diff --git a/policy-F16.patch b/policy-F16.patch index 24fcf61..8275a64 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -226,7 +226,7 @@ index 4705ab6..0f0bb47 100644 +gen_tunable(allow_console_login,false) + diff --git a/policy/mcs b/policy/mcs -index df8e0fa..92b6177 100644 +index df8e0fa..09eea90 100644 --- a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats) @@ -266,7 +266,23 @@ index df8e0fa..92b6177 100644 # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. -@@ -101,6 +117,9 @@ mlsconstrain process { ptrace } +@@ -87,10 +103,13 @@ mlsconstrain file { create relabelto } + + # new file labels must be dominated by the relabeling subject clearance + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } +- ( h1 dom h2 ); ++ (( h1 dom h2 ) or ( t1 == mcswriteall )); ++ ++mlsconstrain { file lnk_file fifo_file } { create relabelto } ++ ( l2 eq h2 ); + + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } +- (( h1 dom h2 ) and ( l2 eq h2 )); ++ ( h1 dom h2 ); + + mlsconstrain process { transition dyntransition } + (( h1 dom h2 ) or ( t1 == mcssetcats )); +@@ -101,6 +120,9 @@ mlsconstrain process { ptrace } mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); @@ -276,7 +292,7 @@ index df8e0fa..92b6177 100644 # # MCS policy for SELinux-enabled databases # -@@ -144,4 +163,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -144,4 +166,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -2790,7 +2806,7 @@ index d33daa8..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..17b5426 100644 +index 47a8f7d..a485d76 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ @@ -3002,17 +3018,15 @@ index 47a8f7d..17b5426 100644 tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -377,8 +417,9 @@ optional_policy(` +@@ -377,7 +417,7 @@ optional_policy(` ') optional_policy(` - unconfined_domain(rpm_script_t) + unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) -+ unconfined_execmem_domtrans(rpm_script_t) optional_policy(` - java_domtrans_unconfined(rpm_script_t) diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te index c8ef84b..eb4bd05 100644 --- a/policy/modules/admin/sectoolm.te @@ -3547,7 +3561,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..634c47a 100644 +index 975af1a..748db5b 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -3558,9 +3572,11 @@ index 975af1a..634c47a 100644 attribute sudodomain; ') -@@ -47,26 +48,11 @@ template(`sudo_role_template',` +@@ -46,27 +47,13 @@ template(`sudo_role_template',` + domain_role_change_exemption($1_sudo_t) ubac_constrained($1_sudo_t) role $2 types $1_sudo_t; ++ userdom_home_manager($1_sudo_t) - ############################## - # @@ -3589,7 +3605,7 @@ index 975af1a..634c47a 100644 allow $1_sudo_t $3:key search; -@@ -76,88 +62,19 @@ template(`sudo_role_template',` +@@ -76,88 +63,19 @@ template(`sudo_role_template',` # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) @@ -3684,7 +3700,7 @@ index 975af1a..634c47a 100644 ') ######################################## -@@ -177,3 +94,22 @@ interface(`sudo_sigchld',` +@@ -177,3 +95,22 @@ interface(`sudo_sigchld',` allow $1 sudodomain:process sigchld; ') @@ -3708,10 +3724,10 @@ index 975af1a..634c47a 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index 2731fa1..71bf5e8 100644 +index 2731fa1..9ce39dd 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,112 @@ attribute sudodomain; +@@ -7,3 +7,104 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -3809,14 +3825,6 @@ index 2731fa1..71bf5e8 100644 +userdom_search_admin_dir(sudodomain) +userdom_manage_all_users_keys(sudodomain) + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files(sudodomain) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_files(sudodomain) -+') -+ +optional_policy(` + dbus_system_bus_client(sudodomain) +') @@ -4194,7 +4202,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..cc0406f 100644 +index 441cf22..6bcfc8c 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto; @@ -4421,7 +4429,15 @@ index 441cf22..cc0406f 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -498,21 +517,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -495,24 +514,19 @@ seutil_read_file_contexts(useradd_t) + seutil_read_default_contexts(useradd_t) + seutil_domtrans_semanage(useradd_t) + seutil_domtrans_setfiles(useradd_t) ++seutil_domtrans_loadpolicy(useradd_t) ++seutil_manage_bin_policy(useradd_t) ++seutil_manage_module_store(useradd_t) ++seutil_get_semanage_trans_lock(useradd_t) ++seutil_get_semanage_read_lock(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -4550,7 +4566,7 @@ index 283ff0d..53f9ba1 100644 ## ## diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te -index 46ea44f..f7183ef 100644 +index 46ea44f..49ce279 100644 --- a/policy/modules/apps/cdrecord.te +++ b/policy/modules/apps/cdrecord.te @@ -56,7 +56,7 @@ logging_send_syslog_msg(cdrecord_t) @@ -4562,6 +4578,19 @@ index 46ea44f..f7183ef 100644 userdom_read_user_home_content_files(cdrecord_t) # Handle nfs home dirs +@@ -109,11 +109,7 @@ tunable_policy(`cdrecord_read_content',` + userdom_dontaudit_read_user_home_content_files(cdrecord_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- files_search_mnt(cdrecord_t) +- fs_read_nfs_files(cdrecord_t) +- fs_read_nfs_symlinks(cdrecord_t) +-') ++userdom_home_manager(cdrecord_t) + + optional_policy(` + resmgr_stream_connect(cdrecord_t) diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc new file mode 100644 index 0000000..5901e21 @@ -4715,10 +4744,10 @@ index 0000000..1553356 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..6c642a2 +index 0000000..acb325c --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,180 @@ +@@ -0,0 +1,175 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4813,11 +4842,6 @@ index 0000000..6c642a2 +sysnet_dns_name_resolve(chrome_sandbox_t) + +optional_policy(` -+ execmem_exec(chrome_sandbox_t) -+ execmem_execmod(chrome_sandbox_t) -+') -+ -+optional_policy(` + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) +') @@ -5052,215 +5076,6 @@ index cd70958..e8c94b1 100644 -optional_policy(` - nscd_socket_use(evolution_webcal_t) -') -diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc -new file mode 100644 -index 0000000..5e09952 ---- /dev/null -+++ b/policy/modules/apps/execmem.fc -@@ -0,0 +1,49 @@ -+ -+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+ifdef(`distro_gentoo',` -+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+') -+/usr/lib/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if -new file mode 100644 -index 0000000..e23f640 ---- /dev/null -+++ b/policy/modules/apps/execmem.if -@@ -0,0 +1,132 @@ -+## execmem domain -+ -+######################################## -+## -+## Execute the execmem program -+## in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`execmem_exec',` -+ gen_require(` -+ type execmem_exec_t; -+ ') -+ -+ can_exec($1, execmem_exec_t) -+') -+ -+####################################### -+## -+## The role template for the execmem module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for execmem applications. