diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4f732cf..e134722 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2965,7 +2965,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..4d8e35b 100644
+index 644d4d7..5be2ae6 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3226,7 +3226,7 @@ index 644d4d7..4d8e35b 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,8 +381,12 @@ ifdef(`distro_redhat', `
+@@ -321,20 +381,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3239,7 +3239,10 @@ index 644d4d7..4d8e35b 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -332,9 +396,12 @@ ifdef(`distro_redhat', `
+ /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
++#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
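Review bot: The new side turns the `/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)` entry into a `#`-commented copy of itself, which leaves dead text in corecommands.fc with no indication of why the label was withdrawn. If the entry is obsolete, deleting the line is cleaner; if it is meant to stay as a breadcrumb, a short comment such as `# authconfig.py no longer labelled bin_t: <reason>` (reason to be filled in by the author) should accompany it. Note that without the rule an existing authconfig.py inherits the parent /usr/share label rather than bin_t, so which domains may execute it changes; presumably intended, but it belongs in the patch description.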
@@ -4962,7 +4965,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..030b246 100644
+index 4edc40d..49513c7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5224,9 +5227,12 @@ index 4edc40d..030b246 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,6 +300,7 @@ network_port(telnetd, tcp,23,s0)
+@@ -257,8 +298,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+ network_port(tcs, tcp, 30003, s0)
+ network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
- network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+-network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
++network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0)
network_port(traceroute, udp,64000-64010,s0)
+network_port(tram, tcp, 4567, s0)
network_port(transproxy, tcp,8081,s0)
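Review bot: The tor port definition gains `tcp,9150,s0` with no comment, so a reader has to know why a second SOCKS-looking port joins the list (presumably the port Tor Browser's bundled tor listens on, alongside the system tor's 9050). Since corenetwork.te.in is the single source for port labels and every domain allowed `tor_port_t` gains the new port, a trailing comment in the style of the `# no defined portcon` remark on the stunnel line, e.g. `# 9150: Tor Browser SOCKS`, would document the reason next to the entry.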
@@ -7428,7 +7434,7 @@ index 6529bd9..cfec99c 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..258c7cc 100644
+index 6a1e4d1..adafd25 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -7537,12 +7543,14 @@ index 6a1e4d1..258c7cc 100644
## Relabel to and from all entry point
## file types.
##
-@@ -1530,4 +1543,25 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1543,27 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
+
+ mcs_process_set_categories($1)
++
++ userdom_filetrans_home_content($1)
+')
+
+########################################
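Review bot: `userdom_filetrans_home_content($1)` is added unconditionally inside `domain_unconfined` (the interface begins before this hunk), while the domain.te hunks ending at L104, L119, L130, L138 and L160 drop the per-module `auth_/gpg_/irc_/mozilla_/pulseaudio_/thumb_/virt_filetrans_home_content` calls and the ssh.te and xserver.te hunks ending at L612, L620, L755, L771 and L788 drop the `userdom_*_home_dir_filetrans` calls for ssh_t, ssh_server, iceauth_t, xauth_t and xdm_t. The refactor preserves labelling only if `userdom_filetrans_home_content`, whose definition is not in this diff, already carries all of those name-based transitions; any one left out means files such as a fresh ~/.ssh or ~/.Xauthority are created as generic user home content and the module-specific `*_home_t` rules stop applying to them. A comment on the added line stating that dependency, e.g. `# name-based home-dir transitions for all modules are collected in userdom_filetrans_home_content`, would make the contract explicit for the next person who adds a `*_filetrans_home_content` interface.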
@@ -7564,7 +7572,7 @@ index 6a1e4d1..258c7cc 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..3980a24 100644
+index cf04cb5..8601a3e 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7690,7 +7698,7 @@ index cf04cb5..3980a24 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -7724,7 +7732,6 @@ index cf04cb5..3980a24 100644
+optional_policy(`
+ auth_filetrans_named_content(unconfined_domain_type)
+ auth_filetrans_admin_home_content(unconfined_domain_type)
-+ auth_filetrans_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
@@ -7768,14 +7775,6 @@ index cf04cb5..3980a24 100644
+')
+
+optional_policy(`
-+ gpg_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ irc_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
+ kerberos_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -7788,10 +7787,6 @@ index cf04cb5..3980a24 100644
+')
+
+optional_policy(`
-+ mozilla_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
+ mysql_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -7820,7 +7815,6 @@ index cf04cb5..3980a24 100644
+')
+
+optional_policy(`
-+ pulseaudio_filetrans_home_content(unconfined_domain_type)
+ pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
+')
+
@@ -7844,21 +7838,15 @@ index cf04cb5..3980a24 100644
+')
+
+optional_policy(`
-+ thumb_filetrans_home_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
+ tftp_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
-+ userdom_filetrans_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
+ virt_filetrans_named_content(unconfined_domain_type)
-+ virt_filetrans_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
@@ -10818,7 +10806,7 @@ index 148d87a..822f6be 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..91d1e25 100644
+index cda5588..91a633a 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1,3 +1,7 @@
@@ -10829,7 +10817,7 @@ index cda5588..91d1e25 100644
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/cgroup/.* <>
-@@ -14,3 +18,8 @@
+@@ -14,3 +18,10 @@
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <>
@@ -10838,6 +10826,8 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/hugepages/.* <>
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <>
++/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
++/var/run/[^/]*/gvfs/.* <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..60b2ce1 100644
--- a/policy/modules/kernel/filesystem.if
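Review bot: The new `/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)` entry matches a `gvfs` directory under any single path component of /var/run, not only per-user runtime directories, and it is written against /var/run while the runtime directory on systemd systems lives at /run; whether an equivalence rule makes the pattern apply there is not visible in this diff. A comment stating the intent, e.g. `# gvfs FUSE mount point inside the per-user runtime directory (presumably /run/user/<uid>/gvfs)`, would let a reviewer check the pattern against the real path, and tightening `[^/]*` to the uid component it is meant for would avoid labelling unrelated directories that happen to contain a gvfs subdirectory.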
@@ -17073,10 +17063,10 @@ index a26f84f..947af6c 100644
-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 9d2f311..c8a2637 100644
+index 9d2f311..9e87525 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
-@@ -10,7 +10,7 @@
+@@ -10,90 +10,21 @@
##
##
##
@@ -17085,10 +17075,49 @@ index 9d2f311..c8a2637 100644
## The type of the user domain.
##
##
-@@ -54,15 +54,6 @@ interface(`postgresql_role',`
- # Client local policy
- #
-
+ #
+ interface(`postgresql_role',`
+ gen_require(`
+- class db_database all_db_database_perms;
+- class db_schema all_db_schema_perms;
+- class db_table all_db_table_perms;
+- class db_sequence all_db_sequence_perms;
+- class db_view all_db_view_perms;
+- class db_procedure all_db_procedure_perms;
+- class db_language all_db_language_perms;
+- class db_column all_db_column_perms;
+- class db_tuple all_db_tuple_perms;
+- class db_blob all_db_blob_perms;
+-
+- attribute sepgsql_client_type, sepgsql_database_type;
+- attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
+-
+- type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+- type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t;
+- type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
+- type user_sepgsql_schema_t, user_sepgsql_seq_t;
+- type user_sepgsql_sysobj_t, user_sepgsql_table_t;
+- type user_sepgsql_view_t;
+- type sepgsql_temp_object_t;
++ attribute sepgsql_client_type;
++ type sepgsql_trusted_proc_t;
++ type sepgsql_ranged_proc_t;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+ typeattribute $2 sepgsql_client_type;
+ role $1 types sepgsql_trusted_proc_t;
+ role $1 types sepgsql_ranged_proc_t;
+-
+- ##############################
+- #
+- # Client local policy
+- #
+-
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
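Review bot: `postgresql_role` now keeps only `typeattribute $2 sepgsql_client_type` and the two `role` statements, and the hunks ending at L311, L441 and L543 move every user_sepgsql_* allow and type_transition rule onto the `sepgsql_client_type` attribute in postgresql.te while deleting the unpriv_sepgsql_* rules from `postgresql_unpriv_client` without a replacement. The practical effect is that a domain added through `postgresql_unpriv_client` now receives exactly the database access a full `postgresql_role` user gets, and the unpriv_sepgsql_* types, if they are still declared elsewhere in postgresql.te, are no longer reachable from any interface. If collapsing the two client tiers is intended, the interface descriptions should say so, e.g. on `postgresql_unpriv_client`: `## Equivalent to the client half of postgresql_role; all sepgsql_client_type rules live in postgresql.te.`; if not, the unpriv rules need to return under a separate attribute rather than be dropped.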
@@ -17098,27 +17127,41 @@ index 9d2f311..c8a2637 100644
- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
- ')
-
- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
- type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
-@@ -94,6 +85,16 @@ interface(`postgresql_role',`
-
- allow $2 sepgsql_trusted_proc_t:process transition;
- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-+
-+ tunable_policy(`sepgsql_enable_users_ddl',`
-+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
-+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-+ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
-+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-+ ')
+-
+- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+- type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+- type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
+-
+- allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock };
+- allow $2 user_sepgsql_table_t:db_column { getattr select update insert };
+- allow $2 user_sepgsql_table_t:db_tuple { select update insert delete };
+- type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
+-
+- allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
+- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
+-
+- allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
+- type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
+-
+- allow $2 user_sepgsql_view_t:db_view { getattr expand };
+- type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
+-
+- allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+- type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+-
+- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+- type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+-
+- allow $2 sepgsql_ranged_proc_t:process transition;
+- type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+- allow sepgsql_ranged_proc_t $2:process dyntransition;
+-
+- allow $2 sepgsql_trusted_proc_t:process transition;
+- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
')
########################################
-@@ -312,7 +313,7 @@ interface(`postgresql_search_db',`
+@@ -312,7 +243,7 @@ interface(`postgresql_search_db',`
type postgresql_db_t;
')
@@ -17127,7 +17170,7 @@ index 9d2f311..c8a2637 100644
')
########################################
-@@ -324,14 +325,16 @@ interface(`postgresql_search_db',`
+@@ -324,14 +255,16 @@ interface(`postgresql_search_db',`
## Domain allowed access.
##
##
@@ -17147,7 +17190,7 @@ index 9d2f311..c8a2637 100644
')
########################################
-@@ -354,6 +357,24 @@ interface(`postgresql_domtrans',`
+@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',`
######################################
##
@@ -17172,7 +17215,7 @@ index 9d2f311..c8a2637 100644
## Allow domain to signal postgresql
##
##
-@@ -421,7 +442,6 @@ interface(`postgresql_tcp_connect',`
+@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',`
## Domain allowed access.
##
##
@@ -17180,7 +17223,7 @@ index 9d2f311..c8a2637 100644
#
interface(`postgresql_stream_connect',`
gen_require(`
-@@ -432,6 +452,7 @@ interface(`postgresql_stream_connect',`
+@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',`
files_search_pids($1)
files_search_tmp($1)
@@ -17188,15 +17231,91 @@ index 9d2f311..c8a2637 100644
')
########################################
-@@ -514,7 +535,6 @@ interface(`postgresql_unpriv_client',`
- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
-
+@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',`
+ #
+ interface(`postgresql_unpriv_client',`
+ gen_require(`
+- class db_database all_db_database_perms;
+- class db_schema all_db_schema_perms;
+- class db_table all_db_table_perms;
+- class db_sequence all_db_sequence_perms;
+- class db_view all_db_view_perms;
+- class db_procedure all_db_procedure_perms;
+- class db_language all_db_language_perms;
+- class db_column all_db_column_perms;
+- class db_tuple all_db_tuple_perms;
+- class db_blob all_db_blob_perms;
+-
+ attribute sepgsql_client_type;
+- attribute sepgsql_database_type, sepgsql_schema_type;
+- attribute sepgsql_sysobj_table_type;
+-
+- type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t;
+- type sepgsql_temp_object_t;
+- type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+- type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+- type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
+- type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
+- type unpriv_sepgsql_view_t;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+ typeattribute $1 sepgsql_client_type;
+-
+- ########################################
+- #
+- # Client local policy
+- #
+-
+- type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+- allow $1 sepgsql_ranged_proc_t:process transition;
+- allow sepgsql_ranged_proc_t $1:process dyntransition;
+-
+- type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+- allow $1 sepgsql_trusted_proc_t:process transition;
+-
+- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+- type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
+-
+- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
+- type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
+-
+- allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
+- type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+- type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
-
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-@@ -547,6 +567,29 @@ interface(`postgresql_unconfined',`
+- allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock };
+- allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert };
+- allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete };
+- type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
+-
+- allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
+- type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
+-
+- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+- type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+-
+- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
+- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+-
+-
+- tunable_policy(`sepgsql_enable_users_ddl',`
+- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+- allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
+- allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
+- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+- ')
+ ')
+
+ ########################################
+@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',`
########################################
##
@@ -17226,7 +17345,7 @@ index 9d2f311..c8a2637 100644
## All of the rules required to administrate an postgresql environment
##
##
-@@ -563,35 +606,41 @@ interface(`postgresql_unconfined',`
+@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
@@ -17277,7 +17396,7 @@ index 9d2f311..c8a2637 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..59ee2a5 100644
+index 346d011..d84cfd8 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -17290,15 +17409,15 @@ index 346d011..59ee2a5 100644
+##
+## Allow postgresql to use ssh and rsync for point-in-time recovery
+##
-+##
+ ##
+-gen_tunable(sepgsql_enable_users_ddl, false)
+gen_tunable(postgresql_can_rsync, false)
+
+##
+##
+## Allow unprivileged users to execute DDL statement
+##
- ##
--gen_tunable(sepgsql_enable_users_ddl, false)
++##
+gen_tunable(postgresql_selinux_users_ddl, true)
##
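Review bot: The boolean is renamed from `sepgsql_enable_users_ddl` to `postgresql_selinux_users_ddl` and its default flips from `false` to `true` in the same line, so DDL for database clients becomes on by default and any system that had explicitly set the old boolean silently loses that setting because the name no longer exists. The description `## Allow unprivileged users to execute DDL statement` is also narrower than what it guards, since the hunk ending at L543 applies the rules to every `sepgsql_client_type` domain; `## Allow database clients (sepgsql_client_type) to execute DDL statements; enabled by default` would describe it accurately. The default change deserves a sentence in the commit message, as it widens what a connecting client may do until an administrator turns the boolean off.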
@@ -17386,16 +17505,64 @@ index 346d011..59ee2a5 100644
allow postgresql_t self:process execmem;
')
-@@ -488,7 +494,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
- # Note that permission of creation/deletion are eventually controlled by
- # create or drop permission of individual objects within shared schemas.
- # So, it just allows to create/drop user specific types.
+@@ -485,10 +491,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+ # It is always allowed to operate temporary objects for any database client.
+ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+
+-# Note that permission of creation/deletion are eventually controlled by
+-# create or drop permission of individual objects within shared schemas.
+-# So, it just allows to create/drop user specific types.
-tunable_policy(`sepgsql_enable_users_ddl',`
++##############################
++#
++# Client local policy
++#
++allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
++type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t;
++type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
++
++allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock };
++allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert };
++allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete };
++type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t;
++
++allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { use select };
++type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
++
++allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
++type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
++
++allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand };
++type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t;
++
++allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute };
++type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
++
++allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
++type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t;
++
++allow sepgsql_client_type sepgsql_ranged_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
++allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition;
++
++allow sepgsql_client_type sepgsql_trusted_proc_t:process transition;
++type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++
+tunable_policy(`postgresql_selinux_users_ddl',`
++ allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete };
++ allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++ allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr };
++ allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
++ # Note that permission of creation/deletion are eventually controlled by
++ # create or drop permission of individual objects within shared schemas.
++ # So, it just allows to create/drop user specific types.
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
-@@ -536,7 +542,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +584,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@@ -17404,7 +17571,7 @@ index 346d011..59ee2a5 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +595,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +637,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -18086,10 +18253,10 @@ index fe0c682..da12170 100644
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..386c48c 100644
+index 5fc0391..8d190be 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
-@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
+@@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3)
#
##
@@ -18126,6 +18293,7 @@ index 5fc0391..386c48c 100644
+ssh_dyntransition_domain_template(chroot_user_t)
+ssh_dyntransition_domain_template(sshd_sandbox_t)
++ssh_dyntransition_domain_template(sshd_net_t)
+
type ssh_keygen_t;
type ssh_keygen_exec_t;
@@ -18156,7 +18324,7 @@ index 5fc0391..386c48c 100644
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -73,6 +80,11 @@ type ssh_home_t;
+@@ -73,6 +81,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
@@ -18168,7 +18336,7 @@ index 5fc0391..386c48c 100644
##############################
#
-@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +96,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -18176,7 +18344,7 @@ index 5fc0391..386c48c 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +104,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -18193,14 +18361,14 @@ index 5fc0391..386c48c 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -108,32 +117,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +117,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
- userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+userdom_read_all_users_keys(ssh_t)
+userdom_stream_connect(ssh_t)
+userdom_search_admin_dir(sshd_t)
-+userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
@@ -18218,8 +18386,6 @@ index 5fc0391..386c48c 100644
-read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-+userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
-+userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
@@ -18240,7 +18406,7 @@ index 5fc0391..386c48c 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t)
+@@ -156,38 +172,42 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
@@ -18302,7 +18468,7 @@ index 5fc0391..386c48c 100644
')
optional_policy(`
-@@ -195,6 +218,7 @@ optional_policy(`
+@@ -195,6 +215,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -18310,7 +18476,7 @@ index 5fc0391..386c48c 100644
##############################
#
# ssh_keysign_t local policy
-@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +227,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -18318,7 +18484,7 @@ index 5fc0391..386c48c 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +248,50 @@ optional_policy(`
+@@ -223,33 +245,50 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -18378,7 +18544,7 @@ index 5fc0391..386c48c 100644
')
optional_policy(`
-@@ -257,11 +299,24 @@ optional_policy(`
+@@ -257,11 +296,24 @@ optional_policy(`
')
optional_policy(`
@@ -18404,7 +18570,7 @@ index 5fc0391..386c48c 100644
')
optional_policy(`
-@@ -269,6 +324,10 @@ optional_policy(`
+@@ -269,6 +321,10 @@ optional_policy(`
')
optional_policy(`
@@ -18415,7 +18581,7 @@ index 5fc0391..386c48c 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,6 +338,32 @@ optional_policy(`
+@@ -279,6 +335,32 @@ optional_policy(`
')
optional_policy(`
@@ -18448,7 +18614,7 @@ index 5fc0391..386c48c 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -286,6 +371,29 @@ optional_policy(`
+@@ -286,6 +368,29 @@ optional_policy(`
xserver_domtrans_xauth(sshd_t)
')
@@ -18478,7 +18644,7 @@ index 5fc0391..386c48c 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +402,26 @@ optional_policy(`
+@@ -294,19 +399,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -18506,7 +18672,7 @@ index 5fc0391..386c48c 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +438,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +435,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -18519,7 +18685,7 @@ index 5fc0391..386c48c 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +452,123 @@ optional_policy(`
+@@ -331,3 +449,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -18549,6 +18715,20 @@ index 5fc0391..386c48c 100644
+
+logging_send_audit_msgs(sshd_sandbox_t)
+
++#####################################
++#
++# sshd [net] child local policy
++#
++
++allow sshd_t sshd_net_t:process signal;
++
++allow sshd_net_t self:process setrlimit;
++
++init_ioctl_stream_sockets(sshd_net_t)
++
++logging_send_audit_msgs(sshd_net_t)
++
++
+######################################
+#
+# chroot_user_t local policy
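Review bot: The new `sshd [net] child local policy` block grants sshd_net_t only `self:process setrlimit`, `init_ioctl_stream_sockets` and audit messages, plus `sshd_t sshd_net_t:process signal`, so everything else the child needs must come from `ssh_dyntransition_domain_template(sshd_net_t)` in the hunk ending at L569, whose body is not in this diff. A one-line comment under the section header, e.g. `# sshd_net_t is presumably the privilege-separated network child sshd dyntransitions into; its base rules come from ssh_dyntransition_domain_template`, would save the next reader that lookup and record what the domain is for. As a point of style, the block ends with two blank lines before the chroot_user_t section where the neighbouring sections use one.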
@@ -18571,10 +18751,11 @@ index 5fc0391..386c48c 100644
+
+tunable_policy(`ssh_chroot_rw_homedirs',`
+ files_list_home(chroot_user_t)
-+ userdom_manage_user_home_content(chroot_user_t)
-+', `
-+
-+ userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file })
++ userdom_manage_user_home_content_files(chroot_user_t)
++ userdom_manage_user_home_content_symlinks(chroot_user_t)
++ userdom_manage_user_home_content_pipes(chroot_user_t)
++ userdom_manage_user_home_content_sockets(chroot_user_t)
++ userdom_manage_user_home_content_dirs(chroot_user_t)
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
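Review bot: The `ssh_chroot_rw_homedirs` block replaces the single `userdom_manage_user_home_content(chroot_user_t)` call with five `userdom_manage_user_home_content_{files,symlinks,pipes,sockets,dirs}` calls and drops the else branch that applied `userdom_user_home_dir_filetrans_pattern`, so with the boolean off chroot_user_t now gets nothing from this block at all. Whether the five calls cover exactly what the aggregate interface did cannot be checked from this diff; if the aggregate also granted something beyond those five object classes, the chroot user's access narrows here without a note. A comment on the tunable stating the intended scope, e.g. `# with the boolean off the chroot user gets no home-directory write access from this module`, would make the new behaviour explicit.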
@@ -20177,7 +20358,7 @@ index 6bf0ecc..8a8ed32 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..5a2bd5f 100644
+index 2696452..2964047 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -20373,7 +20554,11 @@ index 2696452..5a2bd5f 100644
userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
-@@ -229,17 +280,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -225,21 +276,33 @@ optional_policy(`
+ #
+
+ allow iceauth_t iceauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -20412,7 +20597,7 @@ index 2696452..5a2bd5f 100644
')
########################################
-@@ -247,48 +311,85 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +310,83 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -20428,8 +20613,7 @@ index 2696452..5a2bd5f 100644
+corenet_tcp_connect_xserver_port(xauth_t)
allow xauth_t xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
-+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
+-userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+
+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
@@ -20508,7 +20692,7 @@ index 2696452..5a2bd5f 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +400,108 @@ optional_policy(`
+@@ -299,64 +397,106 @@ optional_policy(`
# XDM Local policy
#
@@ -20544,8 +20728,6 @@ index 2696452..5a2bd5f 100644
+
+manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
-+userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, file)
+xserver_filetrans_home_content(xdm_t)
+xserver_filetrans_admin_home_content(xdm_t)
+
@@ -20627,7 +20809,7 @@ index 2696452..5a2bd5f 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +510,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +505,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -20657,7 +20839,7 @@ index 2696452..5a2bd5f 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +540,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -20710,7 +20892,7 @@ index 2696452..5a2bd5f 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +592,26 @@ files_list_mnt(xdm_t)
+@@ -430,9 +587,26 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -20737,7 +20919,7 @@ index 2696452..5a2bd5f 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +615,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -20781,7 +20963,7 @@ index 2696452..5a2bd5f 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +657,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -20831,7 +21013,7 @@ index 2696452..5a2bd5f 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +707,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -20858,7 +21040,7 @@ index 2696452..5a2bd5f 100644
')
optional_policy(`
-@@ -514,12 +739,72 @@ optional_policy(`
+@@ -514,12 +734,72 @@ optional_policy(`
')
optional_policy(`
@@ -20931,7 +21113,7 @@ index 2696452..5a2bd5f 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +822,78 @@ optional_policy(`
+@@ -537,28 +817,78 @@ optional_policy(`
')
optional_policy(`
@@ -21019,7 +21201,7 @@ index 2696452..5a2bd5f 100644
')
optional_policy(`
-@@ -570,6 +905,14 @@ optional_policy(`
+@@ -570,6 +900,14 @@ optional_policy(`
')
optional_policy(`
@@ -21034,7 +21216,7 @@ index 2696452..5a2bd5f 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +932,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -21047,7 +21229,7 @@ index 2696452..5a2bd5f 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +949,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -21063,7 +21245,7 @@ index 2696452..5a2bd5f 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +976,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -21085,7 +21267,7 @@ index 2696452..5a2bd5f 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +996,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -21099,7 +21281,7 @@ index 2696452..5a2bd5f 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1027,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1022,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -21130,7 +21312,7 @@ index 2696452..5a2bd5f 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1058,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1053,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -21144,7 +21326,7 @@ index 2696452..5a2bd5f 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1077,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1072,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -21168,7 +21350,7 @@ index 2696452..5a2bd5f 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1096,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1091,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -21177,7 +21359,7 @@ index 2696452..5a2bd5f 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1140,44 @@ optional_policy(`
+@@ -775,16 +1135,44 @@ optional_policy(`
')
optional_policy(`
@@ -21223,7 +21405,7 @@ index 2696452..5a2bd5f 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1186,10 @@ optional_policy(`
+@@ -793,6 +1181,10 @@ optional_policy(`
')
optional_policy(`
@@ -21234,7 +21416,7 @@ index 2696452..5a2bd5f 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1205,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -21248,7 +21430,7 @@ index 2696452..5a2bd5f 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1216,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -21257,7 +21439,7 @@ index 2696452..5a2bd5f 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1229,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1224,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -21292,7 +21474,7 @@ index 2696452..5a2bd5f 100644
')
optional_policy(`
-@@ -902,7 +1294,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -21301,7 +21483,7 @@ index 2696452..5a2bd5f 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1348,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -21333,7 +21515,7 @@ index 2696452..5a2bd5f 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1394,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -28471,7 +28653,7 @@ index 9fe8e01..d5fe55a 100644
/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..e102068 100644
+index fc28bc3..2f33076 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -28534,7 +28716,7 @@ index fc28bc3..e102068 100644
')
########################################
-@@ -554,6 +577,10 @@ interface(`miscfiles_delete_man_pages',`
+@@ -554,6 +577,29 @@ interface(`miscfiles_delete_man_pages',`
delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
@@ -28542,10 +28724,29 @@ index fc28bc3..e102068 100644
+ mandb_setattr_cache_dirs($1)
+ mandb_delete_cache($1)
+ ')
++')
++#######################################
++##
++## Create, read, write, and delete man pages
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_setattr_man_pages',`
++ gen_require(`
++ type man_t;
++ ')
++
++ files_search_usr($1)
++
++ allow $1 man_t:dir setattr;
')
########################################
-@@ -622,6 +649,30 @@ interface(`miscfiles_manage_man_cache',`
+@@ -622,6 +668,30 @@ interface(`miscfiles_manage_man_cache',`
########################################
##
@@ -28576,7 +28777,7 @@ index fc28bc3..e102068 100644
## Read public files used for file
## transfer services.
##
-@@ -784,8 +835,11 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +854,11 @@ interface(`miscfiles_etc_filetrans_localization',`
type locale_t;
')
@@ -28590,7 +28791,7 @@ index fc28bc3..e102068 100644
')
########################################
-@@ -809,3 +863,60 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@@ -31994,10 +32195,10 @@ index 0000000..595f756
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..778b99b
+index 0000000..2961157
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1043 @@
+@@ -0,0 +1,1042 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -33040,13 +33241,12 @@ index 0000000..778b99b
+ allow systemd_hostnamed_t $1:dbus send_msg;
+ ps_process_pattern(systemd_hostnamed_t, $1)
+')
-+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..913fc52
+index 0000000..ac0a395
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,620 @@
+@@ -0,0 +1,624 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -33528,6 +33728,8 @@ index 0000000..913fc52
+miscfiles_manage_localization(systemd_localed_t)
+miscfiles_etc_filetrans_localization(systemd_localed_t)
+
++userdom_dbus_send_all_users(systemd_localed_t)
++
+optional_policy(`
+ dbus_connect_system_bus(systemd_localed_t)
+ dbus_system_bus_client(systemd_localed_t)
@@ -33552,6 +33754,8 @@ index 0000000..913fc52
+init_read_state(systemd_hostnamed_t)
+init_stream_connect(systemd_hostnamed_t)
+
++logging_send_syslog_msg(systemd_hostnamed_t)
++
+optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
@@ -35038,7 +35242,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..c270e54 100644
+index 3c5dba7..6c2548e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -35054,7 +35258,7 @@ index 3c5dba7..c270e54 100644
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
-@@ -44,79 +46,133 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -35206,7 +35410,6 @@ index 3c5dba7..c270e54 100644
+ miscfiles_read_public_files($1_usertype)
- tunable_policy(`allow_execmem',`
-+ systemd_dbus_chat_hostnamed($1_usertype)
+ systemd_dbus_chat_logind($1_usertype)
+ systemd_read_logind_sessions_files($1_usertype)
+ systemd_write_inhibit_pipes($1_usertype)
@@ -35240,7 +35443,7 @@ index 3c5dba7..c270e54 100644
')
#######################################
-@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -35249,7 +35452,7 @@ index 3c5dba7..c270e54 100644
##############################
#
# Domain access to home dir
-@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -35277,7 +35480,7 @@ index 3c5dba7..c270e54 100644
')
#######################################
-@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -35289,7 +35492,7 @@ index 3c5dba7..c270e54 100644
##############################
#
# Domain access to home dir
-@@ -229,43 +269,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +268,46 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -35305,6 +35508,7 @@ index 3c5dba7..c270e54 100644
- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+
+ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
+ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
@@ -35318,7 +35522,6 @@ index 3c5dba7..c270e54 100644
+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ userdom_filetrans_home_content($2)
+
files_list_home($2)
@@ -35353,7 +35556,7 @@ index 3c5dba7..c270e54 100644
')
')
-@@ -273,6 +317,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',`
##
## Manage user temporary files
##
@@ -35379,7 +35582,7 @@ index 3c5dba7..c270e54 100644
##
##
## Role allowed access.
-@@ -287,17 +350,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
@@ -35449,7 +35652,7 @@ index 3c5dba7..c270e54 100644
')
#######################################
-@@ -317,11 +427,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -35481,7 +35684,7 @@ index 3c5dba7..c270e54 100644
## Role access for the user tmpfs type
## that the user has full access.
##
-@@ -348,59 +478,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
@@ -35572,7 +35775,7 @@ index 3c5dba7..c270e54 100644
')
#######################################
-@@ -431,6 +562,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -35580,7 +35783,7 @@ index 3c5dba7..c270e54 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -463,8 +595,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +593,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -35591,7 +35794,7 @@ index 3c5dba7..c270e54 100644
')
')
-@@ -491,7 +623,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +621,8 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -35601,7 +35804,7 @@ index 3c5dba7..c270e54 100644
##############################
#
-@@ -501,41 +634,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -35676,7 +35879,7 @@ index 3c5dba7..c270e54 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +689,121 @@ template(`userdom_common_user_template',`
+@@ -546,93 +687,120 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -35692,7 +35895,6 @@ index 3c5dba7..c270e54 100644
+ auth_run_pam_timestamp($1_t,$1_r)
+ auth_run_utempter($1_t,$1_r)
+ auth_filetrans_admin_home_content($1_t)
-+ auth_filetrans_home_content($1_t)
- init_read_utmp($1_t)
+ init_read_utmp($1_usertype)
@@ -35836,7 +36038,7 @@ index 3c5dba7..c270e54 100644
')
optional_policy(`
-@@ -646,19 +817,17 @@ template(`userdom_common_user_template',`
+@@ -646,19 +814,16 @@ template(`userdom_common_user_template',`
# for running depmod as part of the kernel packaging process
optional_policy(`
@@ -35848,7 +36050,6 @@ index 3c5dba7..c270e54 100644
- mta_rw_spool($1_t)
+ mta_rw_spool($1_usertype)
+ mta_manage_queue($1_usertype)
-+ mta_filetrans_home_content($1_usertype)
')
optional_policy(`
@@ -35861,7 +36062,7 @@ index 3c5dba7..c270e54 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +840,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +836,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -35870,7 +36071,7 @@ index 3c5dba7..c270e54 100644
')
optional_policy(`
-@@ -680,9 +849,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +845,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -35883,7 +36084,7 @@ index 3c5dba7..c270e54 100644
')
')
-@@ -693,32 +862,36 @@ template(`userdom_common_user_template',`
+@@ -693,32 +858,36 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -35931,7 +36132,7 @@ index 3c5dba7..c270e54 100644
')
')
-@@ -743,17 +916,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -35940,13 +36141,12 @@ index 3c5dba7..c270e54 100644
userdom_base_user_template($1)
-- userdom_manage_home_role($1_r, $1_t)
+ typeattribute $1_t login_userdomain;
++
+ userdom_manage_home_role($1_r, $1_t)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_home_role($1_r, $1_usertype)
-+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
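Review bot: `userdom_manage_home_role` is now applied to `$1_r, $1_t` while the tmp and tmpfs roles two lines below stay on `$1_usertype`, and nothing in the hunk says why the home role alone targets the concrete type. If the reason is that `userdom_manage_home_role` contains rules (the `type_member` seen in its hunk earlier in this patch) that need a type rather than an attribute, a comment such as `# home role takes $1_t: userdom_manage_home_role uses type_member, which requires a concrete type` would stop a later cleanup from "harmonising" it back to `$1_usertype`. The template body continues outside the hunk.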
@@ -35970,7 +36170,7 @@ index 3c5dba7..c270e54 100644
userdom_change_password_template($1)
-@@ -761,82 +950,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,99 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -36073,7 +36273,6 @@ index 3c5dba7..c270e54 100644
- seutil_read_config($1_t)
+ optional_policy(`
+ kerberos_use($1_usertype)
-+ kerberos_filetrans_home_content($1_usertype)
+ ')
optional_policy(`
@@ -36107,7 +36306,7 @@ index 3c5dba7..c270e54 100644
')
')
-@@ -868,6 +1075,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -36120,7 +36319,7 @@ index 3c5dba7..c270e54 100644
##############################
#
# Local policy
-@@ -908,41 +1121,97 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -36231,7 +36430,7 @@ index 3c5dba7..c270e54 100644
')
optional_policy(`
-@@ -951,12 +1220,30 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -36242,7 +36441,6 @@ index 3c5dba7..c270e54 100644
+ optional_policy(`
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
-+ pulseaudio_filetrans_home_content($1_usertype)
+ ')
+
+ optional_policy(`
@@ -36263,7 +36461,7 @@ index 3c5dba7..c270e54 100644
')
#######################################
-@@ -990,27 +1277,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -36301,7 +36499,7 @@ index 3c5dba7..c270e54 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1314,57 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1308,59 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -36311,6 +36509,8 @@ index 3c5dba7..c270e54 100644
- kernel_dontaudit_read_ring_buffer($1_t)
- ')
+ miscfiles_read_hwdata($1_usertype)
++
++ fs_mounton_fusefs($1_usertype)
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
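Review bot: `fs_mounton_fusefs($1_usertype)` is added unconditionally for every unprivileged user type, whereas the only fuse-related access in this template, `mount_run_fusermount($1_t, $1_r)` in the next hunk, is inside an `optional_policy(` block. Granting `mounton` on fusefs directories to all user domains regardless of whether fusermount is present widens what an ordinary user domain can use as a mount point; moving the line into that block, `optional_policy(\` mount_run_fusermount($1_t, $1_r) ... fs_mounton_fusefs($1_usertype) ')`, or gating it behind a tunable would keep the permission tied to the feature that needs it. The template body continues outside the hunk.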
@@ -36350,26 +36550,26 @@ index 3c5dba7..c270e54 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1369,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -36380,7 +36580,7 @@ index 3c5dba7..c270e54 100644
')
')
-@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1407,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -36389,7 +36589,7 @@ index 3c5dba7..c270e54 100644
')
##############################
-@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1434,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -36397,7 +36597,7 @@ index 3c5dba7..c270e54 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1443,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -36407,7 +36607,7 @@ index 3c5dba7..c270e54 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1460,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -36415,7 +36615,7 @@ index 3c5dba7..c270e54 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1478,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -36430,7 +36630,7 @@ index 3c5dba7..c270e54 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,30 +1500,39 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1496,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -36466,16 +36666,14 @@ index 3c5dba7..c270e54 100644
logging_send_syslog_msg($1_t)
- modutils_domtrans_insmod($1_t)
--
+ optional_policy(`
+ modutils_domtrans_insmod($1_t)
+ modutils_domtrans_depmod($1_t)
+ ')
-+
+
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
- # cannot directly manipulate policy files with arbitrary programs.
-@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1537,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -36484,7 +36682,7 @@ index 3c5dba7..c270e54 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1546,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -36503,7 +36701,7 @@ index 3c5dba7..c270e54 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1602,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -36512,7 +36710,7 @@ index 3c5dba7..c270e54 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1616,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -36524,7 +36722,7 @@ index 3c5dba7..c270e54 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1630,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -36567,7 +36765,7 @@ index 3c5dba7..c270e54 100644
')
optional_policy(`
-@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1715,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -36586,7 +36784,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1766,51 @@ interface(`userdom_user_tmpfs_file',`
##
## Allow domain to attach to TUN devices created by administrative users.
##
@@ -36638,7 +36836,7 @@ index 3c5dba7..c270e54 100644
##
##
## Domain allowed access.
-@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1915,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36670,7 +36868,7 @@ index 3c5dba7..c270e54 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1981,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -36685,7 +36883,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2004,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -36697,7 +36895,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2065,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -36740,7 +36938,7 @@ index 3c5dba7..c270e54 100644
########################################
##
## Create directories in the home dir root with
-@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2180,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36749,7 +36947,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2215,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -36764,7 +36962,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -1772,7 +2249,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2245,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -36773,7 +36971,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -1780,19 +2257,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2253,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -36797,7 +36995,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -1800,31 +2275,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2271,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -36837,7 +37035,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -1848,6 +2323,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2319,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -36863,7 +37061,7 @@ index 3c5dba7..c270e54 100644
## Mmap user home files.
##
##
-@@ -1878,14 +2372,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2368,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -36901,7 +37099,7 @@ index 3c5dba7..c270e54 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1896,11 +2412,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2408,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -36919,7 +37117,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -1941,7 +2460,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2456,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -36946,7 +37144,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -1951,17 +2488,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2484,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -36967,7 +37165,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -1969,12 +2504,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2500,48 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -37018,7 +37216,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -2010,8 +2581,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2577,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -37028,7 +37226,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -2027,20 +2597,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2593,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -37053,7 +37251,7 @@ index 3c5dba7..c270e54 100644
########################################
##
-@@ -2123,7 +2687,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2683,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -37062,7 +37260,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -2131,19 +2695,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2691,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -37086,7 +37284,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -2151,12 +2713,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2709,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -37102,7 +37300,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -2393,11 +2955,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2951,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -37117,7 +37315,7 @@ index 3c5dba7..c270e54 100644
files_search_tmp($1)
')
-@@ -2417,7 +2979,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2975,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -37126,7 +37324,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -2664,6 +3226,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3222,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -37152,7 +37350,7 @@ index 3c5dba7..c270e54 100644
########################################
##
## Read user tmpfs files.
-@@ -2680,13 +3261,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3257,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -37168,7 +37366,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -2707,7 +3289,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3285,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -37177,7 +37375,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -2715,19 +3297,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3293,17 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -37200,7 +37398,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -2735,21 +3315,39 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3311,43 @@ interface(`userdom_manage_user_tmpfs_files',`
##
##
#
@@ -37224,9 +37422,10 @@ index 3c5dba7..c270e54 100644
##
-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_getattr_user_ttys',`
+interface(`userdom_getattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
@@ -37242,10 +37441,14 @@ index 3c5dba7..c270e54 100644
+##
+##
+## Domain to not audit.
- ##
- ##
- #
-@@ -2817,6 +3415,24 @@ interface(`userdom_use_user_ttys',`
++##
++##
++#
++interface(`userdom_dontaudit_getattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+@@ -2817,6 +3411,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -37270,7 +37473,7 @@ index 3c5dba7..c270e54 100644
## Read and write a user domain pty.
##
##
-@@ -2835,22 +3451,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3447,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -37313,7 +37516,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -2859,14 +3487,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3483,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -37351,7 +37554,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -2885,8 +3532,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3528,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -37381,7 +37584,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -2958,69 +3624,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3620,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -37482,7 +37685,7 @@ index 3c5dba7..c270e54 100644
##
##
##
-@@ -3028,12 +3693,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3689,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -37497,7 +37700,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -3097,7 +3762,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3758,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -37506,7 +37709,7 @@ index 3c5dba7..c270e54 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3778,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3774,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -37540,7 +37743,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -3217,7 +3866,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3862,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -37549,7 +37752,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -3272,7 +3921,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3917,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -37615,7 +37818,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -3290,7 +3996,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3992,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -37624,7 +37827,7 @@ index 3c5dba7..c270e54 100644
')
########################################
-@@ -3309,6 +4015,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4011,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -37632,7 +37835,7 @@ index 3c5dba7..c270e54 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4092,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4088,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -37675,7 +37878,7 @@ index 3c5dba7..c270e54 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4148,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4144,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -37700,7 +37903,7 @@ index 3c5dba7..c270e54 100644
## Create keys for all user domains.
##
##
-@@ -3439,3 +4200,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4196,1355 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -38947,21 +39150,10 @@ index 3c5dba7..c270e54 100644
+#
+interface(`userdom_filetrans_home_content',`
+ gen_require(`
-+ type home_bin_t, home_cert_t;
-+ type audio_home_t;
++ attribute userdom_filetrans_type;
+ ')
+
-+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
-+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
-+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
-+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
-+
-+ optional_policy(`
-+ gnome_config_filetrans($1, home_cert_t, dir, "certificates")
-+ #gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
-+ ')
++ typeattribute $1 userdom_filetrans_type;
+')
+
+########################################
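Review bot: `userdom_filetrans_home_content` now does nothing but add `$1` to `userdom_filetrans_type`, so what a caller actually receives is decided entirely by the rules attached to that attribute in userdomain.te later in this diff, and the interface's header comment (which starts before this hunk) should say so. A caller that previously got only the explicit `bin`, `Audio`/`Music` and `.cert`/`.pki`/`certificates` transitions will now receive every transition attached to the attribute, including those contributed by other modules' `*_filetrans_home_content` interfaces. Suggest a comment inside the body such as `# All home-content name transitions live on userdom_filetrans_type in userdomain.te; adding a type here grants every one of them.`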
@@ -38997,8 +39189,9 @@ index 3c5dba7..c270e54 100644
+ gen_require(`
+ attribute userdom_home_manager_type;
+ ')
-+
+ typeattribute $1 userdom_home_manager_type;
++
++ userdom_filetrans_home_content($1)
+')
+
+########################################
@@ -39067,7 +39260,7 @@ index 3c5dba7..c270e54 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..069a8ea 100644
+index e2b538b..6371ed6 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -39130,12 +39323,13 @@ index e2b538b..069a8ea 100644
# all user domains
attribute userdomain;
-@@ -58,6 +52,22 @@ attribute unpriv_userdomain;
+@@ -58,6 +52,23 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
+attribute userdom_home_reader_type;
+attribute userdom_home_manager_type;
++attribute userdom_filetrans_type;
+
+# unprivileged user domains
+attribute user_home_type;
@@ -39153,7 +39347,7 @@ index e2b538b..069a8ea 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +80,123 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +81,207 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -39279,6 +39473,90 @@ index e2b538b..069a8ea 100644
+')
+# vi /etc/mtab can cause an avc trying to relabel to self.
+dontaudit userdomain self:file relabelto;
++
++userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++
++optional_policy(`
++ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++ #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++')
++
++#optional_policy(`
++# alsa_home_filetrans_alsa_home(userdom_filetrans_type)
++#')
++
++optional_policy(`
++ apache_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ auth_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ gpg_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ irc_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ kerberos_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ mozilla_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ mta_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ spamassassin_filetrans_home_content(userdom_filetrans_type)
++ spamassassin_filetrans_admin_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(userdom_filetrans_type)
++ ssh_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ telepathy_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ thumb_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ tvtime_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ virt_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ xserver_filetrans_home_content(userdom_filetrans_type)
++ xserver_filetrans_admin_home_content(userdom_filetrans_type)
++')
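Review bot: Every domain placed on `userdom_filetrans_type` now gets the full `{ dir file lnk_file fifo_file sock_file }` transition on the first added line plus the ssh, gpg, kerberos and other per-module transitions below it, whereas several of the callers converted later in this diff previously asked only for `{ dir file }` (evolution_t, ftpd_t) or `file` (gpg_t). That is a one-size-fits-all widening, so a comment on the attribute block recording that it is intentional would help the next reader. The commented-out `alsa_home_filetrans_alsa_home` block is dead text: either drop it or replace it with the reason it is disabled, especially since alsa.if in this diff changes what that interface does with its second argument. The enclosing hunk of userdomain.te begins outside this view.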
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..101086d 100644
--- a/policy/support/misc_patterns.spt
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index cb0c0a9..0c2bc63 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1692,7 +1692,7 @@ index 5de1e01..3aa9abb 100644
+
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
diff --git a/alsa.if b/alsa.if
-index 708b743..a482fed 100644
+index 708b743..c2edd9a 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
@@ -1703,6 +1703,15 @@ index 708b743..a482fed 100644
')
########################################
+@@ -235,7 +236,7 @@ interface(`alsa_home_filetrans_alsa_home',`
+ type alsa_home_t;
+ ')
+
+- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
++ userdom_user_home_dir_filetrans($1, alsa_home_t, dir, $3)
+ ')
+
+ ########################################
@@ -256,3 +257,69 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
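Review bot: `alsa_home_filetrans_alsa_home` still declares a second parameter but the new body hard-codes `dir`, so `$2` is silently ignored and a caller passing `file` gets a directory-only transition with no warning. If the intent is that this interface only ever labels directories, state it in the parameter documentation above the hunk, e.g. `## The object class argument is ignored; this interface always transitions dir.`, or drop the parameter so callers cannot rely on it. The interface definition begins outside this hunk.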
@@ -2031,7 +2040,7 @@ index c960f92..486e9ed 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..e9c715d 100644
+index 6f1384c..9f23456 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -2045,14 +2054,17 @@ index 6f1384c..e9c715d 100644
########################################
#
# Declarations
-@@ -34,6 +38,7 @@ modutils_domtrans_insmod(anaconda_t)
+@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
- userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(anaconda_t)
+ optional_policy(`
+ rpm_domtrans(anaconda_t)
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000..e44bff0
@@ -2432,10 +2444,10 @@ index 0000000..3929b7e
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..bd752cd
+index 0000000..b334e9a
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,244 @@
+@@ -0,0 +1,245 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2513,6 +2525,7 @@ index 0000000..bd752cd
+
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
@@ -7020,11 +7033,11 @@ index 5439f1c..0be374d 100644
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
-index 0000000..86bbf21
+index 0000000..4579cfe
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
-+/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
++/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
@@ -10068,10 +10081,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..45057f8
+index 0000000..2cce501
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,203 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -10154,9 +10167,14 @@ index 0000000..45057f8
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
-+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
++libs_legacy_use_shared_libs(chrome_sandbox_t)
++
++miscfiles_read_fonts(chrome_sandbox_t)
++
++sysnet_dns_name_resolve(chrome_sandbox_t)
++
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
+
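Review bot: `libs_legacy_use_shared_libs(chrome_sandbox_t)` deserves a why-comment: if this is the refpolicy interface that permits loading text-relocated libraries (execmod on textrel_shlib_t), granting it to a sandbox domain relaxes the no-writable-executable-memory property the sandbox otherwise has, and the same call is added for chrome_sandbox_nacl_t in a later hunk of this file. A comment naming the library that needs it, e.g. `# <library> ships with text relocations — TODO confirm and drop once fixed`, lets the grant be removed once it is no longer needed.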
@@ -10168,10 +10186,6 @@ index 0000000..45057f8
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
-+miscfiles_read_fonts(chrome_sandbox_t)
-+
-+sysnet_dns_name_resolve(chrome_sandbox_t)
-+
+optional_policy(`
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
@@ -10262,6 +10276,8 @@ index 0000000..45057f8
+
+init_read_state(chrome_sandbox_nacl_t)
+
++libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
++
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
@@ -14348,7 +14364,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..5f68577 100644
+index 28e1b86..0c0f4f2 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -15061,6 +15077,7 @@ index 28e1b86..5f68577 100644
')
optional_policy(`
+- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
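Review bot: The removed `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, …)` has no replacement for system_cronjob_t; the `userdom_filetrans_home_content(crond_t)` added in the next hunk targets a different domain. If jobs running as system_cronjob_t are still expected to create files directly under user home directories, those files will presumably now take the default parent-directory label instead of user_home_t. If dropping it is deliberate, a one-line comment in the systemd optional block, `# home-content filetrans intentionally not granted to system_cronjob_t`, would record that. The enclosing optional_policy block begins outside this hunk.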
@@ -15073,7 +15090,7 @@ index 28e1b86..5f68577 100644
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
++ userdom_filetrans_home_content(crond_t)
')
########################################
@@ -15117,7 +15134,7 @@ index 28e1b86..5f68577 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +661,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +661,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -15170,7 +15187,6 @@ index 28e1b86..5f68577 100644
userdom_manage_user_home_content_symlinks(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
-+#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit cronjob_t crond_t:fd use;
@@ -17557,7 +17573,7 @@ index afcf3a2..0730306 100644
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..4c346e6 100644
+index 2c2e7e1..4a56f17 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
@@ -17882,7 +17898,7 @@ index 2c2e7e1..4c346e6 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +300,37 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +300,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -17899,7 +17915,6 @@ index 2c2e7e1..4c346e6 100644
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
-+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
+userdom_manage_tmpfs_files(session_bus_type, file)
+userdom_tmpfs_filetrans(session_bus_type, file)
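Review bot: The `userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })` line is dropped here without the `userdom_filetrans_home_content(session_bus_type)` replacement every other converted domain in this diff receives, while the manage rules for user home content dirs and files just above are kept. Unless the transition is now reached through some rule not visible here, a session bus daemon creating content directly under a home directory will get the parent label rather than user_home_t. Either add `userdom_filetrans_home_content(session_bus_type)` or record why it was removed.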
@@ -17925,7 +17940,7 @@ index 2c2e7e1..4c346e6 100644
')
########################################
-@@ -244,5 +338,6 @@ optional_policy(`
+@@ -244,5 +337,6 @@ optional_policy(`
# Unconfined access to this module
#
@@ -20571,7 +20586,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..412f08d 100644
+index a7bfaf0..9697f9d 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -20784,7 +20799,7 @@ index a7bfaf0..412f08d 100644
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
-+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(dovecot_t)
optional_policy(`
- kerberos_keytab_template(dovecot, dovecot_t)
@@ -20953,7 +20968,7 @@ index a7bfaf0..412f08d 100644
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
-+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(dovecot_deliver_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(dovecot_deliver_t)
@@ -21514,7 +21529,7 @@ index a0da189..d8bc9d5 100644
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
diff --git a/evolution.te b/evolution.te
-index 94fb625..b94a09d 100644
+index 94fb625..3742ee1 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
@@ -21525,6 +21540,15 @@ index 94fb625..b94a09d 100644
fs_search_auto_mountpoints(evolution_t)
+@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
+
+ userdom_manage_user_home_content_dirs(evolution_t)
+ userdom_manage_user_home_content_files(evolution_t)
+-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
++userdom_filetrans_home_content(evolution_t)
+
+ userdom_write_user_tmp_sockets(evolution_t)
+
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
dev_read_urand(evolution_alarm_t)
@@ -22615,7 +22639,7 @@ index 280f875..f3a67c9 100644
##
##
diff --git a/firstboot.te b/firstboot.te
-index c12c067..3b01d01 100644
+index c12c067..a415012 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
@@ -22703,7 +22727,7 @@ index c12c067..3b01d01 100644
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
-@@ -73,11 +76,11 @@ locallogin_use_fds(firstboot_t)
+@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
@@ -22718,6 +22742,14 @@ index c12c067..3b01d01 100644
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
+ userdom_manage_user_home_content_pipes(firstboot_t)
+ userdom_manage_user_home_content_sockets(firstboot_t)
+ userdom_home_filetrans_user_home_dir(firstboot_t)
+-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(firstboot_t)
+
+ optional_policy(`
+ dbus_system_bus_client(firstboot_t)
@@ -102,20 +105,18 @@ optional_policy(`
')
@@ -22885,7 +22917,7 @@ index d062080..e098a40 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..ee708c7 100644
+index e50f33c..2f7de33 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -22982,9 +23014,11 @@ index e50f33c..ee708c7 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -255,31 +262,40 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t)
+
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
++userdom_filetrans_home_content(ftpd_t)
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
@@ -23030,7 +23064,7 @@ index e50f33c..ee708c7 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +315,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23043,7 +23077,20 @@ index e50f33c..ee708c7 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -360,7 +376,7 @@ optional_policy(`
+@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',`
+
+ userdom_manage_user_home_content_dirs(ftpd_t)
+ userdom_manage_user_home_content_files(ftpd_t)
+- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+ userdom_manage_user_tmp_dirs(ftpd_t)
+ userdom_manage_user_tmp_files(ftpd_t)
+- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ ',`
+- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+ userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ ')
+
+@@ -360,7 +374,7 @@ optional_policy(`
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
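Review bot: With `ftp_home_dir` enabled ftpd_t now loses its user tmp transition: `userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })` is removed from the true branch but kept in the else branch, so the tunable flips which branch carries it instead of both branches having it. The home-content transition was handled by hoisting `userdom_filetrans_home_content(ftpd_t)` above the tunable in an earlier hunk of this file, and the sftpd_t hunk later does the same with an unconditional `userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })`; ftpd_t should get the same unconditional line, after which the else branch can go. The enclosing tunable_policy block begins outside this hunk.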
@@ -23052,7 +23099,7 @@ index e50f33c..ee708c7 100644
')
optional_policy(`
-@@ -410,21 +426,20 @@ optional_policy(`
+@@ -410,21 +424,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -23076,7 +23123,7 @@ index e50f33c..ee708c7 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -437,10 +452,23 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -23098,10 +23145,26 @@ index e50f33c..ee708c7 100644
+ ssh_manage_home_files(sftpd_t)
+ ')
+')
++
++userdom_filetrans_home_content(sftpd_t)
++userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
tunable_policy(`sftpd_enable_homedirs',`
allow sftpd_t self:capability { dac_override dac_read_search };
-@@ -475,21 +503,11 @@ tunable_policy(`sftpd_anon_write',`
+
+ userdom_manage_user_home_content_dirs(sftpd_t)
+ userdom_manage_user_home_content_files(sftpd_t)
+- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+ userdom_manage_user_tmp_dirs(sftpd_t)
+ userdom_manage_user_tmp_files(sftpd_t)
+- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+-',`
+- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ ')
+
+ tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -23699,10 +23762,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..9cfc035
+index 0000000..643f4bd
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,146 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -23726,7 +23789,7 @@ index 0000000..9cfc035
+## Allow glusterfsd to share any file/directory read/write.
+##
+##
-+gen_tunable(gluster_export_all_rw, false)
++gen_tunable(gluster_export_all_rw, true)
+
+########################################
+#
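Review bot: `gen_tunable(gluster_export_all_rw, true)` enables by default a boolean whose own description says it lets glusterfsd share any file or directory read/write, so a fresh install grants the broadest export policy unless an administrator opts out. Defaulting a read/write-everything tunable to `false` and documenting how to enable it is the safer shape; if the default must be `true` for the daemon to work out of the box, state that in the tunable's description, e.g. `## Enabled by default because <reason>; set to false to restrict exports.`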
@@ -23833,6 +23896,7 @@ index 0000000..9cfc035
+miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
++userdom_filetrans_home_content(glusterd_t)
+
+tunable_policy(`gluster_anon_write',`
+ miscfiles_manage_public_files(glusterd_t)
@@ -24127,10 +24191,10 @@ index e39de43..52e5a3a 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..f73c152 100644
+index d03fd43..0a785a3 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,123 +1,155 @@
+@@ -1,123 +1,154 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
@@ -24315,7 +24379,6 @@ index d03fd43..f73c152 100644
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_bus_client($1_gkeyringd_t)
-+ gnome_home_dir_filetrans($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
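Review bot: `gnome_home_dir_filetrans($1_gkeyringd_t)` is removed from the role template with no replacement visible, while the `gnome_manage_generic_home_dirs` grant on the next line is kept, so the keyring daemon keeps permission to create home directories but presumably no longer gets a name transition for them. If the transition is now meant to arrive via `userdom_filetrans_home_content` and the `gnome_filetrans_home_content` rule on userdom_filetrans_type, that call is not applied to `$1_gkeyringd_t` anywhere in this chunk; a comment stating where the transition now comes from would settle it. The template body begins outside this hunk.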
@@ -24363,7 +24426,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -125,18 +157,18 @@ template(`gnome_role_template',`
+@@ -125,18 +156,18 @@ template(`gnome_role_template',`
##
##
#
@@ -24387,7 +24450,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
+@@ -144,119 +175,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -24544,7 +24607,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -264,15 +290,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -24571,7 +24634,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -280,57 +312,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -24679,7 +24742,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -338,15 +402,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -24703,7 +24766,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
+@@ -354,22 +421,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -24730,7 +24793,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -377,53 +440,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -24792,7 +24855,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
+@@ -431,17 +478,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -24815,7 +24878,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -449,46 +498,36 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,46 +497,36 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -24871,7 +24934,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -496,29 +535,35 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -496,29 +534,35 @@ interface(`gnome_manage_generic_gconf_home_content',`
##
##
#
@@ -24915,7 +24978,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -527,62 +572,125 @@ interface(`gnome_search_generic_gconf_home',`
+@@ -527,62 +571,125 @@ interface(`gnome_search_generic_gconf_home',`
##
##
#
@@ -25060,7 +25123,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -591,65 +699,76 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -591,65 +698,76 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
@@ -25161,7 +25224,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -657,46 +776,36 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -657,46 +775,36 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
@@ -25217,7 +25280,7 @@ index d03fd43..f73c152 100644
##
##
##
-@@ -704,12 +813,773 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +812,773 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -26839,7 +26902,7 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 44cf341..8424d09 100644
+index 44cf341..b04d02c 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
@@ -27039,8 +27102,9 @@ index 44cf341..8424d09 100644
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
+-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_manage_user_home_content_dirs(gpg_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
++userdom_filetrans_home_content(gpg_t)
+userdom_stream_connect(gpg_t)
-tunable_policy(`use_nfs_home_dirs',`
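Review bot: The replacement `userdom_filetrans_home_content(gpg_t)` drops the object-class argument that the removed `userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)` carried, and the interface's definition is not in this chunk, so it cannot be seen whether it reproduces the same transition set or a broader one. The same substitution is made against different original class lists in the irc.te (`{ dir file }`), java.te, mono.te, mplayer.te (mencoder_t and mplayer_t), mta.if/mta.te and namespace.te hunks of this patch, and `userdom_filetrans_home_content(gpg_agent_t)` is added in the next gpg.te hunk while the agent's explicit `{ dir file }` transition is removed in the one after it. Please confirm the new interface covers at least the classes each removed call named, and leave a one-line comment at the first call site, e.g. `# home-dir file transitions are now centralised in userdom_filetrans_home_content`, since the per-domain intent is no longer readable from the call.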
@@ -27192,6 +27256,7 @@ index 44cf341..8424d09 100644
+userdom_use_inherited_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
++userdom_filetrans_home_content(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -27202,7 +27267,6 @@ index 44cf341..8424d09 100644
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
-+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
@@ -27948,7 +28012,7 @@ index ac00fb0..06cb083 100644
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index ecad9c7..f8d4f1d 100644
+index ecad9c7..56e2b35 100644
--- a/irc.te
+++ b/irc.te
@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t)
@@ -28016,7 +28080,7 @@ index ecad9c7..f8d4f1d 100644
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,7 +123,6 @@ auth_use_nsswitch(irc_t)
+@@ -106,13 +123,15 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
@@ -28024,16 +28088,16 @@ index ecad9c7..f8d4f1d 100644
userdom_use_user_terminals(irc_t)
-@@ -114,6 +130,9 @@ userdom_manage_user_home_content_dirs(irc_t)
+ userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
- userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
-
+-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
++userdom_filetrans_home_content(irc_t)
++
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(irc_t)
-+
+
tunable_policy(`irc_use_any_tcp_ports',`
corenet_sendrecv_all_server_packets(irc_t)
- corenet_tcp_bind_all_unreserved_ports(irc_t)
@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -28233,7 +28297,7 @@ index 1a35420..1d27695 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index 57304e4..74153ec 100644
+index 57304e4..e7080f8 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
@@ -28268,7 +28332,7 @@ index 57304e4..74153ec 100644
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,10 +84,12 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,10 +84,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
@@ -28277,13 +28341,14 @@ index 57304e4..74153ec 100644
+corenet_tcp_connect_winshadow_port(iscsid_t)
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
+
++dev_read_urand(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-dev_write_raw_memory(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -99,8 +100,6 @@ init_stream_connect_script(iscsid_t)
+@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
@@ -28776,7 +28841,7 @@ index bb12c90..ff69343 100644
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
-index b3fcfbb..98cbfb4 100644
+index b3fcfbb..5459aa3 100644
--- a/java.te
+++ b/java.te
@@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
@@ -28796,7 +28861,12 @@ index b3fcfbb..98cbfb4 100644
files_read_etc_runtime_files(java_domain)
fs_getattr_all_fs(java_domain)
-@@ -112,7 +111,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s
+@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain)
+ userdom_manage_user_home_content_symlinks(java_domain)
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
++userdom_filetrans_home_content(java_domain_t)
userdom_write_user_tmp_sockets(java_domain)
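Review bot: The added line targets `java_domain_t` while every neighbouring rule in this hunk, including the removed `userdom_user_home_dir_filetrans_user_home_content(java_domain, …)` it replaces, targets the `java_domain` attribute, so either the build fails on an undeclared type or the transition lands on a single type instead of the whole attribute. It should read `userdom_filetrans_home_content(java_domain)`. If `java_domain_t` is a real declared type elsewhere in the module, that is not visible here, and the narrowing would then deserve a comment.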
@@ -30586,7 +30656,7 @@ index f9de9fc..138e1e2 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..fe2c2da 100644
+index 3465a9a..353c4ce 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
@@ -30700,7 +30770,7 @@ index 3465a9a..fe2c2da 100644
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -119,31 +128,39 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
@@ -30733,6 +30803,8 @@ index 3465a9a..fe2c2da 100644
selinux_validate_context(kadmind_t)
++auth_read_passwd(kadmind_t)
++
logging_send_syslog_msg(kadmind_t)
-miscfiles_read_localization(kadmind_t)
@@ -30745,7 +30817,7 @@ index 3465a9a..fe2c2da 100644
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,6 +171,10 @@ optional_policy(`
+@@ -154,6 +173,10 @@ optional_policy(`
')
optional_policy(`
@@ -30756,7 +30828,7 @@ index 3465a9a..fe2c2da 100644
nis_use_ypbind(kadmind_t)
')
-@@ -174,24 +195,27 @@ optional_policy(`
+@@ -174,24 +197,27 @@ optional_policy(`
# Krb5kdc local policy
#
@@ -30788,7 +30860,7 @@ index 3465a9a..fe2c2da 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,42 +227,39 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
@@ -30839,7 +30911,10 @@ index 3465a9a..fe2c2da 100644
files_read_usr_symlinks(krb5kdc_t)
files_read_var_files(krb5kdc_t)
-@@ -247,10 +268,10 @@ selinux_validate_context(krb5kdc_t)
+ selinux_validate_context(krb5kdc_t)
+
++auth_read_passwd(krb5kdc_t)
++
logging_send_syslog_msg(krb5kdc_t)
miscfiles_read_generic_certs(krb5kdc_t)
@@ -30851,7 +30926,7 @@ index 3465a9a..fe2c2da 100644
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +282,11 @@ optional_policy(`
+@@ -261,11 +286,11 @@ optional_policy(`
')
optional_policy(`
@@ -30865,7 +30940,7 @@ index 3465a9a..fe2c2da 100644
')
optional_policy(`
-@@ -273,6 +294,10 @@ optional_policy(`
+@@ -273,6 +298,10 @@ optional_policy(`
')
optional_policy(`
@@ -30876,7 +30951,7 @@ index 3465a9a..fe2c2da 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +306,12 @@ optional_policy(`
+@@ -281,10 +310,12 @@ optional_policy(`
# kpropd local policy
#
@@ -30892,7 +30967,7 @@ index 3465a9a..fe2c2da 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -303,26 +330,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -32582,7 +32657,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..3124cab 100644
+index 7bab8e5..ed36684 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,18 @@
@@ -32644,7 +32719,7 @@ index 7bab8e5..3124cab 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,79 +52,93 @@ allow logrotate_t self:msg { send receive };
+@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@@ -32666,9 +32741,10 @@ index 7bab8e5..3124cab 100644
kernel_read_kernel_sysctls(logrotate_t)
+dev_read_urand(logrotate_t)
++dev_read_sysfs(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
-+fs_getattr_xattr_fs(logrotate_t)
++fs_getattr_all_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
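Review bot: `fs_getattr_xattr_fs(logrotate_t)` is widened to `fs_getattr_all_fs(logrotate_t)` and `dev_read_sysfs(logrotate_t)` is added without any note of which filesystem or sysfs path logrotate was denied on, so the wider grant cannot be reviewed against the need. A comment on the two lines naming the trigger, e.g. `# statfs()/sysfs read seen when rotating logs on <FS_TYPE placeholder>, bz <ID placeholder>`, would keep this least-privilege decision auditable. If only one filesystem type is involved, the narrower `fs_getattr_*` interface for that type would be preferable to the all-filesystems grant.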
@@ -32765,7 +32841,7 @@ index 7bab8e5..3124cab 100644
')
optional_policy(`
-@@ -140,11 +158,11 @@ optional_policy(`
+@@ -140,11 +159,11 @@ optional_policy(`
')
optional_policy(`
@@ -32779,7 +32855,7 @@ index 7bab8e5..3124cab 100644
')
optional_policy(`
-@@ -178,7 +196,7 @@ optional_policy(`
+@@ -178,7 +197,7 @@ optional_policy(`
')
optional_policy(`
@@ -32788,7 +32864,7 @@ index 7bab8e5..3124cab 100644
')
optional_policy(`
-@@ -198,21 +216,22 @@ optional_policy(`
+@@ -198,21 +217,22 @@ optional_policy(`
')
optional_policy(`
@@ -32815,7 +32891,7 @@ index 7bab8e5..3124cab 100644
')
optional_policy(`
-@@ -228,10 +247,20 @@ optional_policy(`
+@@ -228,10 +248,20 @@ optional_policy(`
')
optional_policy(`
@@ -32836,7 +32912,7 @@ index 7bab8e5..3124cab 100644
su_exec(logrotate_t)
')
-@@ -241,13 +270,11 @@ optional_policy(`
+@@ -241,13 +271,11 @@ optional_policy(`
#######################################
#
@@ -34150,10 +34226,10 @@ index 327f3f7..8d5841f 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index 5a414e0..e2f4ce0 100644
+index 5a414e0..fd54e2b 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -10,25 +10,40 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,45 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -34196,7 +34272,12 @@ index 5a414e0..e2f4ce0 100644
+files_search_locks(mandb_t)
miscfiles_manage_man_cache(mandb_t)
++miscfiles_setattr_man_pages(mandb_t)
+ optional_policy(`
+ cron_system_entry(mandb_t, mandb_exec_t)
+ ')
++
diff --git a/mcelog.if b/mcelog.if
index 9dbe694..f89651e 100644
--- a/mcelog.if
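Review bot: The hunk appends an empty line after the closing `')` of the last `optional_policy` block, leaving mandb.te with a trailing blank line that the other .te files touched by this patch do not have; drop the final `+` blank line so the file ends at `')`. The new `miscfiles_setattr_man_pages(mandb_t)` grant would also read better with a why-comment, e.g. `# mandb adjusts attributes of the man pages it regenerates`, provided that is the actual trigger, which is not visible here.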
@@ -35691,6 +35772,19 @@ index 4de8949..5c237c3 100644
fs_getattr_all_fs(mongod_t)
-miscfiles_read_localization(mongod_t)
+diff --git a/mono.te b/mono.te
+index d287fe9..3dc493c 100644
+--- a/mono.te
++++ b/mono.te
+@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
+ # local policy
+ #
+
+-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(mono_t)
+
+ init_dbus_chat_script(mono_t)
+
diff --git a/monop.te b/monop.te
index 4462c0e..84944d1 100644
--- a/monop.te
@@ -36515,7 +36609,7 @@ index 6194b80..97b8462 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..de62123 100644
+index 6a306ee..7131f6f 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -36524,7 +36618,7 @@ index 6a306ee..de62123 100644
########################################
#
-@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,27 @@ policy_module(mozilla, 2.7.4)
#
##
@@ -36545,13 +36639,6 @@ index 6a306ee..de62123 100644
+##
+##
+gen_tunable(mozilla_read_content, false)
-+
-+##
-+##
-+## Allow mozilla_plugins to create random content in the users home directory
-+##
-+##
-+gen_tunable(mozilla_plugin_enable_homedirs, false)
attribute_role mozilla_roles;
attribute_role mozilla_plugin_roles;
@@ -36564,7 +36651,7 @@ index 6a306ee..de62123 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
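Review bot: Removing `gen_tunable(mozilla_plugin_enable_homedirs, false)` retires a user-visible boolean, but the `tunable_policy(\`mozilla_plugin_enable_homedirs', …` block that consumed it is only commented out further down in mozilla.te rather than deleted, so the patch now carries dead policy text referring to a boolean that no longer exists. Delete that commented block outright instead of keeping it as `#`-prefixed lines. If the boolean was documented or set in any shipped configuration, that reference needs the same update, which cannot be checked from this chunk.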
-@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +34,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -36574,7 +36661,7 @@ index 6a306ee..de62123 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,29 +44,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -36609,7 +36696,7 @@ index 6a306ee..de62123 100644
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +71,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -36620,7 +36707,7 @@ index 6a306ee..de62123 100644
########################################
#
# Local policy
-@@ -75,23 +86,26 @@ optional_policy(`
+@@ -75,23 +79,25 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -36651,7 +36738,6 @@ index 6a306ee..de62123 100644
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
-+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+# Mozpluggerrc
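Review bot: `userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)` is removed while the `manage_*_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)` rules above it stay, and the parallel `mozilla_filetrans_home_content(mozilla_plugin_t)` is removed in the mozilla_plugin_t section with its tunable fallback commented out. Unless both domains now obtain the profile-directory transition through another interface outside this chunk, a freshly created ~/.mozilla would not be labelled mozilla_home_t and the retained manage rules would not apply to it. A one-line comment on the remaining manage rules stating where the transition now comes from, e.g. `# mozilla_home_t transition is provided by <interface placeholder>`, would make the intent verifiable.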
@@ -36659,7 +36745,7 @@ index 6a306ee..de62123 100644
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +109,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -36767,7 +36853,7 @@ index 6a306ee..de62123 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +180,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -36775,15 +36861,15 @@ index 6a306ee..de62123 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -36878,7 +36964,7 @@ index 6a306ee..de62123 100644
')
optional_policy(`
-@@ -244,19 +268,12 @@ optional_policy(`
+@@ -244,19 +260,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -36900,7 +36986,7 @@ index 6a306ee..de62123 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +282,32 @@ optional_policy(`
+@@ -265,33 +274,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -36913,34 +36999,34 @@ index 6a306ee..de62123 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -36948,7 +37034,7 @@ index 6a306ee..de62123 100644
')
optional_policy(`
-@@ -300,221 +316,171 @@ optional_policy(`
+@@ -300,221 +308,171 @@ optional_policy(`
########################################
#
@@ -37007,7 +37093,6 @@ index 6a306ee..de62123 100644
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-+mozilla_filetrans_home_content(mozilla_plugin_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -37187,6 +37272,7 @@ index 6a306ee..de62123 100644
+
libs_exec_ld_so(mozilla_plugin_t)
libs_exec_lib_files(mozilla_plugin_t)
++libs_legacy_use_shared_libs(mozilla_plugin_t)
logging_send_syslog_msg(mozilla_plugin_t)
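Review bot: `libs_legacy_use_shared_libs(mozilla_plugin_t)` is added without a comment, and if, as its name suggests, that interface permits `execmod` on ordinary library files, it exempts the plugin domain from the text-relocation restriction for every library it loads rather than for the one that needs it. Prefer labelling the specific offending library `textrel_shlib_t` in the module's .fc, or record the reason here, e.g. `# <plugin library placeholder> needs text relocations`, so the broader grant stays reviewable. Whether any plugin actually requires this is not visible in the hunk.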
@@ -37263,7 +37349,7 @@ index 6a306ee..de62123 100644
')
optional_policy(`
-@@ -523,36 +489,43 @@ optional_policy(`
+@@ -523,36 +481,43 @@ optional_policy(`
')
optional_policy(`
@@ -37301,18 +37387,18 @@ index 6a306ee..de62123 100644
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+ lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-+')
-+
-+optional_policy(`
-+ mplayer_exec(mozilla_plugin_t)
-+ mplayer_manage_generic_home_content(mozilla_plugin_t)
-+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
')
optional_policy(`
- mplayer_exec(mozilla_plugin_t)
- mplayer_manage_generic_home_content(mozilla_plugin_t)
- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++ mplayer_exec(mozilla_plugin_t)
++ mplayer_manage_generic_home_content(mozilla_plugin_t)
++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++')
++
++optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
@@ -37321,7 +37407,7 @@ index 6a306ee..de62123 100644
')
optional_policy(`
-@@ -560,7 +533,7 @@ optional_policy(`
+@@ -560,7 +525,7 @@ optional_policy(`
')
optional_policy(`
@@ -37330,7 +37416,7 @@ index 6a306ee..de62123 100644
')
optional_policy(`
-@@ -568,108 +541,108 @@ optional_policy(`
+@@ -568,108 +533,108 @@ optional_policy(`
')
optional_policy(`
@@ -37358,12 +37444,12 @@ index 6a306ee..de62123 100644
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-
+-
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
@@ -37485,16 +37571,17 @@ index 6a306ee..de62123 100644
-optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
-+tunable_policy(`mozilla_plugin_enable_homedirs',`
-+ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
-+', `
-+
-+ userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
-+ userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
- ')
+-')
++#tunable_policy(`mozilla_plugin_enable_homedirs',`
++# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
++#', `
-optional_policy(`
- xserver_use_user_fonts(mozilla_plugin_config_t)
++ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
++ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
++#')
++
+tunable_policy(`selinuxuser_execmod',`
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
@@ -37574,7 +37661,7 @@ index 7c8afcc..200cec1 100644
')
diff --git a/mplayer.te b/mplayer.te
-index 9aca704..5db9491 100644
+index 9aca704..f92829c 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4)
@@ -37594,6 +37681,15 @@ index 9aca704..5db9491 100644
fs_search_auto_mountpoints(mencoder_t)
+@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t)
+
+ userdom_manage_user_home_content_dirs(mencoder_t)
+ userdom_manage_user_home_content_files(mencoder_t)
+-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
++userdom_filetrans_home_content(mencoder_t)
+
+ ifndef(`enable_mls',`
+ fs_list_dos(mencoder_t)
@@ -95,15 +94,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mencoder_t)
')
@@ -37622,6 +37718,15 @@ index 9aca704..5db9491 100644
fs_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
+@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+
+ userdom_manage_user_home_content_dirs(mplayer_t)
+ userdom_manage_user_home_content_files(mplayer_t)
+-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
++userdom_filetrans_home_content(mplayer_t)
+
+ userdom_write_user_tmp_sockets(mplayer_t)
+
@@ -211,15 +209,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mplayer_t)
')
@@ -37747,7 +37852,7 @@ index f42896c..8654c3c 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..7d1522c 100644
+index ed81cac..566684a 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -38033,7 +38138,7 @@ index ed81cac..7d1522c 100644
typeattribute $1 mailserver_domain;
')
-@@ -374,6 +264,12 @@ interface(`mta_mailserver_delivery',`
+@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
@@ -38043,10 +38148,13 @@ index ed81cac..7d1522c 100644
+ optional_policy(`
+ mta_rw_delivery_tcp_sockets($1)
+ ')
++
++ userdom_filetrans_home_content($1)
++
')
#######################################
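Review bot: The added `userdom_filetrans_home_content($1)` in `mta_mailserver_delivery` is followed by a blank line immediately before the closing `')`, which none of the other interfaces in this file do; drop the trailing `+` blank line. This change also moves the home-content transition from the `mailserver_delivery` attribute (its explicit rule is removed in the mta.te hunk) to every caller of this interface, so the interface's description block, which lies outside the hunk, should say that callers now receive home directory file transitions. `mta_mailserver_delivery` begins before the hunk.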
-@@ -394,6 +290,12 @@ interface(`mta_mailserver_user_agent',`
+@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
@@ -38059,7 +38167,7 @@ index ed81cac..7d1522c 100644
')
########################################
-@@ -408,14 +310,19 @@ interface(`mta_mailserver_user_agent',`
+@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -38081,7 +38189,7 @@ index ed81cac..7d1522c 100644
')
########################################
-@@ -445,18 +352,24 @@ interface(`mta_send_mail',`
+@@ -445,18 +355,24 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -38111,7 +38219,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -464,7 +377,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
@@ -38119,7 +38227,7 @@ index ed81cac..7d1522c 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -475,7 +387,43 @@ interface(`mta_signal_system_mail',`
+@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',`
########################################
##
@@ -38164,7 +38272,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -506,13 +454,32 @@ interface(`mta_sendmail_exec',`
+@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',`
type sendmail_exec_t;
')
@@ -38199,7 +38307,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -528,13 +495,13 @@ interface(`mta_read_config',`
+@@ -528,13 +498,13 @@ interface(`mta_read_config',`
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
@@ -38216,7 +38324,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -548,33 +515,31 @@ interface(`mta_write_config',`
+@@ -548,33 +518,31 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -38256,7 +38364,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -582,84 +547,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +550,66 @@ interface(`mta_read_aliases',`
##
##
#
@@ -38357,7 +38465,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -674,14 +621,13 @@ interface(`mta_rw_aliases',`
+@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -38375,7 +38483,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -697,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
@@ -38401,7 +38509,7 @@ index ed81cac..7d1522c 100644
#######################################
##
## Connect to all mail servers over TCP. (Deprecated)
-@@ -713,8 +678,8 @@ interface(`mta_tcp_connect_all_mailservers',`
+@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',`
#######################################
##
@@ -38412,7 +38520,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -732,7 +697,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
########################################
##
@@ -38421,7 +38529,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -753,8 +718,8 @@ interface(`mta_getattr_spool',`
+@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',`
########################################
##
@@ -38432,7 +38540,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -775,9 +740,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
#######################################
##
@@ -38444,7 +38552,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -811,7 +775,7 @@ interface(`mta_spool_filetrans',`
+@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',`
#######################################
##
@@ -38453,7 +38561,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -819,10 +783,10 @@ interface(`mta_spool_filetrans',`
+@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',`
##
##
#
@@ -38468,7 +38576,7 @@ index ed81cac..7d1522c 100644
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -830,7 +794,7 @@ interface(`mta_read_spool_files',`
+@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',`
########################################
##
@@ -38477,7 +38585,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -845,13 +809,14 @@ interface(`mta_rw_spool',`
+@@ -845,13 +812,14 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -38495,7 +38603,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -866,13 +831,14 @@ interface(`mta_append_spool',`
+@@ -866,13 +834,14 @@ interface(`mta_append_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -38513,7 +38621,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -891,8 +857,7 @@ interface(`mta_delete_spool',`
+@@ -891,8 +860,7 @@ interface(`mta_delete_spool',`
########################################
##
@@ -38523,7 +38631,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -911,45 +876,9 @@ interface(`mta_manage_spool',`
+@@ -911,45 +879,9 @@ interface(`mta_manage_spool',`
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
@@ -38570,7 +38678,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -968,7 +897,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +900,7 @@ interface(`mta_search_queue',`
#######################################
##
@@ -38579,7 +38687,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -981,13 +910,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +913,13 @@ interface(`mta_list_queue',`
type mqueue_spool_t;
')
@@ -38595,7 +38703,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -1000,14 +929,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +932,14 @@ interface(`mta_read_queue',`
type mqueue_spool_t;
')
@@ -38612,7 +38720,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -1027,7 +956,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',`
########################################
##
## Create, read, write, and delete
@@ -38621,7 +38729,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -1047,6 +976,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',`
#######################################
##
@@ -38663,7 +38771,7 @@ index ed81cac..7d1522c 100644
## Read sendmail binary.
##
##
-@@ -1055,6 +1019,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',`
##
##
#
@@ -38671,7 +38779,7 @@ index ed81cac..7d1522c 100644
interface(`mta_read_sendmail_bin',`
gen_require(`
type sendmail_exec_t;
-@@ -1065,8 +1030,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',`
#######################################
##
@@ -38682,7 +38790,7 @@ index ed81cac..7d1522c 100644
##
##
##
-@@ -1081,3 +1046,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -38859,7 +38967,7 @@ index ed81cac..7d1522c 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..af79d2b 100644
+index afd2fad..a270fd4 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -39275,7 +39383,7 @@ index afd2fad..af79d2b 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -387,24 +276,166 @@ optional_policy(`
+@@ -387,24 +276,165 @@ optional_policy(`
########################################
#
@@ -39295,7 +39403,7 @@ index afd2fad..af79d2b 100644
+userdom_use_inherited_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
-+userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
++userdom_filetrans_home_content(user_mail_t)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
@@ -39303,7 +39411,6 @@ index afd2fad..af79d2b 100644
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
-+userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
+
+# Read user temporary files.
@@ -41646,7 +41753,7 @@ index 0000000..8d7c751
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
-index 0000000..f6ffaa3
+index 0000000..bac253c
--- /dev/null
+++ b/namespace.te
@@ -0,0 +1,40 @@
@@ -41689,7 +41796,7 @@ index 0000000..f6ffaa3
+userdom_manage_user_home_content_files(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
+userdom_relabelto_user_home_files(namespace_init_t)
-+userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(namespace_init_t)
diff --git a/ncftool.if b/ncftool.if
index db9578f..4309e3d 100644
--- a/ncftool.if
@@ -52100,7 +52207,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..e426304 100644
+index 49694e8..3ad3019 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@@ -52278,7 +52385,13 @@ index 49694e8..e426304 100644
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
-@@ -162,48 +169,58 @@ auth_rw_var_auth(policykit_auth_t)
+@@ -157,53 +164,64 @@ files_search_home(policykit_auth_t)
+
+ fs_getattr_all_fs(policykit_auth_t)
+ fs_search_tmpfs(policykit_auth_t)
++fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
+
+ auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
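Review bot: The added `fs_dontaudit_append_ecryptfs_files(policykit_auth_t)` silences a denial without recording which access it covers; the changelog attributes it to `.xsession-errors` on ecryptfs-backed homes, so a comment such as `# stderr appends to ~/.xsession-errors on ecryptfs homes` next to the rule would keep that rationale with the policy. Because a dontaudit removes the event from the audit trail, it is worth confirming that append to all ecryptfs files is the narrowest rule that quiets the noise, since a broader silence also hides unrelated write attempts by this domain. The surrounding policykit_auth_t block starts and ends outside the hunk.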
@@ -52347,7 +52460,7 @@ index 49694e8..e426304 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +228,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +229,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@@ -52374,7 +52487,7 @@ index 49694e8..e426304 100644
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
-@@ -235,26 +249,28 @@ optional_policy(`
+@@ -235,26 +250,28 @@ optional_policy(`
########################################
#
@@ -52409,7 +52522,7 @@ index 49694e8..e426304 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +282,7 @@ optional_policy(`
+@@ -266,6 +283,7 @@ optional_policy(`
')
optional_policy(`
@@ -54016,7 +54129,7 @@ index 2e23946..41da729 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..2178086 100644
+index 191a66f..b11469c 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -54862,7 +54975,7 @@ index 191a66f..2178086 100644
+userdom_manage_user_home_content(postfix_virtual_t)
userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
-+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
++userdom_filetrans_home_content(postfix_virtual_t)
+
+########################################
+#
@@ -56797,7 +56910,7 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index d447152..c166238 100644
+index d447152..6f83f03 100644
--- a/procmail.te
+++ b/procmail.te
@@ -1,4 +1,4 @@
@@ -56905,7 +57018,7 @@ index d447152..c166238 100644
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
-+userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(procmail_t)
+
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
@@ -65986,7 +66099,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..66ec108 100644
+index e5212e6..37860b7 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -66251,7 +66364,7 @@ index e5212e6..66ec108 100644
miscfiles_read_public_files(nfsd_t)
-tunable_policy(`allow_nfsd_anon_write',`
-+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
++userdom_filetrans_home_content(nfsd_t)
+userdom_list_user_tmp(nfsd_t)
+
+# Write access to public_content_t and public_content_rw_t
@@ -66515,10 +66628,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..db87bca 100644
+index ebe91fc..cba31f2 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,67 @@
+@@ -1,61 +1,68 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -66540,6 +66653,7 @@ index ebe91fc..db87bca 100644
+
+/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -67773,17 +67887,19 @@ index d1fd97f..7ee8502 100644
-
-miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
-index d25301b..2d77839 100644
+index d25301b..d92f567 100644
--- a/rsync.fc
+++ b/rsync.fc
-@@ -1,6 +1,6 @@
+@@ -1,7 +1,7 @@
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
- /var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
+-/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
++/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)
+ /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
index f1140ef..c5bd83a 100644
--- a/rsync.if
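Review bot: The new file context `/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)` drops both the `--` regular-file qualifier and the escaped dot, so it now matches any object whose path merely begins with `/var/log/rsync` — directories, symlinks and unrelated siblings such as a hypothetical `/var/log/rsyncfoo` would all receive rsync_log_t on relabel. If the goal is only to catch rotated and daemon-named logs, a narrower form like `/var/log/rsyncd?\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)` keeps the widening deliberate, and `/var/log/rsync(/.*)?` would cover a dedicated log directory without claiming other paths. Whichever is intended, a short comment on the line explaining the widening would help, since the changelog only says "a little more liberal".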
@@ -69321,7 +69437,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..055c3c5 100644
+index 57c034b..b2eac61 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -69854,7 +69970,7 @@ index 57c034b..055c3c5 100644
lpd_exec_lpr(smbd_t)
')
-@@ -493,9 +476,34 @@ optional_policy(`
+@@ -493,9 +476,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -69880,8 +69996,7 @@ index 57c034b..055c3c5 100644
+ fs_manage_noxattr_fs_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
+')
-+
-+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++userdom_filetrans_home_content(nmbd_t)
+
########################################
#
@@ -69890,7 +70005,7 @@ index 57c034b..055c3c5 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +514,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +513,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -69905,7 +70020,7 @@ index 57c034b..055c3c5 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +530,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +529,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -69914,8 +70029,9 @@ index 57c034b..055c3c5 100644
-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
++manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -70013,11 +70129,11 @@ index 57c034b..055c3c5 100644
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-+
+
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
-
++
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
@@ -70374,7 +70490,7 @@ index 57c034b..055c3c5 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,11 +912,17 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +912,24 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -70393,6 +70509,14 @@ index 57c034b..055c3c5 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
userdom_manage_user_home_content_files(winbind_t)
+ userdom_manage_user_home_content_symlinks(winbind_t)
+ userdom_manage_user_home_content_pipes(winbind_t)
+ userdom_manage_user_home_content_sockets(winbind_t)
+-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(winbind_t)
+
+ optional_policy(`
+ ctdbd_stream_connect(winbind_t)
@@ -936,6 +937,10 @@ optional_policy(`
')
@@ -75307,7 +75431,7 @@ index e9bd097..80c9e56 100644
+/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
-index 1499b0b..82fc7f6 100644
+index 1499b0b..3052bd2 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -2,39 +2,45 @@
@@ -75659,7 +75783,7 @@ index 1499b0b..82fc7f6 100644
##
##
##
-@@ -348,19 +323,19 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -348,19 +323,60 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
##
##
#
@@ -75675,6 +75799,47 @@ index 1499b0b..82fc7f6 100644
+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
')
++######################################
++##
++## Transition to spamassassin named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_filetrans_home_content',`
++ gen_require(`
++ type spamc_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
++ userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++')
++
++######################################
++##
++## Transition to spamassassin named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_filetrans_admin_home_content',`
++ gen_require(`
++ type spamc_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++')
++
++
########################################
##
-## All of the rules required to
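Review bot: The new `spamassassin_filetrans_home_content` declares the `.spamassassin` transition with object class `file` and target `spamc_home_t`, while the rule it appears to replace — visible as a removed context line in the spamassassin.te section, `userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")` — used `dir` and `spamassassin_home_t`. If `~/.spamassassin` is created as a directory the `file` transition never fires and the directory falls back to the default home label; if it does fire, content that spamassassin_t manages as spamassassin_home_t would be created as spamc_home_t, so please confirm whether the two types are aliased or change the line to `userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")`. `spamassassin_filetrans_admin_home_content` repeats the same three lines, so whatever class and type are settled must be applied to both, and its description copies "Transition to spamassassin named content" verbatim where it could say it is the admin-home variant. The per-domain transitions removed in the later spamassassin.te hunks for spamassassin_t, spamd_t and spamc_t presumably rely on `userdom_home_manager` to reach this interface; that is not visible here.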
@@ -75684,7 +75849,7 @@ index 1499b0b..82fc7f6 100644
##
##
##
-@@ -369,20 +344,23 @@ interface(`spamassassin_stream_connect_spamd',`
+@@ -369,20 +385,22 @@ interface(`spamassassin_stream_connect_spamd',`
##
##
##
@@ -75692,7 +75857,7 @@ index 1499b0b..82fc7f6 100644
+## The role to be allowed to manage the spamassassin domain.
##
##
- ##
+-##
#
-interface(`spamassassin_admin',`
+interface(`spamassassin_spamd_admin',`
@@ -75711,7 +75876,7 @@ index 1499b0b..82fc7f6 100644
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -403,6 +381,4 @@ interface(`spamassassin_admin',`
+@@ -403,6 +421,4 @@ interface(`spamassassin_admin',`
files_list_pids($1)
admin_pattern($1, spamd_var_run_t)
@@ -75719,7 +75884,7 @@ index 1499b0b..82fc7f6 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..3a3ac18 100644
+index 4faa7e0..1485a62 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -1,4 +1,4 @@
@@ -75798,7 +75963,7 @@ index 4faa7e0..3a3ac18 100644
type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)
-@@ -72,87 +39,198 @@ type spamd_log_t;
+@@ -72,87 +39,196 @@ type spamd_log_t;
logging_log_file(spamd_log_t)
type spamd_spool_t;
@@ -75925,7 +76090,6 @@ index 4faa7e0..3a3ac18 100644
manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
-+userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
@@ -75936,7 +76100,6 @@ index 4faa7e0..3a3ac18 100644
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_home_manager(spamassassin_t)
+
kernel_read_kernel_sysctls(spamassassin_t)
@@ -76019,7 +76182,7 @@ index 4faa7e0..3a3ac18 100644
nis_use_ypbind_uncond(spamassassin_t)
')
')
-@@ -160,6 +238,8 @@ optional_policy(`
+@@ -160,6 +236,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -76028,7 +76191,7 @@ index 4faa7e0..3a3ac18 100644
')
########################################
-@@ -167,72 +247,87 @@ optional_policy(`
+@@ -167,72 +245,85 @@ optional_policy(`
# Client local policy
#
@@ -76067,11 +76230,9 @@ index 4faa7e0..3a3ac18 100644
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_append_user_home_content_files(spamc_t)
+# for /root/.pyzor
+allow spamc_t self:capability dac_override;
-+userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -76147,7 +76308,7 @@ index 4faa7e0..3a3ac18 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +338,7 @@ optional_policy(`
+@@ -243,6 +334,7 @@ optional_policy(`
')
optional_policy(`
@@ -76155,7 +76316,7 @@ index 4faa7e0..3a3ac18 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,52 +347,55 @@ optional_policy(`
+@@ -251,52 +343,55 @@ optional_policy(`
')
optional_policy(`
@@ -76236,7 +76397,7 @@ index 4faa7e0..3a3ac18 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,6 +407,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,6 +403,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -76244,7 +76405,7 @@ index 4faa7e0..3a3ac18 100644
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +417,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -76260,7 +76421,7 @@ index 4faa7e0..3a3ac18 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +432,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -76363,7 +76524,7 @@ index 4faa7e0..3a3ac18 100644
')
optional_policy(`
-@@ -421,21 +502,13 @@ optional_policy(`
+@@ -421,21 +498,13 @@ optional_policy(`
')
optional_policy(`
@@ -76387,7 +76548,7 @@ index 4faa7e0..3a3ac18 100644
')
optional_policy(`
-@@ -443,8 +516,8 @@ optional_policy(`
+@@ -443,8 +512,8 @@ optional_policy(`
')
optional_policy(`
@@ -76397,7 +76558,7 @@ index 4faa7e0..3a3ac18 100644
')
optional_policy(`
-@@ -455,7 +528,12 @@ optional_policy(`
+@@ -455,7 +524,12 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -76411,7 +76572,7 @@ index 4faa7e0..3a3ac18 100644
')
optional_policy(`
-@@ -463,9 +541,9 @@ optional_policy(`
+@@ -463,9 +537,9 @@ optional_policy(`
')
optional_policy(`
@@ -76422,7 +76583,7 @@ index 4faa7e0..3a3ac18 100644
')
optional_policy(`
-@@ -474,32 +552,32 @@ optional_policy(`
+@@ -474,32 +548,32 @@ optional_policy(`
########################################
#
@@ -76465,7 +76626,7 @@ index 4faa7e0..3a3ac18 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -78635,7 +78796,7 @@ index 42946bc..95a9aa3 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index e9c0964..6e84ad8 100644
+index e9c0964..20a31da 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -1,29 +1,28 @@
@@ -78678,7 +78839,7 @@ index e9c0964..6e84ad8 100644
telepathy_domain_template(gabble)
-@@ -67,176 +66,145 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,176 +66,144 @@ userdom_user_home_content(telepathy_sunshine_home_t)
#######################################
#
@@ -78868,7 +79029,6 @@ index e9c0964..6e84ad8 100644
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
-+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_mission_control_t)
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
@@ -78904,7 +79064,7 @@ index e9c0964..6e84ad8 100644
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
-@@ -245,59 +213,51 @@ optional_policy(`
+@@ -245,59 +212,51 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
@@ -78979,7 +79139,7 @@ index e9c0964..6e84ad8 100644
init_read_state(telepathy_msn_t)
-@@ -307,18 +267,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -307,18 +266,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
@@ -79004,7 +79164,7 @@ index e9c0964..6e84ad8 100644
')
optional_policy(`
-@@ -329,43 +290,33 @@ optional_policy(`
+@@ -329,43 +289,33 @@ optional_policy(`
')
')
@@ -79053,7 +79213,7 @@ index e9c0964..6e84ad8 100644
')
optional_policy(`
-@@ -378,73 +329,53 @@ optional_policy(`
+@@ -378,73 +328,53 @@ optional_policy(`
#######################################
#
@@ -79137,7 +79297,7 @@ index e9c0964..6e84ad8 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +383,39 @@ optional_policy(`
+@@ -452,31 +382,39 @@ optional_policy(`
#######################################
#
@@ -80208,7 +80368,7 @@ index 0000000..aaf768a
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te
-index 4257ede..5b3949a 100644
+index 4257ede..fc265b8 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
@@ -80235,7 +80395,14 @@ index 4257ede..5b3949a 100644
userdom_write_user_tmp_sockets(thunderbird_t)
-@@ -113,17 +110,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+@@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t)
+
+ userdom_manage_user_home_content_dirs(thunderbird_t)
+ userdom_manage_user_home_content_files(thunderbird_t)
+-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
++userdom_filetrans_home_content(thunderbird_t)
+
+ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
xserver_read_xdm_tmp_files(thunderbird_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
@@ -81185,11 +81352,47 @@ index 7116181..9815e42 100644
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
')
+diff --git a/tvtime.if b/tvtime.if
+index 1bb0f7c..372be2f 100644
+--- a/tvtime.if
++++ b/tvtime.if
+@@ -1,5 +1,23 @@
+ ## High quality television application.
+
++#######################################
++##
++## Transition to alsa named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`tvtime_filetrans_home_content',`
++ gen_require(`
++ type tvtime_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime")
++')
++
+ ########################################
+ ##
+ ## Role access for tvtime
diff --git a/tvtime.te b/tvtime.te
-index 3292fcc..3cc43ed 100644
+index 3292fcc..20099b0 100644
--- a/tvtime.te
+++ b/tvtime.te
-@@ -61,7 +61,6 @@ dev_read_realtime_clock(tvtime_t)
+@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+ manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+ manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+ manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+-userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+
+ manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+ manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+@@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t)
dev_read_sound(tvtime_t)
dev_read_urand(tvtime_t)
@@ -81197,7 +81400,7 @@ index 3292fcc..3cc43ed 100644
fs_getattr_all_fs(tvtime_t)
fs_search_auto_mountpoints(tvtime_t)
-@@ -69,21 +68,12 @@ fs_search_auto_mountpoints(tvtime_t)
+@@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t)
auth_use_nsswitch(tvtime_t)
miscfiles_read_fonts(tvtime_t)
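Review bot: The description header of the new `tvtime_filetrans_home_content` reads `## Transition to alsa named content`, evidently copied from the alsa interface; it should read `## Transition to tvtime named content` so the generated interface documentation names the right module. The body otherwise corresponds to the rule dropped from tvtime.te in the same hunk, `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)`, but is now qualified to the name `.tvtime`, which is narrower than the removed unnamed rule — any other directory tvtime_t creates in a home directory will no longer be labelled tvtime_home_t, and a sentence in the description saying that narrowing is intended would save a future reader the check.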
@@ -86884,7 +87087,7 @@ index b51923c..bdbac3a 100644
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
diff --git a/wireshark.te b/wireshark.te
-index cf5cab6..d379bd6 100644
+index cf5cab6..a2d910f 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
@@ -86929,7 +87132,7 @@ index cf5cab6..d379bd6 100644
- fs_manage_cifs_files(wireshark_t)
- fs_manage_cifs_symlinks(wireshark_t)
-')
-+userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
++userdom_filetrans_home_content(wireshark_t)
-optional_policy(`
- seutil_use_newrole_fds(wireshark_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1e30a09..835adda 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,52 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Feb 27 2013 Miroslav Grepl 3.12.1-16
+- Fix authconfig.py labeling
+- Make any domains that write homedir content do it correctly
+- Allow glusterd to read/write anyhwere on the file system by default
+- Be a little more liberal with the rsync log files
+- Fix iscsi_admin interface
+- Allow iscsid_t to read /dev/urand
+- Fix up iscsi domain for use with unit files
+- Add filename transition support for spamassassin policy
+- Allow web plugins to use badly formated libraries
+- Allow nmbd_t to create samba_var_t directories
+- Add filename transition support for spamassassin policy
+- Add filename transition support for tvtime
+- Fix alsa_home_filetrans_alsa_home() interface
+- Move all userdom_filetrans_home_content() calling out of booleans
+- Allow logrotote to getattr on all file sytems
+- Remove duplicate userdom_filetrans_home_content() calling
+- Allow kadmind to read /etc/passwd
+- Dontaudit append .xsession-errors file on ecryptfs for policykit-auth
+- Allow antivirus domain to manage antivirus db links
+- Allow logrotate to read /sys
+- Allow mandb to setattr on man dirs
+- Remove mozilla_plugin_enable_homedirs boolean
+- Fix ftp_home_dir boolean
+- homedir mozilla filetrans has been moved to userdom_home_manager
+- homedir telepathy filetrans has been moved to userdom_home_manager
+- Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd()
+- Might want to eventually write a daemon on fusefsd.
+- Add policy fixes for sshd [net] child from plautrba@redhat.com
+- Tor uses a new port
+- Remove bin_t for authconfig.py
+- Fix so only one call to userdom_home_file_trans
+- Allow home_manager_types to create content with the correctl label
+- Fix all domains that write data into the homedir to do it with the correct label
+- Change the postgresql to use proper boolean names, which is causing httpd_t to
+- not get access to postgresql_var_run_t
+- Hostname needs to send syslog messages
+- Localectl needs to be able to send dbus signals to users
+- Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default
+- Allow user_home_manger domains to create spam* homedir content with correct labeling
+- Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling
+- Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working
+- Declare userdom_filetrans_type attribute
+- userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute
+- fusefsd is mounding a fuse file system on /run/user/UID/gvfs
+
* Thu Feb 21 2013 Miroslav Grepl 3.12.1-15
- Man pages are now generated in the build process
- Allow cgred to list inotifyfs filesystem