.000000000 -0400 @@ -133,6 +133,15 @@ sendmail_create_log($1_mail_t) ') 
@@ -22533,6 +22646,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_use_unpriv_users_fds(remote_login_t)
 userdom_search_all_users_home_content(remote_login_t)
 # Only permit unprivileged user domains to be entered via rlogin,
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.4/policy/modules/services/ricci.te
+--- nsaserefpolicy/policy/modules/services/ricci.te 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.5.4/policy/modules/services/ricci.te 2008-08-13 10:14:21.000000000 -0400
+@@ -205,7 +205,7 @@
+ corecmd_exec_shell(ricci_modcluster_t)
+ corecmd_exec_bin(ricci_modcluster_t)
+ 
+-domain_dontaudit_read_all_domains_state(ricci_modcluster_t)
++domain_read_all_domains_state(ricci_modcluster_t)
+ 
+ files_search_locks(ricci_modcluster_t)
+ files_read_etc_runtime_files(ricci_modcluster_t)
+@@ -293,7 +293,7 @@
+ corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
+ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+ 
+-domain_dontaudit_read_all_domains_state(ricci_modclusterd_t)
++domain_read_all_domains_state(ricci_modclusterd_t)
+ 
+ files_read_etc_files(ricci_modclusterd_t)
+ files_read_etc_runtime_files(ricci_modclusterd_t)
+@@ -337,7 +337,7 @@
+ 
+ corecmd_exec_bin(ricci_modlog_t)
+ 
+-domain_dontaudit_read_all_domains_state(ricci_modlog_t)
++domain_read_all_domains_state(ricci_modlog_t)
+ 
+ files_read_etc_files(ricci_modlog_t)
+ files_search_usr(ricci_modlog_t)
+@@ -450,7 +450,7 @@
+ dev_read_urand(ricci_modstorage_t)
+ dev_manage_generic_blk_files(ricci_modstorage_t)
+ 
+-domain_dontaudit_read_all_domains_state(ricci_modstorage_t)
++domain_read_all_domains_state(ricci_modstorage_t)
+ 
+ #Needed for editing /etc/fstab
+ files_manage_etc_files(ricci_modstorage_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.4/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/services/rlogin.te 2008-08-11 16:39:48.000000000 -0400 @@ -23443,7 +23595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/samba.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/samba.te 2008-08-13 14:00:13.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -23731,25 +23883,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -790,6 +860,14 @@ +@@ -790,6 +860,16 @@ # optional_policy(` + type samba_unconfined_net_t; + domain_type(samba_unconfined_net_t) -+ unconfined_domain(samba_unconfined_net_t) + role system_r types samba_unconfined_net_t; + ++ unconfined_domain(samba_unconfined_net_t) ++ + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) ++') + type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -806,3 +884,37 @@ +@@ -800,9 +880,46 @@ + allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; + allow smbd_t samba_unconfined_script_exec_t:file ioctl; + ++optional_policy(` + unconfined_domain(samba_unconfined_script_t) ++') + + tunable_policy(`samba_run_unconfined',` domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ++', ` ++ can_exec(smbd_t, samba_unconfined_script_exec_t) ') - ') +-') + +######################################## +# 
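Review bot: The four ricci.te changes (ricci_modcluster_t, ricci_modclusterd_t, ricci_modlog_t, ricci_modstorage_t) replace a silenced denial with a grant to read the process state of every domain, and nothing in the patch records which helper needs it. Please add a comment above each `domain_read_all_domains_state(...)` call naming the consumer, and confirm from the AVC records that all four domains hit the denial rather than only the one that was reported. If the helpers only look at a few specific daemons, a narrower read interface on those domains would keep the rest of /proc out of reach of the cluster management modules. The surrounding rule blocks start and end outside the hunks.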
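Review bot: In the samba.te hunk, samba_unconfined_net_t is declared an unconfined domain and is additionally given manage and file-transition rules on samba_secrets_t, yet nothing records which executable is meant to enter that domain; no entrypoint or transition into it is visible here. Add a comment above the type declaration naming the program, and check whether the explicit `manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)` is still needed once `unconfined_domain(samba_unconfined_net_t)` applies (the filetrans_pattern is a separate matter). The new else branch of the samba_run_unconfined tunable also deserves a line such as `# boolean off: scripts stay in smbd_t, no transition`.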
@@ -23989,7 +24153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.4/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/sendmail.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/sendmail.te 2008-08-12 10:19:44.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -24048,7 +24212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(sendmail_t) -@@ -91,27 +101,46 @@ +@@ -91,34 +101,54 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) @@ -24081,6 +24245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +- postfix_exec_master(sendmail_t) + cyrus_stream_connect(sendmail_t) + clamav_stream_connect(sendmail_t) +') @@ -24094,10 +24259,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` - postfix_exec_master(sendmail_t) ++ postfix_domtrans_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) -@@ -119,6 +148,7 @@ + ') optional_policy(` procmail_domtrans(sendmail_t) 
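Review bot: In the sendmail.te hunk, `cyrus_stream_connect(sendmail_t)` and `clamav_stream_connect(sendmail_t)` share one optional_policy block, and an optional block is dropped as a whole when any interface inside it is unavailable, so a system built without the clamav module would silently lose the cyrus rule as well (and the reverse). Close the block with `')` after the cyrus call and open a second optional_policy block for the clamav call, the way the patch already separates the postfix and procmail calls. This grouping is carried over from the previous revision of the patch as far as the collapsed text shows, so it may be worth fixing in the same pass as the `postfix_domtrans_master(sendmail_t)` change.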
@@ -25981,7 +26146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.4/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/ssh.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/ssh.if 2008-08-12 12:21:36.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -26132,6 +26297,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -710,3 +737,22 @@ + + dontaudit $1 sshd_key_t:file { getattr read }; + ') ++ ++####################################### ++## ++## Delete from the ssh temp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_delete_tmp',` ++ gen_require(` ++ type ssh_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ delete_files_pattern($1, ssh_tmp_t, ssh_tmp_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.4/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/services/ssh.te 2008-08-11 16:39:48.000000000 -0400 
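Review bot: The summary of the new ssh_delete_tmp interface in ssh.if, "Delete from the ssh temp files.", does not state what is granted. As written the body searches the generic tmp directory and applies `delete_files_pattern($1, ssh_tmp_t, ssh_tmp_t)`, which covers regular files only, so I would reword the summary to `## Delete ssh temporary files.` and add a line saying that directories and sockets of that type are not included. No caller of the interface is visible in this part of the patch; naming the intended caller in the changelog entry would make the grant reviewable.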
@@ -26726,8 +26914,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_certs(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.4/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/xserver.fc 2008-08-11 16:39:48.000000000 -0400 -@@ -1,13 +1,14 @@ ++++ serefpolicy-3.5.4/policy/modules/services/xserver.fc 2008-08-13 13:09:52.000000000 -0400 +@@ -1,13 +1,15 @@ # # HOME_DIR # @@ -26746,10 +26934,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) # # /dev -@@ -32,11 +33,6 @@ +@@ -32,11 +34,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -26761,7 +26950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -58,7 +54,8 @@ +@@ -58,7 +55,8 @@ # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -26771,7 +26960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +86,23 @@ +@@ -89,16 +87,23 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -26799,7 +26988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.4/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/xserver.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/xserver.if 2008-08-13 13:12:48.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -26989,23 +27178,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -@@ -389,11 +388,11 @@ +@@ -389,11 +388,8 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; -+ allow $2 xauth_home_t:file manage_file_perms; -+ allow $2 xauth_home_t:file { relabelfrom relabelto }; - +- - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file) -+ allow xdm_t xauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1, xdm_t, xauth_home_t, file) ++ allow $2 xauth_home_t:file manage_file_perms; ++ allow $2 xauth_home_t:file { relabelfrom relabelto }; domain_use_interactive_fds($1_xauth_t) -@@ -435,16 +434,16 @@ +@@ -435,16 +431,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -27027,7 +27214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints($1_iceauth_t) -@@ -467,34 +466,12 @@ +@@ -467,34 +463,12 @@ # # Device rules 
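Review bot: After the xserver.if hunk at -389,11 the per-user xauth template no longer gives xdm_t manage access to xauth_home_t nor a home-directory type transition to it, while the xserver.te hunk further down adds `unprivuser_home_dir_filetrans(xdm_t, xdm_home_t, file)`. If xdm_t still creates ~/.Xauthority itself, that file would presumably now be created as xdm_home_t, and no rule visible here lets the xauth domains or X clients read that type. Please confirm which process creates the authority file after this change, and if it is xdm_t, keep an explicit rule for xauth_home_t rather than relying on a later relabel. The template body starts and ends outside the hunk.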
@@ -27064,7 +27251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create write append }; -@@ -610,7 +587,7 @@ +@@ -610,7 +584,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; @@ -27073,7 +27260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $2 self:shm create_shm_perms; -@@ -618,8 +595,8 @@ +@@ -618,8 +592,8 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -27084,7 +27271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,11 +620,80 @@ +@@ -643,13 +617,175 @@ xserver_read_xdm_tmp_files($2) @@ -27166,13 +27353,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + # setattr: metacity X11:InstallColormap + allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; - ') - - ####################################### -@@ -662,6 +708,99 @@ - ## is the prefix for user_t). - ## - ## ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## +## Client domain allowed access. 
@@ -27251,25 +27445,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# xserver_use($1, $1, $2) + xserver_use(xdm, $1, $2) -+') -+ + ') + + -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## - ## - ## - ## The prefix of the X client domain (e.g., user -@@ -676,7 +815,7 @@ + ####################################### + ## + ## Interface to provide X object permissions on a given X server to +@@ -676,7 +812,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -27278,7 +27460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -685,7 +824,6 @@ +@@ -685,7 +821,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -27286,7 +27468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -709,20 +847,22 @@ +@@ -709,20 +844,22 @@ # Declarations # @@ -27312,7 +27494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -740,7 +880,7 @@ +@@ -740,7 +877,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels 
@@ -27321,7 +27503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -749,7 +889,7 @@ +@@ -749,7 +886,7 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -27330,7 +27512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Protocol Extensions allow $3 std_xext_t:x_extension { query use }; -@@ -758,27 +898,17 @@ +@@ -758,27 +895,17 @@ # X Properties # can read and write client properties @@ -27363,7 +27545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Input # can receive own events -@@ -805,6 +935,12 @@ +@@ -805,6 +932,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; @@ -27376,7 +27558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -813,13 +949,15 @@ +@@ -813,13 +946,15 @@ # Other X Objects # can create and use cursors @@ -27396,7 +27578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +1017,17 @@ +@@ -879,17 +1014,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -27421,7 +27603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -916,11 +1054,9 @@ +@@ -916,11 +1051,9 @@ # X object manager xserver_common_x_domain_template($1, $2, $3) 
@@ -27436,7 +27618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -952,26 +1088,43 @@ +@@ -952,26 +1085,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -27487,7 +27669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -1005,6 +1158,73 @@ +@@ -1005,6 +1155,73 @@ ######################################## ## @@ -27561,7 +27743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -1030,10 +1250,10 @@ +@@ -1030,10 +1247,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -27574,7 +27756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1219,6 +1439,25 @@ +@@ -1219,6 +1436,25 @@ ######################################## ## @@ -27600,7 +27782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1512,7 @@ +@@ -1273,6 +1509,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -27608,7 +27790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,7 +1531,7 @@ +@@ -1291,7 +1528,7 @@ ') files_search_pids($1) @@ -27617,7 +27799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1314,6 +1554,24 @@ +@@ -1314,6 +1551,24 @@ ######################################## ## 
@@ -27642,7 +27824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1582,47 @@ +@@ -1324,15 +1579,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -27691,7 +27873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1772,7 @@ +@@ -1482,7 +1769,7 @@ type xdm_xserver_tmp_t; ') @@ -27700,7 +27882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1674,6 +1964,65 @@ +@@ -1674,6 +1961,65 @@ ######################################## ## @@ -27766,7 +27948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1686,8 +2035,90 @@ +@@ -1686,8 +2032,108 @@ # interface(`xserver_unconfined',` gen_require(` 
@@ -27853,15 +28035,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`xserver_read_home_fonts',` + gen_require(` + type fonts_home_t; ++ ') ++ ++ read_files_pattern($1, fonts_home_t, fonts_home_t) ++ read_lnk_files_pattern($1, fonts_home_t, fonts_home_t) ++') ++ ++######################################## ++## ++## write to .xsession-errors file ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_rw_xdm_home_files',` ++ gen_require(` ++ type xdm_home_t; ') - typeattribute $1 xserver_unconfined_type; -+ read_files_pattern($1, fonts_home_t, fonts_home_t) -+ read_lnk_files_pattern($1, fonts_home_t, fonts_home_t) ++ allow $1 xdm_home_t:file rw_file_perms; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.4/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/services/xserver.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/services/xserver.te 2008-08-13 13:23:17.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -27921,7 +28121,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; -@@ -122,6 +144,27 @@ +@@ -107,6 +129,9 @@ + type xdm_tmpfs_t; + files_tmpfs_file(xdm_tmpfs_t) + ++type xdm_home_t; ++userdom_user_home_content(user, xdm_home_t) ++ + # type for /var/lib/xkb + type xkb_var_lib_t; + files_type(xkb_var_lib_t) +@@ -122,6 +147,27 @@ type xserver_log_t; logging_log_file(xserver_log_t) 
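Review bot: The documentation of the new xserver_rw_xdm_home_files interface contradicts its body: the parameter is described as "Domain to not audit", but the rule is `allow $1 xdm_home_t:file rw_file_perms;`, and the summary mentions only writing. Change the parameter text to `## Domain allowed access.` and the summary to `## Read and write xdm home files (.xsession-errors).` so that callers can see they are granting read access too. Since the callers added in init.if and init.te only need redirected output to land in the file, consider an append-only interface instead of rw_file_perms; .xsession-errors can contain output from every program in a user's session.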
@@ -27949,7 +28159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_common_domain_template(xdm) xserver_common_x_domain_template(xdm, xdm, xdm_t) init_system_domain(xdm_xserver_t, xserver_exec_t) -@@ -140,8 +183,9 @@ +@@ -140,8 +186,9 @@ # XDM Local policy # @@ -27961,16 +28171,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -154,6 +198,8 @@ +@@ -154,6 +201,12 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) ++ ++manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) ++unprivuser_home_dir_filetrans(xdm_t, xdm_home_t, file) ++#userdom_manage_user_home_content_files(user, xdm_t) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -169,6 +215,8 @@ +@@ -169,6 +222,8 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -27979,7 +28193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -176,15 +224,25 @@ +@@ -176,15 +231,25 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
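Review bot: The added line `#userdom_manage_user_home_content_files(user, xdm_t)` in the xdm_t local policy is dead text: the live call is removed in a later hunk of xserver.te, so the commented copy only invites someone to re-enable the broad home-directory grant. Drop the line, or replace it with a comment that states the intent, for example `# xdm_t manages only xdm_home_t (.xsession-errors) in user home directories`. The new `unprivuser_home_dir_filetrans(xdm_t, xdm_home_t, file)` rule would also benefit from a comment saying that every regular file xdm_t creates directly in a home directory receives this type.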
@@ -28007,7 +28221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -198,6 +256,7 @@ +@@ -198,6 +263,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -28015,7 +28229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) -@@ -229,6 +288,7 @@ +@@ -229,6 +295,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -28023,7 +28237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -241,6 +301,7 @@ +@@ -241,6 +308,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28031,7 +28245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -253,14 +314,17 @@ +@@ -253,14 +321,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -28051,7 +28265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -271,9 +335,13 @@ +@@ -271,9 +342,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -28065,7 +28279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +350,7 @@ +@@ -282,6 +357,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28073,7 +28287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -290,6 +359,7 @@ +@@ -290,6 +366,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -28081,7 +28295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -301,21 +371,26 @@ +@@ -301,21 +378,25 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -28099,7 +28313,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -userdom_read_unpriv_users_home_content_files(xdm_t) +unprivuser_read_home_content_files(xdm_t) +unprivuser_dontaudit_write_home_content_files(xdm_t) -+userdom_manage_user_home_content_files(user, xdm_t) + # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) @@ -28113,7 +28326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -348,10 +423,12 @@ +@@ -348,10 +429,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28126,7 +28339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -359,6 +436,22 @@ +@@ -359,6 +442,22 @@ ') optional_policy(` 
@@ -28149,7 +28362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +475,32 @@ +@@ -382,16 +481,32 @@ ') optional_policy(` @@ -28183,7 +28396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -427,7 +536,7 @@ +@@ -427,7 +542,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -28192,7 +28405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -439,6 +548,15 @@ +@@ -439,6 +554,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -28208,7 +28421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +568,19 @@ +@@ -450,10 +574,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -28229,7 +28442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,8 +595,19 @@ +@@ -468,8 +601,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) @@ -28249,7 +28462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` resmgr_stream_connect(xdm_t) -@@ -481,8 +619,25 @@ +@@ -481,8 +625,25 @@ ') optional_policy(` 
@@ -28277,7 +28490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_xserver_t self:process { execheap execmem }; -@@ -491,7 +646,6 @@ +@@ -491,7 +652,6 @@ ifdef(`distro_rhel4',` allow xdm_xserver_t self:process { execheap execmem }; ') @@ -28285,7 +28498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -544,3 +698,10 @@ +@@ -544,3 +704,10 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO @@ -28528,7 +28741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.4/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/system/authlogin.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/system/authlogin.if 2008-08-12 11:21:47.000000000 -0400 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -29018,8 +29231,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.4/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/system/init.if 2008-08-11 16:39:48.000000000 -0400 -@@ -211,6 +211,19 @@ ++++ serefpolicy-3.5.4/policy/modules/system/init.if 2008-08-13 13:14:34.000000000 -0400 +@@ -211,6 +211,23 @@ kernel_dontaudit_use_fds($1) ') ') 
@@ -29036,10 +29249,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + # these apps are often redirect output to random log files + logging_rw_all_logs($1) ++ ++ optional_policy(` ++ xserver_rw_xdm_home_files($1) ++ ') ') ######################################## -@@ -550,18 +563,19 @@ +@@ -550,18 +567,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -29063,29 +29280,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -577,19 +591,66 @@ +@@ -577,23 +595,70 @@ # interface(`init_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute initscript; -+ ') -+ -+ files_list_etc($1) + ') + + files_list_etc($1) +- domtrans_pattern($1,initrc_exec_t,initrc_t) + domtrans_pattern($1, initscript, initrc_t) -+ -+ ifdef(`enable_mcs',` + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; + range_transition $1 initscript:process s0; -+ ') -+ -+ ifdef(`enable_mls',` + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 initscript:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute init a specific script with an automatic domain transition. +## +## 
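Review bot: The `xserver_rw_xdm_home_files($1)` call added to this init.if interface gives every domain that uses the interface read and write access to xdm_home_t files, although the comment above it justifies the neighbouring rule only by output being redirected to log files. A redirected descriptor needs append at most, and the init.te hunk that adds `xserver_rw_xdm_home_files(daemon)` sits directly beside `logging_append_all_logs(daemon)`, which shows the tighter pattern. I would add and call an append-only interface in both places, so that a compromised daemon cannot read or rewrite a user's .xsession-errors. The interface this call lands in starts outside the hunk, so its name should be confirmed before editing.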
@@ -29097,19 +29317,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`init_script_domtrans_spec',` + gen_require(` + type initrc_t; - ') - - files_list_etc($1) -- domtrans_pattern($1,initrc_exec_t,initrc_t) ++ ') ++ ++ files_list_etc($1) + domtrans_pattern($1, $2, initrc_t) - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; ++ ++ ifdef(`enable_mcs',` + range_transition $1 $2:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ ') ++ ++ ifdef(`enable_mls',` + range_transition $1 $2:process s0 - mls_systemhigh; + ') +') @@ -29128,13 +29345,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -619,11 +680,11 @@ ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -619,11 +684,11 @@ # cjp: added for gentoo integrated run_init interface(`init_script_file_domtrans',` gen_require(` @@ -29148,7 +29369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -694,11 +755,11 @@ +@@ -694,11 +759,11 @@ # interface(`init_getattr_script_files',` gen_require(` @@ -29162,7 +29383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -713,11 +774,11 @@ +@@ -713,11 +778,11 @@ # interface(`init_exec_script_files',` gen_require(` @@ -29176,7 +29397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1040,11 +1101,11 @@ +@@ -1040,11 +1105,11 @@ # interface(`init_read_script_files',` gen_require(` 
@@ -29190,7 +29411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1107,6 +1168,25 @@ +@@ -1107,6 +1172,25 @@ ######################################## ## @@ -29216,7 +29437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1262,7 +1342,7 @@ +@@ -1262,7 +1346,7 @@ type initrc_var_run_t; ') @@ -29225,7 +29446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1318,3 +1398,113 @@ +@@ -1318,3 +1402,113 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -29341,7 +29562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.4/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/system/init.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/system/init.te 2008-08-13 13:14:39.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -29566,7 +29787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -793,3 +858,8 @@ +@@ -793,3 +858,11 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -29575,6 +29796,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +unprivuser_write_tmp_files(daemon) +logging_append_all_logs(daemon) + ++optional_policy(` ++ xserver_rw_xdm_home_files(daemon) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.5.4/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/system/iptables.if 2008-08-11 16:39:48.000000000 -0400 @@ -31901,7 +32125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.4/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/system/sysnetwork.te 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/system/sysnetwork.te 2008-08-12 11:25:04.000000000 -0400 @@ -20,6 +20,10 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -32022,7 +32246,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; -@@ -268,7 +275,10 @@ +@@ -262,13 +269,19 @@ + allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; + allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; + allow ifconfig_t self:tcp_socket { create ioctl }; ++ ++read_files_pattern(ifconfig_t,dhcpc_state_t,dhcpc_state_t) ++ + files_read_etc_files(ifconfig_t); + + kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) 
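Review bot: `read_files_pattern(ifconfig_t,dhcpc_state_t,dhcpc_state_t)` in the sysnetwork.te hunk at `@@ -32022,7 +32246,16 @@` is added without a comment, although the rule just above it has one (`# Create UDP sockets, necessary when called from dhcpc`). The reason ifconfig needs the DHCP client's state is therefore recorded only in the changelog. A line such as `# ifconfig reads dhcpc state files: <bug or denial reference>` above the rule would keep the grant auditable. The pattern covers only directories and files labelled `dhcpc_state_t`; whether `ifconfig_t` can already search the parent directory is not visible in this hunk and is worth confirming, since otherwise the read would still be denied. Keeping the grant read-only looks like the right scope, as this state is presumably derived from DHCP replies.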
@@ -32033,7 +32266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_rw_tun_tap_dev(ifconfig_t) -@@ -279,8 +289,11 @@ +@@ -279,8 +292,11 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -32045,7 +32278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(ifconfig_t) -@@ -320,11 +333,11 @@ +@@ -320,11 +336,11 @@ ') optional_policy(` @@ -32059,7 +32292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -336,6 +349,14 @@ +@@ -336,6 +352,14 @@ ') optional_policy(` @@ -32945,7 +33178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.4/policy/modules/system/userdomain.if 2008-08-11 16:39:48.000000000 -0400 ++++ serefpolicy-3.5.4/policy/modules/system/userdomain.if 2008-08-13 13:18:16.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -33094,18 +33327,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +135,10 @@ +@@ -115,6 +135,11 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` + ssh_rw_stream_sockets($1_usertype) ++ ssh_delete_tmp($1_t) + ') ') ####################################### -@@ -141,33 +165,13 @@ +@@ -141,33 +166,13 @@ # template(`userdom_ro_home_template',` gen_require(` 
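Review bot: In the userdomain.if hunk at `@@ -33094,18 +33327,19 @@` the new `optional_policy` block gives `ssh_rw_stream_sockets` the attribute `$1_usertype` but gives the added `ssh_delete_tmp` only `$1_t`, and the hunk does not say whether that difference is intended. If the other types carrying `$1_usertype` also need to remove these files, the call should read `ssh_delete_tmp($1_usertype)`. If they do not, a comment such as `# delete is limited to $1_t on purpose: <reason or denial reference>` would make the narrower scope explicit. What `$1_usertype` covers is defined outside this hunk, as is the start of the enclosing template.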
@@ -33144,7 +33378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -175,13 +179,14 @@ +@@ -175,13 +180,14 @@ # # read-only home directory @@ -33166,7 +33400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -190,9 +195,6 @@ +@@ -190,9 +196,6 @@ fs_read_nfs_symlinks($1_t) fs_read_nfs_named_sockets($1_t) fs_read_nfs_named_pipes($1_t) @@ -33176,7 +33410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -201,9 +203,6 @@ +@@ -201,9 +204,6 @@ fs_read_cifs_symlinks($1_t) fs_read_cifs_named_sockets($1_t) fs_read_cifs_named_pipes($1_t) @@ -33186,7 +33420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -231,30 +230,14 @@ +@@ -231,30 +231,14 @@ # template(`userdom_manage_home_template',` gen_require(` @@ -33223,7 +33457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -262,43 +245,44 @@ +@@ -262,43 +246,44 @@ # # full control of the home directory @@ -33298,7 +33532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -316,14 +300,20 @@ +@@ -316,14 +301,20 @@ ## # template(`userdom_exec_home_template',` @@ -33324,7 +33558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -341,11 +331,10 @@ +@@ -341,11 +332,10 @@ ## # template(`userdom_poly_home_template',` @@ -33340,7 +33574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -369,18 +358,18 @@ +@@ -369,18 +359,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` 
@@ -33369,7 +33603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -396,7 +385,13 @@ +@@ -396,7 +386,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -33384,7 +33618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -439,18 +434,18 @@ +@@ -439,18 +435,18 @@ # template(`userdom_manage_tmpfs_template',` gen_require(` @@ -33411,7 +33645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -468,17 +463,17 @@ +@@ -468,17 +464,17 @@ # template(`userdom_untrusted_content_template',` gen_require(` @@ -33432,7 +33666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_file($1_untrusted_content_tmp_t) # Allow user to relabel untrusted content -@@ -510,10 +505,6 @@ +@@ -510,10 +506,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -33443,7 +33677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin($1_t) ') -@@ -531,34 +522,20 @@ +@@ -531,34 +523,20 @@ ## # template(`userdom_basic_networking_template',` @@ -33490,7 +33724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -575,30 +552,33 @@ +@@ -575,30 +553,33 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -33540,7 +33774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -629,13 +609,7 @@ +@@ -629,13 +610,7 @@ ## ## The template for allowing the user to change roles. ## 
@@ -33555,7 +33789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -699,188 +673,202 @@ +@@ -699,188 +674,202 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -33839,7 +34073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -902,9 +890,7 @@ +@@ -902,9 +891,7 @@ ## # template(`userdom_login_user_template', ` @@ -33850,7 +34084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_base_user_template($1) -@@ -934,70 +920,72 @@ +@@ -934,70 +921,72 @@ allow $1_t self:context contains; @@ -33956,7 +34190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1031,9 +1019,6 @@ +@@ -1031,9 +1020,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -33966,7 +34200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1027,24 @@ +@@ -1042,12 +1028,24 @@ # # privileged home directory writers @@ -33997,7 +34231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1087,14 +1084,16 @@ +@@ -1087,14 +1085,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) 
@@ -34019,7 +34253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1101,23 @@ +@@ -1102,28 +1102,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -34053,7 +34287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1128,7 @@ +@@ -1134,8 +1129,7 @@ ## ## ##

@@ -34063,7 +34297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1167,11 +1160,10 @@ +@@ -1167,11 +1161,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -34076,7 +34310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1181,45 @@ +@@ -1189,36 +1182,45 @@ ') ') @@ -34135,7 +34369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1296,6 @@ +@@ -1295,8 +1297,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -34144,7 +34378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1317,6 @@ +@@ -1318,8 +1318,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -34153,7 +34387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1371,6 @@ +@@ -1374,13 +1372,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -34167,7 +34401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1422,7 @@ +@@ -1432,6 +1423,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -34175,7 +34409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1452,6 @@ +@@ -1461,10 +1453,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) 
@@ -34186,7 +34420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1471,14 @@ +@@ -1484,6 +1472,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -34201,7 +34435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1736,15 @@ +@@ -1741,11 +1737,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -34220,7 +34454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1840,11 @@ +@@ -1841,11 +1841,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -34234,7 +34468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1874,11 @@ +@@ -1875,11 +1875,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -34248,7 +34482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1922,12 @@ +@@ -1923,12 +1923,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -34264,7 +34498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1957,11 @@ +@@ -1958,10 +1958,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -34278,7 +34512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1993,47 @@ +@@ -1993,11 +1994,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` 
@@ -34328,7 +34562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2065,10 @@ +@@ -2029,10 +2066,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -34341,7 +34575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2098,11 @@ +@@ -2062,11 +2099,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -34355,7 +34589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2132,11 @@ +@@ -2096,11 +2133,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -34370,7 +34604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2166,14 @@ +@@ -2130,10 +2167,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -34387,7 +34621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2203,11 @@ +@@ -2163,11 +2204,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -34401,7 +34635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2237,11 @@ +@@ -2197,11 +2238,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -34415,7 +34649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2271,10 @@ +@@ -2231,10 +2272,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` 
@@ -34428,7 +34662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2306,12 @@ +@@ -2266,12 +2307,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -34444,7 +34678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2343,10 @@ +@@ -2303,10 +2344,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -34457,7 +34691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2378,12 @@ +@@ -2338,12 +2379,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -34473,7 +34707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2415,12 @@ +@@ -2375,12 +2416,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -34489,7 +34723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2452,12 @@ +@@ -2412,12 +2453,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -34505,7 +34739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2502,11 @@ +@@ -2462,11 +2503,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -34519,7 +34753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2551,11 @@ +@@ -2511,11 +2552,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` 
@@ -34533,7 +34767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2595,11 @@ +@@ -2555,11 +2596,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -34547,7 +34781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2629,11 @@ +@@ -2589,11 +2630,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -34561,7 +34795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2663,11 @@ +@@ -2623,11 +2664,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -34575,7 +34809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2699,10 @@ +@@ -2659,10 +2700,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -34588,7 +34822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2734,10 @@ +@@ -2694,10 +2735,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -34601,7 +34835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2767,12 @@ +@@ -2727,12 +2768,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -34617,7 +34851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2804,10 @@ +@@ -2764,10 +2805,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` 
@@ -34630,7 +34864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2839,10 @@ +@@ -2799,10 +2840,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -34643,7 +34877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2872,12 @@ +@@ -2832,12 +2873,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -34659,7 +34893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2909,10 @@ +@@ -2869,10 +2910,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -34672,7 +34906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2944,12 @@ +@@ -2904,12 +2945,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -34688,7 +34922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2981,11 @@ +@@ -2941,11 +2982,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -34702,7 +34936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3017,11 @@ +@@ -2977,11 +3018,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -34716,7 +34950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3053,11 @@ +@@ -3013,11 +3054,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` 
@@ -34730,7 +34964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3089,11 @@ +@@ -3049,11 +3090,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -34744,7 +34978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3125,11 @@ +@@ -3085,11 +3126,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -34758,7 +34992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3174,10 @@ +@@ -3134,10 +3175,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -34771,7 +35005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3218,19 @@ +@@ -3178,19 +3219,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -34795,7 +35029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -4616,11 +4656,11 @@ +@@ -4616,11 +4657,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -34809,7 +35043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4680,14 @@ +@@ -4640,6 +4681,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -34824,7 +35058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4725,8 @@ +@@ -4677,6 +4726,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -34833,7 +35067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4771,25 @@ +@@ -4721,6 +4772,25 @@ ######################################## ##

@@ -34859,7 +35093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5015,7 @@ +@@ -4946,7 +5016,7 @@ ######################################## ## @@ -34868,7 +35102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,6 +5387,42 @@ +@@ -5318,6 +5388,42 @@ ######################################## ## @@ -34911,7 +35145,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write unprivileged user ttys. ## ## -@@ -5368,7 +5473,7 @@ +@@ -5368,7 +5474,7 @@ attribute userdomain; ') @@ -34920,7 +35154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -5483,7 +5588,7 @@ +@@ -5483,7 +5589,7 @@ ######################################## ## @@ -34929,7 +35163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5491,10 +5596,46 @@ +@@ -5491,10 +5597,46 @@ ## ## # @@ -34978,7 +35212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 userdomain:dbus send_msg; -@@ -5513,3 +5654,525 @@ +@@ -5513,3 +5655,525 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -35400,7 +35634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`userdom_relabel_all_home_dirs',` + gen_require(` -+ type user_home_type; ++ attribute user_home_type; + ') + + files_search_home($1) @@ -35419,7 +35653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`userdom_relabel_all_home_files',` + gen_require(` -+ type user_home_type; ++ attribute user_home_type; + ') + + files_search_home($1)