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`execmem_role_template',` -+ gen_require(` -+ type execmem_exec_t; -+ ') -+ -+ type $1_execmem_t; -+ domain_type($1_execmem_t) -+ domain_entry_file($1_execmem_t, execmem_exec_t) -+ role $2 types $1_execmem_t; -+ -+ userdom_unpriv_usertype($1, $1_execmem_t) -+ userdom_manage_tmp_role($2, $1_execmem_t) -+ userdom_manage_tmpfs_role($2, $1_execmem_t) -+ -+ allow $1_execmem_t self:process { execmem execstack }; -+ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; -+ domtrans_pattern($3, execmem_exec_t, $1_execmem_t) -+ -+ files_execmod_tmp($1_execmem_t) -+ -+ allow $3 execmem_exec_t:file execmod; -+ allow $1_execmem_t execmem_exec_t:file execmod; -+ -+ # needed by plasma-desktop -+ optional_policy(` -+ gnome_read_usr_config($1_execmem_t) -+ ') -+ -+ optional_policy(` -+ mozilla_execmod_user_home_files($1_execmem_t) -+ ') -+ -+ optional_policy(` -+ nsplugin_rw_shm($1_execmem_t) -+ nsplugin_rw_semaphores($1_execmem_t) -+ ') -+ -+ optional_policy(` -+ xserver_role($2, $1_execmem_t) -+ ') -+') -+ -+######################################## -+## -+## Execute a execmem_exec file -+## in the specified domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`execmem_domtrans',` -+ gen_require(` -+ type execmem_exec_t; -+ ') -+ -+ domtrans_pattern($1, execmem_exec_t, $2) -+') -+ -+######################################## -+## -+## Execmod the execmem_exec applications -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`execmem_execmod',` -+ gen_require(` -+ type execmem_exec_t; -+ ') -+ -+ allow $1 execmem_exec_t:file execmod; -+') -+ -diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te -new file mode 100644 -index 0000000..a7d37e2 ---- /dev/null -+++ b/policy/modules/apps/execmem.te -@@ -0,0 +1,10 @@ -+policy_module(execmem, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type execmem_exec_t alias unconfined_execmem_exec_t; -+application_executable_file(execmem_exec_t) -+ diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc new file mode 100644 index 0000000..ce498b3 @@ -5409,18 +5224,47 @@ index ac4f509..4b7b763 100644 ') diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te -index 6e4add5..10a2ce4 100644 +index 6e4add5..5c81832 100644 --- a/policy/modules/apps/gift.te +++ b/policy/modules/apps/gift.te -@@ -132,7 +132,7 @@ miscfiles_read_localization(giftd_t) +@@ -70,17 +70,7 @@ sysnet_read_config(gift_t) + # giftui looks in .icons, .themes. + userdom_dontaudit_read_user_home_content_files(gift_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gift_t) +- fs_manage_nfs_files(gift_t) +- fs_manage_nfs_symlinks(gift_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gift_t) +- fs_manage_cifs_files(gift_t) +- fs_manage_cifs_symlinks(gift_t) +-') ++userdom_home_manager(gift_t) + + optional_policy(` + nscd_socket_use(gift_t) +@@ -132,16 +122,5 @@ miscfiles_read_localization(giftd_t) sysnet_read_config(giftd_t) -userdom_use_user_terminals(giftd_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(giftd_t) +- fs_manage_nfs_files(giftd_t) +- fs_manage_nfs_symlinks(giftd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(giftd_t) +- fs_manage_cifs_files(giftd_t) +- fs_manage_cifs_symlinks(giftd_t) +-') +userdom_use_inherited_user_terminals(giftd_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(giftd_t) ++userdom_home_manager(gitd_t) diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc index 00a19e3..9f6139c 100644 --- a/policy/modules/apps/gnome.fc @@ -5474,10 +5318,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..deab06c 100644 +index f5afe78..8fe4b66 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,786 @@ +@@ -1,44 +1,819 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -5552,6 +5396,8 @@ index f5afe78..deab06c 100644 + ubac_constrained($1_gkeyringd_t) + domain_user_exemption_target($1_gkeyringd_t) + ++ userdom_home_manager($1_gkeyringd_t) ++ + role $2 types $1_gkeyringd_t; + + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) @@ -5780,6 +5626,37 @@ index f5afe78..deab06c 100644 + +######################################## +## ++## Create objects in a Gnome cache home directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`gnome_config_filetrans',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ filetrans_pattern($1, config_home_t, $2, $3, $4) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## +## Read generic cache home files (.cache) +## +## @@ -6283,7 +6160,7 @@ index f5afe78..deab06c 100644 ## ## ## -@@ -46,37 +788,117 @@ interface(`gnome_role',` +@@ -46,37 +821,117 @@ interface(`gnome_role',` ## ## # @@ -6411,7 +6288,7 @@ index f5afe78..deab06c 100644 ## ## ## -@@ -84,37 +906,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +939,53 @@ template(`gnome_read_gconf_config',` ## ## # @@ -6476,7 +6353,7 @@ index f5afe78..deab06c 100644 ## ## ## -@@ -122,17 +960,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +993,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -6498,7 +6375,7 @@ index f5afe78..deab06c 100644 ## ## ## -@@ -140,51 +978,299 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1011,299 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -6815,7 +6692,7 @@ index f5afe78..deab06c 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..45b4ca9 100644 +index 2505654..14d7e30 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0) @@ -6893,7 +6770,7 @@ index 2505654..45b4ca9 100644 ############################## # # Local Policy -@@ -75,3 +113,168 @@ optional_policy(` +@@ -75,3 +113,151 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -6937,15 +6814,7 @@ index 2505654..45b4ca9 100644 + policykit_read_reload(gconfdefaultsm_t) +') + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(gconfdefaultsm_t) -+ fs_manage_nfs_files(gconfdefaultsm_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(gconfdefaultsm_t) -+ fs_manage_cifs_files(gconfdefaultsm_t) -+') ++userdom_home_manager(gconfdefaultsm_t) + +####################################### +# @@ -7017,6 +6886,7 @@ index 2505654..45b4ca9 100644 + +dev_read_rand(gkeyringd_domain) +dev_read_urand(gkeyringd_domain) ++dev_read_sysfs(gkeyringd_domain) + +files_read_etc_files(gkeyringd_domain) +files_read_usr_files(gkeyringd_domain) @@ -7052,16 +6922,6 @@ index 2505654..45b4ca9 100644 + +userdom_use_inherited_user_terminals(gnome_domain) + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_getattr_nfs(gkeyringd_domain) -+ fs_manage_nfs_dirs(gkeyringd_domain) -+ fs_manage_nfs_files(gkeyringd_domain) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(gkeyringd_domain) -+ fs_manage_cifs_files(gkeyringd_domain) -+') diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc index e9853d4..6864b58 100644 --- a/policy/modules/apps/gpg.fc @@ -7147,7 +7007,7 @@ index 40e0a2a..93d212c 100644 ## ## Send generic signals to user gpg processes. diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 9050e8c..401a4ec 100644 +index 9050e8c..80f8c31 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0) @@ -7205,7 +7065,7 @@ index 9050e8c..401a4ec 100644 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -@@ -123,11 +139,14 @@ logging_send_syslog_msg(gpg_t) +@@ -123,22 +139,26 @@ logging_send_syslog_msg(gpg_t) miscfiles_read_localization(gpg_t) @@ -7222,21 +7082,25 @@ index 9050e8c..401a4ec 100644 mta_write_config(gpg_t) -@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',` - ') - - optional_policy(` +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gpg_t) +- fs_manage_nfs_files(gpg_t) ++userdom_home_manager(gpg_t) ++ ++optional_policy(` + gnome_read_config(gpg_t) + gnome_stream_connect_gkeyringd(gpg_t) -+') -+ + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gpg_t) +- fs_manage_cifs_files(gpg_t) +optional_policy(` + mta_read_spool(gpg_t) -+') -+ -+optional_policy(` - mozilla_read_user_home_files(gpg_t) - mozilla_write_user_home_files(gpg_t) + ') + + optional_policy(` +@@ -147,15 +167,19 @@ optional_policy(` ') optional_policy(` @@ -7260,7 +7124,7 @@ index 9050e8c..401a4ec 100644 ######################################## # # GPG helper local policy -@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t) +@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t) auth_use_nsswitch(gpg_helper_t) @@ -7269,7 +7133,7 @@ index 9050e8c..401a4ec 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # @@ -7283,7 +7147,7 @@ index 9050e8c..401a4ec 100644 allow gpg_agent_t self:fifo_file rw_fifo_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) +@@ -239,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. @@ -7306,7 +7170,23 @@ index 9050e8c..401a4ec 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) ') -@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gpg_agent_t) +- fs_manage_nfs_files(gpg_agent_t) +- fs_manage_nfs_symlinks(gpg_agent_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gpg_agent_t) +- fs_manage_cifs_files(gpg_agent_t) +- fs_manage_cifs_symlinks(gpg_agent_t) +-') ++userdom_home_manager(gpg_agent_t) + + optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) +@@ -332,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -7315,18 +7195,19 @@ index 9050e8c..401a4ec 100644 +userdom_signull_unpriv_users(gpg_pinentry_t) +userdom_use_user_terminals(gpg_pinentry_t) - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) -@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',` +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(gpg_pinentry_t) +-') ++userdom_home_reader(gpg_pinentry_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(gpg_pinentry_t) ++optional_policy(` ++ gnome_read_home_config(gpg_pinentry_t) ') optional_policy(` -+ gnome_read_home_config(gpg_pinentry_t) -+') -+ -+optional_policy(` - dbus_session_bus_client(gpg_pinentry_t) - dbus_system_bus_client(gpg_pinentry_t) +@@ -347,6 +365,12 @@ optional_policy(` ') optional_policy(` @@ -7339,7 +7220,7 @@ index 9050e8c..401a4ec 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +404,28 @@ optional_policy(` +@@ -356,4 +380,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -7422,7 +7303,7 @@ index 4f9dc90..81a0fc6 100644 + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te -index 66beb80..b69a628 100644 +index 66beb80..4bc18b6 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t) @@ -7456,20 +7337,27 @@ index 66beb80..b69a628 100644 # Local policy # -@@ -84,7 +108,7 @@ seutil_use_newrole_fds(irc_t) +@@ -84,20 +108,75 @@ seutil_use_newrole_fds(irc_t) sysnet_read_config(irc_t) # Write to the user domain tty. -userdom_use_user_terminals(irc_t) +userdom_use_inherited_user_terminals(irc_t) - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(irc_t) -@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',` - optional_policy(` - nis_use_ypbind(irc_t) - ') +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(irc_t) +- fs_manage_nfs_files(irc_t) +- fs_manage_nfs_symlinks(irc_t) ++userdom_home_manager(irc_t) + ++optional_policy(` ++ nis_use_ypbind(irc_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(irc_t) +- fs_manage_cifs_files(irc_t) +- fs_manage_cifs_symlinks(irc_t) +######################################## +# +# Irssi personal declarations. @@ -7527,162 +7415,13 @@ index 66beb80..b69a628 100644 + corenet_tcp_connect_all_ports(irssi_t) + corenet_sendrecv_generic_server_packets(irssi_t) + corenet_sendrecv_all_client_packets(irssi_t) -+') -+ -+tunable_policy(`use_nfs_home_dirs', ` -+ fs_manage_nfs_dirs(irssi_t) -+ fs_manage_nfs_files(irssi_t) -+ fs_manage_nfs_symlinks(irssi_t) -+') -+ -+tunable_policy(`use_samba_home_dirs', ` -+ fs_manage_cifs_dirs(irssi_t) -+ fs_manage_cifs_files(irssi_t) -+ fs_manage_cifs_symlinks(irssi_t) -+') -+ -+optional_policy(` -+ automount_dontaudit_getattr_tmp_dirs(irssi_t) -+') -diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc -index 86c1768..5d2130c 100644 ---- a/policy/modules/apps/java.fc -+++ b/policy/modules/apps/java.fc -@@ -5,10 +5,13 @@ - /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - /opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - - # - # /usr - # -+/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -27,12 +30,14 @@ - /usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) --/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - - /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - - /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -+ - ifdef(`distro_redhat',` - /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) - ') -diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if -index e6d84e8..7c398c0 100644 ---- a/policy/modules/apps/java.if -+++ b/policy/modules/apps/java.if -@@ -72,7 +72,8 @@ template(`java_role_template',` - - domain_interactive_fd($1_java_t) - -- userdom_manage_user_tmpfs_files($1_java_t) -+ userdom_unpriv_usertype($1, $1_java_t) -+ userdom_manage_tmpfs_role($2, $1_java_t) - - allow $1_java_t self:process { ptrace signal getsched execmem execstack }; - -@@ -82,7 +83,7 @@ template(`java_role_template',` - - domtrans_pattern($3, java_exec_t, $1_java_t) - -- corecmd_bin_domtrans($1_java_t, $3) -+ corecmd_bin_domtrans($1_java_t, $1_t) - - dev_dontaudit_append_rand($1_java_t) - -@@ -105,7 +106,7 @@ template(`java_role_template',` - ## - ## - # --template(`java_domtrans',` -+interface(`java_domtrans',` - gen_require(` - type java_t, java_exec_t; - ') -@@ -179,6 +180,10 @@ interface(`java_run_unconfined',` - - java_domtrans_unconfined($1) - role $2 types unconfined_java_t; -+ -+ optional_policy(` -+ nsplugin_role_notrans($2, unconfined_java_t) -+ ') ') - ######################################## -diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te -index 167950d..27d37b0 100644 ---- a/policy/modules/apps/java.te -+++ b/policy/modules/apps/java.te -@@ -82,18 +82,20 @@ dev_read_urand(java_t) - dev_read_rand(java_t) - dev_dontaudit_append_rand(java_t) - -+files_read_etc_files(java_t) - files_read_usr_files(java_t) - files_search_home(java_t) - files_search_var_lib(java_t) - files_read_etc_runtime_files(java_t) - # Read global fonts and font config --files_read_etc_files(java_t) - - fs_getattr_xattr_fs(java_t) - fs_dontaudit_rw_tmpfs_files(java_t) - - logging_send_syslog_msg(java_t) - -+auth_use_nsswitch(java_t) ++userdom_home_manager(irssi_t) + - miscfiles_read_localization(java_t) - # Read global fonts and font config - miscfiles_read_fonts(java_t) -@@ -123,14 +125,6 @@ tunable_policy(`allow_java_execstack',` - ') - optional_policy(` -- nis_use_ypbind(java_t) --') -- --optional_policy(` -- nscd_socket_use(java_t) --') -- --optional_policy(` - xserver_user_x_domain_template(java, java_t, java_tmpfs_t) - ') - -@@ -143,14 +137,21 @@ optional_policy(` - # execheap is needed for itanium/BEA jrocket - allow unconfined_java_t self:process { execstack execmem execheap }; - -+ init_dbus_chat_script(unconfined_java_t) -+ - files_execmod_all_files(unconfined_java_t) - - init_dbus_chat_script(unconfined_java_t) - - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) -+ userdom_unpriv_usertype(unconfined, unconfined_java_t) - - optional_policy(` - rpm_domtrans(unconfined_java_t) - ') -+ -+ optional_policy(` -+ wine_domtrans(unconfined_java_t) -+ ') +- nis_use_ypbind(irc_t) ++ automount_dontaudit_getattr_tmp_dirs(irssi_t) ') diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc new file mode 100644 @@ -7944,44 +7683,6 @@ index 0bac996..ca2388d 100644 -userdom_use_user_terminals(lockdev_t) +userdom_use_inherited_user_terminals(lockdev_t) -diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if -index 7b08e13..b2b83ad 100644 ---- a/policy/modules/apps/mono.if -+++ b/policy/modules/apps/mono.if -@@ -40,16 +40,16 @@ template(`mono_role_template',` - domain_interactive_fd($1_mono_t) - application_type($1_mono_t) - -- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; -- -- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; -+ allow $1_mono_t self:process { signal getsched execheap execmem execstack }; -+ allow $3 $1_mono_t:process { getattr noatsecure signal_perms }; - - domtrans_pattern($3, mono_exec_t, $1_mono_t) - - fs_dontaudit_rw_tmpfs_files($1_mono_t) - corecmd_bin_domtrans($1_mono_t, $1_t) - -- userdom_manage_user_tmpfs_files($1_mono_t) -+ userdom_unpriv_usertype($1, $1_mono_t) -+ userdom_manage_tmpfs_role($2, $1_mono_t) - - optional_policy(` - xserver_role($1_r, $1_mono_t) -diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te -index dff0f12..ecab36d 100644 ---- a/policy/modules/apps/mono.te -+++ b/policy/modules/apps/mono.te -@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) - # Local policy - # - --allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; -+allow mono_t self:process { signal getsched execheap execmem execstack }; - - init_dbus_chat_script(mono_t) - diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc index 93ac529..35b51ab 100644 --- a/policy/modules/apps/mozilla.fc @@ -8170,7 +7871,7 @@ index fbb5c5a..b9b8ac2 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..69e2534 100644 +index 2e9318b..add01a5 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -8213,7 +7914,7 @@ index 2e9318b..69e2534 100644 logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -@@ -165,14 +172,18 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -165,27 +172,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -8228,14 +7929,26 @@ index 2e9318b..69e2534 100644 - allow mozilla_t self:process { execmem execstack }; +tunable_policy(`allow_execstack',` + allow mozilla_t self:process execstack; -+') -+ + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_t) +- fs_manage_nfs_files(mozilla_t) +- fs_manage_nfs_symlinks(mozilla_t) +tunable_policy(`deny_execmem',`',` + allow mozilla_t self:process execmem; ') - tunable_policy(`use_nfs_home_dirs',` -@@ -262,6 +273,7 @@ optional_policy(` +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_t) +- fs_manage_cifs_files(mozilla_t) +- fs_manage_cifs_symlinks(mozilla_t) +-') ++userdom_home_manager(mozilla_t) + + # Uploads, local html + tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` +@@ -262,6 +263,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -8243,7 +7956,7 @@ index 2e9318b..69e2534 100644 ') optional_policy(` -@@ -278,7 +290,8 @@ optional_policy(` +@@ -278,7 +280,8 @@ optional_policy(` ') optional_policy(` @@ -8253,7 +7966,7 @@ index 2e9318b..69e2534 100644 ') optional_policy(` -@@ -296,16 +309,19 @@ optional_policy(` +@@ -296,16 +299,19 @@ optional_policy(` # mozilla_plugin local policy # @@ -8277,7 +7990,7 @@ index 2e9318b..69e2534 100644 can_exec(mozilla_plugin_t, mozilla_home_t) read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -@@ -313,8 +329,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +@@ -313,8 +319,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -8290,7 +8003,7 @@ index 2e9318b..69e2534 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -332,11 +350,9 @@ kernel_request_load_module(mozilla_plugin_t) +@@ -332,11 +340,9 @@ kernel_request_load_module(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -8304,17 +8017,19 @@ index 2e9318b..69e2534 100644 corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -@@ -344,6 +360,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) +@@ -344,6 +350,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) +corenet_tcp_connect_streaming_port(mozilla_plugin_t) ++corenet_tcp_connect_ftp_port(mozilla_plugin_t) ++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) dev_read_rand(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) -@@ -385,20 +404,26 @@ term_getattr_all_ttys(mozilla_plugin_t) +@@ -385,33 +396,29 @@ term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -8343,8 +8058,22 @@ index 2e9318b..69e2534 100644 + allow mozilla_plugin_t self:process execstack; ') - tunable_policy(`use_nfs_home_dirs',` -@@ -425,7 +450,13 @@ optional_policy(` +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_t) +- fs_manage_nfs_files(mozilla_plugin_t) +- fs_manage_nfs_symlinks(mozilla_plugin_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_t) +- fs_manage_cifs_files(mozilla_plugin_t) +- fs_manage_cifs_symlinks(mozilla_plugin_t) +-') ++userdom_home_manager(mozilla_plugin_t) + + optional_policy(` + alsa_read_rw_config(mozilla_plugin_t) +@@ -425,7 +432,13 @@ optional_policy(` ') optional_policy(` @@ -8358,7 +8087,7 @@ index 2e9318b..69e2534 100644 ') optional_policy(` -@@ -438,7 +469,14 @@ optional_policy(` +@@ -438,7 +451,14 @@ optional_policy(` ') optional_policy(` @@ -8374,7 +8103,7 @@ index 2e9318b..69e2534 100644 ') optional_policy(` -@@ -446,10 +484,27 @@ optional_policy(` +@@ -446,10 +466,27 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -8447,7 +8176,7 @@ index d8ea41d..8bdc526 100644 + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te -index 072a210..8b1fa1b 100644 +index 072a210..320963b 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t) @@ -8458,7 +8187,7 @@ index 072a210..8b1fa1b 100644 userdom_user_home_content(mplayer_home_t) type mplayer_tmpfs_t; -@@ -76,7 +77,7 @@ storage_raw_read_removable_device(mencoder_t) +@@ -76,13 +77,14 @@ storage_raw_read_removable_device(mencoder_t) miscfiles_read_localization(mencoder_t) @@ -8467,7 +8196,14 @@ index 072a210..8b1fa1b 100644 # Handle removable media, /tmp, and /home userdom_list_user_tmp(mencoder_t) userdom_read_user_tmp_files(mencoder_t) -@@ -91,7 +92,7 @@ ifndef(`enable_mls',` + userdom_read_user_tmp_symlinks(mencoder_t) + userdom_read_user_home_content_files(mencoder_t) + userdom_read_user_home_content_symlinks(mencoder_t) ++userdom_home_manager(mencoder_t) + + # Read content to encode + ifndef(`enable_mls',` +@@ -91,7 +93,7 @@ ifndef(`enable_mls',` fs_read_removable_symlinks(mencoder_t) ') @@ -8476,7 +8212,54 @@ index 072a210..8b1fa1b 100644 allow mencoder_t self:process execmem; ') -@@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) +@@ -103,46 +105,6 @@ tunable_policy(`allow_mplayer_execstack',` + allow mencoder_t self:process { execmem execstack }; + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mencoder_t) +- fs_manage_nfs_files(mencoder_t) +- fs_manage_nfs_symlinks(mencoder_t) +- +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mencoder_t) +- fs_manage_cifs_files(mencoder_t) +- fs_manage_cifs_symlinks(mencoder_t) +- +-') +- +-# Read content to encode +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_auto_mountpoints(mencoder_t) +- files_list_home(mencoder_t) +- fs_read_nfs_files(mencoder_t) +- fs_read_nfs_symlinks(mencoder_t) +- +-',` +- files_dontaudit_list_home(mencoder_t) +- fs_dontaudit_list_auto_mountpoints(mencoder_t) +- fs_dontaudit_read_nfs_files(mencoder_t) +- fs_dontaudit_list_nfs(mencoder_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_auto_mountpoints(mencoder_t) +- files_list_home(mencoder_t) +- fs_read_cifs_files(mencoder_t) +- fs_read_cifs_symlinks(mencoder_t) +-',` +- files_dontaudit_list_home(mencoder_t) +- fs_dontaudit_list_auto_mountpoints(mencoder_t) +- fs_dontaudit_read_cifs_files(mencoder_t) +- fs_dontaudit_list_cifs(mencoder_t) +-') +- + ######################################## + # + # mplayer local policy +@@ -159,6 +121,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) @@ -8484,7 +8267,7 @@ index 072a210..8b1fa1b 100644 manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -@@ -225,10 +227,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t) +@@ -225,10 +188,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) fs_list_inotifyfs(mplayer_t) @@ -8500,7 +8283,15 @@ index 072a210..8b1fa1b 100644 # Read media files userdom_list_user_tmp(mplayer_t) userdom_read_user_tmp_files(mplayer_t) -@@ -246,7 +252,7 @@ ifdef(`enable_mls',`',` +@@ -236,6 +203,7 @@ userdom_read_user_tmp_symlinks(mplayer_t) + userdom_read_user_home_content_files(mplayer_t) + userdom_read_user_home_content_symlinks(mplayer_t) + userdom_write_user_tmp_sockets(mplayer_t) ++userdom_home_manager(mplayer_t) + + xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) + +@@ -246,7 +214,7 @@ ifdef(`enable_mls',`',` fs_read_removable_symlinks(mplayer_t) ') @@ -8509,7 +8300,55 @@ index 072a210..8b1fa1b 100644 allow mplayer_t self:process execmem; ') -@@ -305,7 +311,7 @@ optional_policy(` +@@ -258,54 +226,19 @@ tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t self:process { execmem execstack }; + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mplayer_t) +- fs_manage_nfs_files(mplayer_t) +- fs_manage_nfs_symlinks(mplayer_t) +-') +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mplayer_t) +- fs_manage_cifs_files(mplayer_t) +- fs_manage_cifs_symlinks(mplayer_t) +-') +- + # Legacy domain issues + tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t mplayer_tmpfs_t:file execute; + ') + +-# Read songs +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_auto_mountpoints(mplayer_t) +- files_list_home(mplayer_t) +- fs_read_nfs_files(mplayer_t) +- fs_read_nfs_symlinks(mplayer_t) +- +-',` +- files_dontaudit_list_home(mplayer_t) +- fs_dontaudit_list_auto_mountpoints(mplayer_t) +- fs_dontaudit_read_nfs_files(mplayer_t) +- fs_dontaudit_list_nfs(mplayer_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_auto_mountpoints(mplayer_t) +- files_list_home(mplayer_t) +- fs_read_cifs_files(mplayer_t) +- fs_read_cifs_symlinks(mplayer_t) +-',` +- files_dontaudit_list_home(mplayer_t) +- fs_dontaudit_list_auto_mountpoints(mplayer_t) +- fs_dontaudit_read_cifs_files(mplayer_t) +- fs_dontaudit_list_cifs(mplayer_t) +-') ++userdom_home_manager(mplayer_t) + + optional_policy(` + alsa_read_rw_config(mplayer_t) ') optional_policy(` @@ -9122,10 +8961,10 @@ index 0000000..fce899a +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..3b6b4cb +index 0000000..cc6b555 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,335 @@ +@@ -0,0 +1,327 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -9336,10 +9175,6 @@ index 0000000..3b6b4cb +') + +optional_policy(` -+ unconfined_execmem_signull(nsplugin_t) -+') -+ -+optional_policy(` + sandbox_read_tmpfs_files(nsplugin_t) +') + @@ -9457,171 +9292,6 @@ index 0000000..3b6b4cb + pulseaudio_manage_home_files(nsplugin_t) + pulseaudio_setattr_home_dir(nsplugin_t) +') -+ -+optional_policy(` -+ unconfined_execmem_exec(nsplugin_t) -+') -diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc -new file mode 100644 -index 0000000..4428be4 ---- /dev/null -+++ b/policy/modules/apps/openoffice.fc -@@ -0,0 +1,3 @@ -+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -+/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -+ -diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if -new file mode 100644 -index 0000000..792bf9c ---- /dev/null -+++ b/policy/modules/apps/openoffice.if -@@ -0,0 +1,124 @@ -+## Openoffice -+ -+####################################### -+## -+## The per role template for the openoffice module. -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`openoffice_plugin_role',` -+ gen_require(` -+ type openoffice_exec_t; -+ type openoffice_t; -+ ') -+ -+ ######################################## -+ # -+ # Local policy -+ # -+ -+ domtrans_pattern($1, openoffice_exec_t, openoffice_t) -+ allow $1 openoffice_t:process { signal sigkill }; -+') -+ -+####################################### -+## -+## role for openoffice -+## -+## -+##

-+## This template creates a derived domains which are used -+## for java applications. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`openoffice_role_template',` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ -+ role $2 types $1_openoffice_t; -+ -+ type $1_openoffice_t; -+ domain_type($1_openoffice_t) -+ domain_entry_file($1_openoffice_t, openoffice_exec_t) -+ domain_interactive_fd($1_openoffice_t) -+ -+ userdom_unpriv_usertype($1, $1_openoffice_t) -+ userdom_exec_user_home_content_files($1_openoffice_t) -+ -+ allow $1_openoffice_t self:process { getsched sigkill execmem execstack }; -+ -+ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh }; -+ allow $1_openoffice_t $3:tcp_socket { read write }; -+ -+ domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) -+ -+ dev_read_urand($1_openoffice_t) -+ dev_read_rand($1_openoffice_t) -+ -+ fs_dontaudit_rw_tmpfs_files($1_openoffice_t) -+ -+ allow $3 $1_openoffice_t:process { signal sigkill }; -+ allow $1_openoffice_t $3:unix_stream_socket connectto; -+ -+ optional_policy(` -+ xserver_role($2, $1_openoffice_t) -+ ') -+') -+ -+######################################## -+## -+## Execute openoffice_exec_t -+## in the specified domain. -+## -+## -+##

-+## Execute a openoffice_exec_t -+## in the specified domain. -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`openoffice_exec_domtrans',` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ -+ allow $2 openoffice_exec_t:file entrypoint; -+ domtrans_pattern($1, openoffice_exec_t, $2) -+') -diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te -new file mode 100644 -index 0000000..a842371 ---- /dev/null -+++ b/policy/modules/apps/openoffice.te -@@ -0,0 +1,16 @@ -+policy_module(openoffice, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type openoffice_t; -+type openoffice_exec_t; -+application_domain(openoffice_t, openoffice_exec_t) -+ -+######################################## -+# -+# Unconfined java local policy -+# -+ diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te index ccc15ab..9f88c3a 100644 --- a/policy/modules/apps/podsleuth.te @@ -9733,18 +9403,24 @@ index f40c64d..aa9e8e2 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") ') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index d1eace5..5314e57 100644 +index d1eace5..3411497 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te -@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -43,8 +43,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; + manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) userdom_search_user_home_dirs(pulseaudio_t) -+userdom_search_admin_dir(pulseaudio_t) ++# ~/.esd_auth - maybe we should label this pulseaudit_home_t? ++userdom_read_user_home_content_files(pulseaudio_t) ++userdom_search_admin_dir(pulseaudio_t) ++ manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) + manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +@@ -53,7 +58,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) @@ -9753,7 +9429,7 @@ index d1eace5..5314e57 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,8 +86,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t) +@@ -85,8 +90,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) fs_list_inotifyfs(pulseaudio_t) @@ -9764,7 +9440,7 @@ index d1eace5..5314e57 100644 auth_use_nsswitch(pulseaudio_t) -@@ -94,10 +95,29 @@ logging_send_syslog_msg(pulseaudio_t) +@@ -94,10 +99,29 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) @@ -9798,7 +9474,7 @@ index d1eace5..5314e57 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -127,10 +147,24 @@ optional_policy(` +@@ -127,10 +151,24 @@ optional_policy(` ') optional_policy(` @@ -9823,7 +9499,7 @@ index d1eace5..5314e57 100644 policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -148,3 +182,7 @@ optional_policy(` +@@ -148,3 +186,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -11010,7 +10686,7 @@ index c8254dd..340a2d7 100644 /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index a57e81e..f9fbc60 100644 +index a57e81e..b0b3ce6 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -25,6 +25,7 @@ template(`screen_role_template',` @@ -11021,7 +10697,7 @@ index a57e81e..f9fbc60 100644 ') ######################################## -@@ -32,51 +33,18 @@ template(`screen_role_template',` +@@ -32,51 +33,20 @@ template(`screen_role_template',` # Declarations # @@ -11066,7 +10742,8 @@ index a57e81e..f9fbc60 100644 - read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) - - allow $1_screen_t $3:process signal; -- ++ userdom_home_reader($1_screen_t) + domtrans_pattern($3, screen_exec_t, $1_screen_t) allow $3 $1_screen_t:process { signal sigchld }; dontaudit $3 $1_screen_t:unix_stream_socket { read write }; @@ -11076,7 +10753,7 @@ index a57e81e..f9fbc60 100644 manage_fifo_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_home_t, screen_home_t) -@@ -87,77 +55,22 @@ template(`screen_role_template',` +@@ -87,77 +57,22 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) @@ -11155,7 +10832,7 @@ index a57e81e..f9fbc60 100644 ') ') diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te -index 553bc73..b3b144c 100644 +index 553bc73..0bd13e3 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -5,6 +5,8 @@ policy_module(screen, 2.3.1) @@ -11167,7 +10844,7 @@ index 553bc73..b3b144c 100644 type screen_exec_t; application_executable_file(screen_exec_t) -@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t +@@ -24,3 +26,92 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; files_pid_file(screen_var_run_t) ubac_constrained(screen_var_run_t) @@ -11260,15 +10937,6 @@ index 553bc73..b3b144c 100644 +userdom_setattr_user_ptys(screen_domain) +userdom_setattr_user_ttys(screen_domain) + -+tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_symlinks(screen_domain) -+ fs_list_cifs(screen_domain) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs(screen_domain) -+ fs_read_nfs_symlinks(screen_domain) -+') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..a01511f 100644 --- a/policy/modules/apps/seunshare.if @@ -11627,7 +11295,7 @@ index 3cfb128..d49274d 100644 + gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..546f5a5 100644 +index 2533ea0..7942965 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -26,12 +26,18 @@ attribute telepathy_executable; @@ -11675,18 +11343,30 @@ index 2533ea0..546f5a5 100644 corenet_all_recvfrom_netlabel(telepathy_gabble_t) corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -@@ -112,6 +130,10 @@ optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) +@@ -98,18 +116,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` + corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_gabble_t) +- fs_manage_nfs_files(telepathy_gabble_t) +-') ++userdom_home_manager(telepathy_gabble_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_gabble_t) +- fs_manage_cifs_files(telepathy_gabble_t) +optional_policy(` ++ dbus_system_bus_client(telepathy_gabble_t) + ') + + optional_policy(` +- dbus_system_bus_client(telepathy_gabble_t) + gnome_manage_home_config(telepathy_gabble_t) -+') -+ + ') + ####################################### - # - # Telepathy Idle local policy. -@@ -147,10 +169,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -147,10 +161,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; @@ -11700,19 +11380,26 @@ index 2533ea0..546f5a5 100644 files_read_etc_files(telepathy_logger_t) files_read_usr_files(telepathy_logger_t) -@@ -168,6 +193,11 @@ tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(telepathy_logger_t) - ') +@@ -158,14 +175,11 @@ files_search_pids(telepathy_logger_t) + + fs_getattr_all_fs(telepathy_logger_t) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_logger_t) +- fs_manage_nfs_files(telepathy_logger_t) +-') ++userdom_home_manager(telepathy_logger_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_logger_t) +- fs_manage_cifs_files(telepathy_logger_t) +optional_policy(` + # ~/.config/dconf/user + gnome_manage_home_config(telepathy_logger_t) -+') -+ + ') + ####################################### - # - # Telepathy Mission-Control local policy. -@@ -176,6 +206,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -176,6 +190,12 @@ tunable_policy(`use_samba_home_dirs',` manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) @@ -11725,10 +11412,15 @@ index 2533ea0..546f5a5 100644 dev_read_rand(telepathy_mission_control_t) -@@ -194,6 +230,26 @@ tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(telepathy_mission_control_t) - ') +@@ -184,14 +204,26 @@ fs_getattr_all_fs(telepathy_mission_control_t) + files_read_etc_files(telepathy_mission_control_t) + files_read_usr_files(telepathy_mission_control_t) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_mission_control_t) +- fs_manage_nfs_files(telepathy_mission_control_t) ++userdom_home_manager(telepathy_mission_control_t) ++ +optional_policy(` + dbus_system_bus_client(telepathy_mission_control_t) + @@ -11741,18 +11433,19 @@ index 2533ea0..546f5a5 100644 + optional_policy(` + networkmanager_dbus_chat(telepathy_mission_control_t) + ') -+') -+ + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_mission_control_t) +- fs_manage_cifs_files(telepathy_mission_control_t) +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) + gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) -+') -+ + ') + ####################################### - # - # Telepathy Butterfly and Haze local policy. -@@ -205,8 +261,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -11764,7 +11457,7 @@ index 2533ea0..546f5a5 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -228,6 +287,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) +@@ -228,6 +263,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) files_read_etc_files(telepathy_msn_t) files_read_usr_files(telepathy_msn_t) @@ -11773,7 +11466,7 @@ index 2533ea0..546f5a5 100644 libs_exec_ldconfig(telepathy_msn_t) logging_send_syslog_msg(telepathy_msn_t) -@@ -246,6 +307,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +283,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` @@ -11784,7 +11477,7 @@ index 2533ea0..546f5a5 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -361,14 +426,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; +@@ -361,14 +402,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; allow telepathy_domain self:tcp_socket create_socket_perms; allow telepathy_domain self:udp_socket create_socket_perms; @@ -11803,7 +11496,7 @@ index 2533ea0..546f5a5 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +443,23 @@ optional_policy(` +@@ -376,5 +419,23 @@ optional_policy(` ') optional_policy(` @@ -12014,11 +11707,34 @@ index 0000000..01584ce + gnome_read_generic_data_home_files(thumb_t) + gnome_manage_gstreamer_home_files(thumb_t) +') +diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te +index f50789e..9ba6da8 100644 +--- a/policy/modules/apps/thunderbird.te ++++ b/policy/modules/apps/thunderbird.te +@@ -114,17 +114,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) + xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) + + # Access ~/.thunderbird +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(thunderbird_t) +- fs_manage_nfs_files(thunderbird_t) +- fs_manage_nfs_symlinks(thunderbird_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(thunderbird_t) +- fs_manage_cifs_files(thunderbird_t) +- fs_manage_cifs_symlinks(thunderbird_t) +-') ++userdom_home_manager(thunderbird_t) + + tunable_policy(`mail_read_content && use_nfs_home_dirs',` + files_list_home(thunderbird_t) diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te -index 11fe4f2..98bfbf3 100644 +index 11fe4f2..38318b9 100644 --- a/policy/modules/apps/tvtime.te +++ b/policy/modules/apps/tvtime.te -@@ -73,7 +73,7 @@ fs_search_auto_mountpoints(tvtime_t) +@@ -73,20 +73,11 @@ fs_search_auto_mountpoints(tvtime_t) miscfiles_read_localization(tvtime_t) miscfiles_read_fonts(tvtime_t) @@ -12027,6 +11743,20 @@ index 11fe4f2..98bfbf3 100644 userdom_read_user_home_content_files(tvtime_t) # X access, Home files +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(tvtime_t) +- fs_manage_nfs_files(tvtime_t) +- fs_manage_nfs_symlinks(tvtime_t) +-') +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(tvtime_t) +- fs_manage_cifs_files(tvtime_t) +- fs_manage_cifs_symlinks(tvtime_t) +-') ++userdom_home_manager(tvtime_t) + + optional_policy(` + xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index d2ab7cb..ddb34f1 100644 --- a/policy/modules/apps/uml.if @@ -12554,7 +12284,7 @@ index be9246b..e3de8fa 100644 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te -index 8bfe97d..95a3d06 100644 +index 8bfe97d..356e2a1 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te @@ -15,6 +15,7 @@ ubac_constrained(wireshark_t) @@ -12583,17 +12313,29 @@ index 8bfe97d..95a3d06 100644 miscfiles_read_fonts(wireshark_t) miscfiles_read_localization(wireshark_t) -@@ -106,10 +109,6 @@ tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_symlinks(wireshark_t) - ') +@@ -94,21 +97,7 @@ sysnet_read_config(wireshark_t) + + userdom_manage_user_home_content_files(wireshark_t) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(wireshark_t) +- fs_manage_nfs_files(wireshark_t) +- fs_manage_nfs_symlinks(wireshark_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(wireshark_t) +- fs_manage_cifs_files(wireshark_t) +- fs_manage_cifs_symlinks(wireshark_t) +-') +- -optional_policy(` - nscd_socket_use(wireshark_t) -') -- ++userdom_home_manager(wireshark_t) + # Manual transition from userhelper optional_policy(` - userhelper_use_fd(wireshark_t) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if index b3efef7..50c1a74 100644 --- a/policy/modules/apps/wm.if @@ -12660,7 +12402,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..7bcafea 100644 +index 3fae11a..0b0896b 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -97,8 +97,6 @@ ifdef(`distro_redhat',` @@ -12830,7 +12572,7 @@ index 3fae11a..7bcafea 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,6 +295,7 @@ ifdef(`distro_gentoo',` +@@ -286,15 +295,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -12838,9 +12580,10 @@ index 3fae11a..7bcafea 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -293,8 +303,10 @@ ifdef(`distro_gentoo',` + /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) +/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12850,7 +12593,7 @@ index 3fae11a..7bcafea 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +318,11 @@ ifdef(`distro_redhat', ` +@@ -306,10 +319,11 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -12864,7 +12607,7 @@ index 3fae11a..7bcafea 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +332,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +333,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12876,7 +12619,7 @@ index 3fae11a..7bcafea 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,7 +378,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +379,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -12885,7 +12628,7 @@ index 3fae11a..7bcafea 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +390,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +391,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12896,7 +12639,7 @@ index 3fae11a..7bcafea 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +401,4 @@ ifdef(`distro_suse', ` +@@ -385,3 +402,4 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -12972,19 +12715,6 @@ index 9e9263a..650e796 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te -index 23a1c3c..9527971 100644 ---- a/policy/modules/kernel/corecommands.te -+++ b/policy/modules/kernel/corecommands.te -@@ -13,7 +13,7 @@ attribute exec_type; - # - # bin_t is the type of files in the system bin/sbin directories. - # --type bin_t alias { ls_exec_t sbin_t }; -+type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t }; - corecmd_executable_file(bin_t) - dev_associate(bin_t) #For /dev/MAKEDEV - diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 4f3b542..cf422f4 100644 --- a/policy/modules/kernel/corenetwork.if.in @@ -14147,7 +13877,7 @@ index 4f3b542..cf422f4 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..1541989 100644 +index 99b71cb..9c48de6 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14287,7 +14017,7 @@ index 99b71cb..1541989 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +172,25 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -14311,12 +14041,13 @@ index 99b71cb..1541989 100644 +network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) ++network_port(mongod, tcp,27017,s0) network_port(monopd, tcp,1234,s0) +network_port(movaz_ssc, tcp,5252,s0) network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +200,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -14349,7 +14080,7 @@ index 99b71cb..1541989 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,30 +237,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,30 +238,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) @@ -14389,7 +14120,7 @@ index 99b71cb..1541989 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -215,9 +278,11 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +279,11 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14402,7 +14133,7 @@ index 99b71cb..1541989 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +294,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +295,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14410,7 +14141,7 @@ index 99b71cb..1541989 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +304,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +305,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14423,7 +14154,7 @@ index 99b71cb..1541989 100644 ######################################## # -@@ -282,9 +354,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +355,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -14487,7 +14218,7 @@ index 35fed4f..51ad69a 100644 # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 6cf8784..12bd6fc 100644 +index 6cf8784..b48524e 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,11 +15,13 @@ @@ -14515,7 +14246,7 @@ index 6cf8784..12bd6fc 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -126,6 +130,7 @@ ifdef(`distro_suse', ` +@@ -126,12 +130,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -14523,7 +14254,14 @@ index 6cf8784..12bd6fc 100644 /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) -@@ -187,8 +192,6 @@ ifdef(`distro_suse', ` + + /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + ++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + +@@ -187,8 +193,6 @@ ifdef(`distro_suse', ` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -14532,7 +14270,7 @@ index 6cf8784..12bd6fc 100644 ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -@@ -196,3 +199,8 @@ ifdef(`distro_redhat',` +@@ -196,3 +200,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -18493,7 +18231,7 @@ index 22821ff..20251b0 100644 ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..e5652a1 100644 +index 97fcdac..6342520 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18739,7 +18477,32 @@ index 97fcdac..e5652a1 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2025,6 +2167,24 @@ interface(`fs_read_fusefs_symlinks',` + + ######################################## + ## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## + ## Get the attributes of an hugetlbfs + ## filesystem. + ## +@@ -2080,6 +2240,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -18764,7 +18527,7 @@ index 97fcdac..e5652a1 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',` +@@ -2148,6 +2326,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -18772,7 +18535,7 @@ index 97fcdac..e5652a1 100644 ') ######################################## -@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',` +@@ -2480,6 +2659,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -18780,7 +18543,7 @@ index 97fcdac..e5652a1 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',` +@@ -2518,6 +2698,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -18788,7 +18551,7 @@ index 97fcdac..e5652a1 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',` +@@ -2544,6 +2725,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -18814,7 +18577,7 @@ index 97fcdac..e5652a1 100644 ## Append files ## on a NFS filesystem. ## -@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2584,6 +2784,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -18857,7 +18620,7 @@ index 97fcdac..e5652a1 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2598,7 +2834,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -18866,7 +18629,7 @@ index 97fcdac..e5652a1 100644 ') ######################################## -@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',` +@@ -2736,7 +2972,7 @@ interface(`fs_search_removable',` ## ## ## @@ -18875,7 +18638,7 @@ index 97fcdac..e5652a1 100644 ## ## # -@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',` +@@ -2772,7 +3008,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -18884,7 +18647,7 @@ index 97fcdac..e5652a1 100644 ## ## # -@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2965,6 +3201,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -18892,7 +18655,7 @@ index 97fcdac..e5652a1 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',` +@@ -3005,6 +3242,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -18900,7 +18663,7 @@ index 97fcdac..e5652a1 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3045,6 +3283,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -18908,7 +18671,7 @@ index 97fcdac..e5652a1 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3958,6 +4197,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -18951,7 +18714,7 @@ index 97fcdac..e5652a1 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4450,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -18976,7 +18739,7 @@ index 97fcdac..e5652a1 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4251,6 +4526,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4251,6 +4544,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -19002,7 +18765,7 @@ index 97fcdac..e5652a1 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4457,6 +4751,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4769,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19011,7 +18774,7 @@ index 97fcdac..e5652a1 100644 ') ######################################## -@@ -4503,7 +4799,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4817,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -19020,7 +18783,7 @@ index 97fcdac..e5652a1 100644 ## Example attributes: ##

##