diff --git a/policy-20080710.patch b/policy-20080710.patch
index e92e00b..cac8643 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -8170,8 +8170,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.5/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/roles/staff.te	2008-08-25 10:50:15.000000000 -0400
-@@ -8,18 +8,34 @@
++++ serefpolicy-3.5.5/policy/modules/roles/staff.te	2008-08-28 09:46:16.000000000 -0400
+@@ -8,23 +8,50 @@
  
  role staff_r;
  
@@ -8192,10 +8192,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-+	cron_per_role_template(staff, staff_t, staff_r)
-+')
-+
-+optional_policy(`
 +	logadm_role_change_template(staff)
 +')
 +
@@ -8207,7 +8203,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	secadm_role_change_template(staff)
  ')
  
-@@ -28,3 +44,14 @@
+ optional_policy(`
++	ssh_per_role_template(staff, staff_t, staff_r)
++')
++
++optional_policy(`
+ 	sysadm_role_change_template(staff)
  	sysadm_dontaudit_use_terms(staff_t)
  ')
  
@@ -9639,7 +9640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.5/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/apache.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/apache.if	2008-08-29 14:16:41.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -10129,7 +10130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1098,3 +1071,144 @@
+@@ -1098,3 +1071,178 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -10274,9 +10275,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
 +')
 +')
++
++########################################
++## <summary>
++##	Mark content as being readable by standard apache processes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`apache_ro_content',`
++	gen_require(`
++		attribute httpd_ro_content;
++	')
++	typeattribute $1  httpd_ro_content;
++')
++
++########################################
++## <summary>
++##	Mark content as being read/write by standard apache processes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`apache_rw_content',`
++	gen_require(`
++		attribute httpd_rw_content;
++	')
++	typeattribute $1  httpd_rw_content;
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/apache.te	2008-08-26 10:08:47.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/apache.te	2008-08-29 14:24:52.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
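Review bot: The `<param name="domain">` / "Domain allowed access." documentation on both new templates (`apache_ro_content`, `apache_rw_content`) does not describe their parameter: `typeattribute $1 httpd_ro_content` is applied to a file type that is being marked as content, not to a process domain. Suggested doc for the first: `## <param name="type">` / `##	File type to be marked as read-only web content (listable/readable by httpd_t).`, and for the second the summary should say the marked type becomes fully manageable (create/read/write/delete of files, dirs and symlinks) by httpd_t and httpd_sys_script_t, since that is what the rules appended to apache.te in this commit grant on `httpd_rw_content`. Both bodies only `gen_require` an attribute and assign it, which by refpolicy convention is an `interface()` rather than a `template()`; the double space in `typeattribute $1  httpd_ro_content;` should also go.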
@@ -10322,7 +10357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </p>
  ## </desc>
  gen_tunable(httpd_can_network_connect, false)
-@@ -109,14 +125,33 @@
+@@ -109,14 +125,35 @@
  ## </desc>
  gen_tunable(httpd_unified, false)
  
@@ -10347,6 +10382,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_sys_script_anon_write, false)
 +
++attribute httpd_ro_content;
++attribute httpd_rw_content;
  attribute httpdcontent;
 -attribute httpd_user_content_type;
  
@@ -10358,7 +10395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # user script domains
  attribute httpd_script_domains;
-@@ -147,6 +182,9 @@
+@@ -147,6 +184,9 @@
  type httpd_log_t;
  logging_log_file(httpd_log_t)
  
@@ -10368,17 +10405,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # httpd_modules_t is the type given to module files (libraries) 
  # that come with Apache /etc/httpd/modules and /usr/lib/apache
  type httpd_modules_t;
-@@ -180,6 +218,9 @@
+@@ -180,6 +220,9 @@
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
-+typeattribute httpd_sys_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_content_rw_t httpdcontent; # customizable
++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
 +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -202,12 +243,16 @@
+@@ -202,12 +245,16 @@
  	prelink_object_file(httpd_modules_t)
  ')
  
@@ -10396,7 +10433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -249,6 +294,7 @@
+@@ -249,6 +296,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -10404,7 +10441,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +335,7 @@
+@@ -260,9 +308,9 @@
+ 
+ allow httpd_t httpd_suexec_exec_t:file { getattr read };
+ 
+-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
++allow httpd_t httpd_ro_content:dir list_dir_perms;
++read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
++read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+ 
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+@@ -289,6 +337,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -10412,7 +10462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -312,12 +359,11 @@
+@@ -312,12 +361,11 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -10427,7 +10477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -335,6 +381,10 @@
+@@ -335,6 +383,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -10438,7 +10488,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -351,18 +401,33 @@
+@@ -351,18 +403,33 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -10459,7 +10509,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_pam, false)
 +
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+-	auth_domtrans_chk_passwd(httpd_t)
 +	auth_domtrans_chkpwd(httpd_t)
 +')
 +
@@ -10470,13 +10521,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 +optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
--	auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
 +		samba_domtrans_winbind_helper(httpd_t)
  ')
  ')
  
-@@ -370,6 +435,16 @@
+@@ -370,6 +437,16 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
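Review bot: The rewritten block under `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` still gates `samba_domtrans_winbind_helper(httpd_t)` on the PAM boolean: the added line reads `+tunable_policy(`allow_httpd_mod_auth_pam',`. As written `allow_httpd_mod_auth_ntlm_winbind` controls nothing, and enabling `allow_httpd_mod_auth_pam` silently grants the winbind helper transition on top of the chkpwd transition granted in the previous hunk. Change it to `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` and indent it one tab so it nests visibly inside its `optional_policy(`; the same mis-gating was present in the line this hunk replaces, so the commit rewrites it without fixing it.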
@@ -10493,7 +10543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_can_network_relay',`
  	# allow httpd to work as a relay
  	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,23 +457,34 @@
+@@ -382,23 +459,34 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
@@ -10504,14 +10554,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
 +	can_exec(httpd_sys_script_t, httpd_sys_content_t)
 +')
-+
-+tunable_policy(`allow_httpd_sys_script_anon_write',`
-+	miscfiles_manage_public_files(httpd_sys_script_t)
-+') 
  
 -	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 -	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
 -	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
++tunable_policy(`allow_httpd_sys_script_anon_write',`
++	miscfiles_manage_public_files(httpd_sys_script_t)
++') 
++
 +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 +	domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
 +	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
@@ -10536,7 +10586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	fs_read_nfs_files(httpd_t)
  	fs_read_nfs_symlinks(httpd_t)
  ')
-@@ -408,6 +494,11 @@
+@@ -408,6 +496,11 @@
  	fs_read_cifs_symlinks(httpd_t)
  ')
  
@@ -10548,7 +10598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +532,13 @@
+@@ -441,8 +534,13 @@
  ')
  
  optional_policy(`
@@ -10564,7 +10614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -454,18 +550,13 @@
+@@ -454,18 +552,13 @@
  ')
  
  optional_policy(`
@@ -10584,7 +10634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -475,6 +566,12 @@
+@@ -475,6 +568,12 @@
  	openca_kill(httpd_t)
  ')
  
@@ -10597,7 +10647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
-@@ -482,6 +579,7 @@
+@@ -482,6 +581,7 @@
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		postgresql_tcp_connect(httpd_t)
@@ -10605,7 +10655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -490,6 +588,7 @@
+@@ -490,6 +590,7 @@
  ')
  
  optional_policy(`
@@ -10613,7 +10663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -519,9 +618,28 @@
+@@ -519,9 +620,28 @@
  logging_send_syslog_msg(httpd_helper_t)
  
  tunable_policy(`httpd_tty_comm',`
@@ -10642,7 +10692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Apache PHP script local policy
-@@ -551,22 +669,27 @@
+@@ -551,22 +671,27 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -10676,7 +10726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -590,6 +713,8 @@
+@@ -590,6 +715,8 @@
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -10685,7 +10735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +723,7 @@
+@@ -598,9 +725,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -10696,7 +10746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +756,21 @@
+@@ -633,12 +758,21 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -10721,7 +10771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +779,12 @@
+@@ -647,6 +781,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -10734,7 +10784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,10 +802,6 @@
+@@ -664,10 +804,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -10745,7 +10795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Apache system script local policy
-@@ -677,7 +811,8 @@
+@@ -677,7 +813,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -10755,7 +10805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +826,15 @@
+@@ -691,12 +828,15 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -10773,7 +10823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +842,28 @@
+@@ -704,6 +844,28 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -10802,7 +10852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +876,10 @@
+@@ -716,10 +878,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -10817,7 +10867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -727,6 +887,8 @@
+@@ -727,6 +889,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -10826,7 +10876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +903,48 @@
+@@ -741,3 +905,56 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -10875,6 +10925,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	postgresql_stream_connect(httpd_bugzilla_script_t)
 +')
++
++manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
++manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
++manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
++
++manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
++manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
++manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.5/policy/modules/services/apcupsd.fc
 --- nsaserefpolicy/policy/modules/services/apcupsd.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.5/policy/modules/services/apcupsd.fc	2008-08-25 10:50:15.000000000 -0400
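Review bot: The six `manage_*_pattern(..., httpdcontent, httpd_rw_content)` rules are appended after the bugzilla section at the very end of apache.te, far from the `httpd_ro_content` read rules they complement and outside the httpd_t and httpd_sys_script_t local-policy sections. They are also unconditional, so any type later marked via apache_rw_content becomes fully manageable by both domains and such objects may be created inside any `httpdcontent` directory (the first pattern argument); if that is the intended contract it deserves a one-line comment such as `# rw content is always writable by httpd and its system scripts, no tunable gates it`. Move each trio into the respective domain's section and write them with spaces after the commas (`manage_dirs_pattern(httpd_t, httpdcontent, httpd_rw_content)`) to match the rest of the file.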
@@ -12538,9 +12596,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_dontaudit_rw_cifs_files(consolekit_t)
 +')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.5/policy/modules/services/courier.fc
+--- nsaserefpolicy/policy/modules/services/courier.fc	2008-08-14 13:08:27.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/courier.fc	2008-08-26 20:27:36.000000000 -0400
+@@ -21,3 +21,4 @@
+ /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
+ 
+ /var/spool/courier(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
++/var/spool/authdaemon(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.5/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2008-08-14 13:08:27.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/courier.te	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/courier.te	2008-08-28 09:50:54.000000000 -0400
 @@ -28,6 +28,7 @@
  
  type courier_exec_t;
@@ -12549,6 +12615,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  courier_domain_template(sqwebmail)
  typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+@@ -73,6 +74,9 @@
+ 
+ sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
+ 
++files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++
+ ########################################
+ #
+ # Calendar (PCP) local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.5/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.5/policy/modules/services/cron.fc	2008-08-25 10:50:15.000000000 -0400
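Review bot: `files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)` passes three arguments to an interface that is called with one everywhere else in this patch (`files_search_spool(mailman_mail_t)`, `files_search_spool($1)`); m4 drops the extra arguments silently, so the line builds but reads as if it granted something on courier_spool_t. Change it to `files_search_spool(courier_authdaemon_t)`. The enclosing courier_authdaemon_t section starts outside this hunk.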
@@ -12568,7 +12644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.5/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/cron.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/cron.if	2008-08-26 20:18:25.000000000 -0400
 @@ -35,39 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -12737,7 +12813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	##############################
  	#
  	# $1_crontab_t local policy
-@@ -193,9 +84,13 @@
+@@ -193,10 +84,13 @@
  	# dac_override is to create the file in the directory under /tmp
  	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
  	allow $1_crontab_t self:process signal_perms;
@@ -12746,12 +12822,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
 +	allow $2 $1_crontab_t:fd use;
-+
-+	auth_domtrans_chk_passwd($1_crontab_t)
  
++	auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t })
  	# crontab shows up in user ps
  	ps_process_pattern($2, $1_crontab_t)
-@@ -206,9 +101,6 @@
+ 
+@@ -206,9 +100,6 @@
  	# Allow crond to read those crontabs in cron spool.
  	allow crond_t $1_cron_spool_t:file manage_file_perms;
  
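Review bot: The added `auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t })` references `$1_devpts_t` and `$1_tty_device_t`; if cron_per_role_template's `gen_require` block (outside this hunk) does not already declare them, the template will not build as a module. Compared with the `auth_domtrans_chk_passwd` it replaces, the run variant presumably also hands the caller's terminal types to the chkpwd domain (that is what the third argument is for), so a short comment such as `# crontab authenticates the invoking user; chkpwd needs the role and the user's terminals` would record the intent. The rearrangement also drops the blank line that used to separate this call from `# crontab shows up in user ps`; restore it.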
@@ -12761,7 +12837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# create files in /var/spool/cron
  	manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t)
  	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file)
-@@ -227,27 +119,32 @@
+@@ -227,27 +118,32 @@
  	# Run helper programs as the user domain
  	corecmd_bin_domtrans($1_crontab_t, $2)
  	corecmd_shell_domtrans($1_crontab_t, $2)
@@ -12796,7 +12872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	tunable_policy(`fcron_crond',`
  		# fcron wants an instant update of a crontab change for the administrator
-@@ -286,14 +183,12 @@
+@@ -286,14 +182,12 @@
  template(`cron_admin_template',`
  	gen_require(`
  		attribute cron_spool_type;
@@ -12812,7 +12888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Manipulate other users crontab.
  	selinux_get_fs_mount($1_crontab_t)
  	selinux_validate_context($1_crontab_t)
-@@ -421,6 +316,24 @@
+@@ -421,6 +315,24 @@
  
  ########################################
  ## <summary>
@@ -12837,20 +12913,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -439,7 +352,7 @@
+@@ -439,7 +351,26 @@
  
  ########################################
  ## <summary>
 -##	Read, and write cron daemon TCP sockets.
 +##	Read temporary files from cron.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -447,7 +360,26 @@
- ##	</summary>
- ## </param>
- #
--interface(`cron_rw_tcp_sockets',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`cron_read_tmp_files',`
 +	gen_require(`
 +		type crond_tmp_t;
@@ -12863,18 +12938,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +########################################
 +## <summary>
 +##	Dontaudit Read, and write cron daemon TCP sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -447,7 +378,7 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`cron_rw_tcp_sockets',`
 +interface(`cron_dontaudit_rw_tcp_sockets',`
  	gen_require(`
  		type crond_t;
  	')
-@@ -559,11 +491,14 @@
+@@ -559,11 +490,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -12890,7 +12966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -584,3 +519,44 @@
+@@ -584,3 +518,44 @@
  
  	dontaudit $1 system_crond_tmp_t:file append;
  ')
@@ -13416,7 +13492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.5/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/cups.te	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/cups.te	2008-08-29 12:52:54.000000000 -0400
 @@ -48,6 +48,9 @@
  type hplip_t;
  type hplip_exec_t;
@@ -13624,6 +13700,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
+@@ -281,7 +326,7 @@
+ # Cups configuration daemon local policy
+ #
+ 
+-allow cupsd_config_t self:capability { chown sys_tty_config };
++allow cupsd_config_t self:capability { chown dav_override sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+ allow cupsd_config_t self:process signal_perms;
+ allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
 @@ -326,6 +371,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
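Review bot: `dav_override` in the new `allow cupsd_config_t self:capability { chown dav_override sys_tty_config };` is not a capability permission and should fail the policy compile; it is almost certainly a typo for `dac_override`, which is spelled correctly elsewhere in this patch (cron.if, mailman.te). Because dac_override lets cupsd_config_t bypass all file-permission checks, the corrected line should carry a comment naming the operation that needs it, e.g. `# dac_override: <TODO — name the file access that triggered this>` rather than a bare grant. The cupsd_config_t section continues outside the hunk.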
@@ -17715,7 +17800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.5/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/mailman.te	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/mailman.te	2008-08-28 09:24:48.000000000 -0400
 @@ -53,10 +53,9 @@
  	apache_use_fds(mailman_cgi_t)
  	apache_dontaudit_append_log(mailman_cgi_t)
@@ -17734,7 +17819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 +allow mailman_mail_t initrc_t:process signal;
-+allow mailman_mail_t self:process signal;
++allow mailman_mail_t self:process { signal signull };
 +allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
 +
 +files_search_spool(mailman_mail_t)
@@ -19945,7 +20030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.5/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.5/policy/modules/services/polkit.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/polkit.if	2008-08-26 20:18:05.000000000 -0400
 @@ -0,0 +1,212 @@
 +
 +## <summary>policy for polkit_auth</summary>
@@ -20396,7 +20481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.5/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/postfix.fc	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/postfix.fc	2008-08-26 13:08:46.000000000 -0400
 @@ -29,12 +29,10 @@
  /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
  /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -20500,7 +20585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.5/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/postfix.te	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/postfix.te	2008-08-26 13:30:44.000000000 -0400
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -20695,7 +20780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
-@@ -407,6 +446,10 @@
+@@ -407,6 +446,14 @@
  ')
  
  optional_policy(`
@@ -20703,10 +20788,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
++	spamassassin_domtrans_spamc(postfix_pipe_t)
++')
++
++optional_policy(`
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -443,8 +486,7 @@
+@@ -443,8 +490,7 @@
  ')
  
  optional_policy(`
@@ -20716,7 +20805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -470,6 +512,15 @@
+@@ -470,6 +516,15 @@
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
  
@@ -20732,7 +20821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Postfix qmgr local policy
-@@ -564,6 +615,10 @@
+@@ -564,6 +619,10 @@
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -20743,7 +20832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Postfix virtual local policy
-@@ -579,7 +634,7 @@
+@@ -579,7 +638,7 @@
  files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
  
  # connect to master process
@@ -21280,7 +21369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.5/policy/modules/services/prelude.if
 --- nsaserefpolicy/policy/modules/services/prelude.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/prelude.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/prelude.if	2008-08-29 14:42:14.000000000 -0400
 @@ -6,7 +6,7 @@
  ## </summary>
  ## <param name="domain">
@@ -21322,7 +21411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	Read/Write to prelude-manager spool files.
++##	Manage to prelude-manager spool files.
 +## </summary>
 +## <param name="domain">
 +## <summary>
@@ -21330,14 +21419,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </summary>
 +## </param>
 +#
-+interface(`prelude_rw_spool',`
++interface(`prelude_manage_spool',`
 +	gen_require(`
 +		type prelude_spool_t;
 +	')
 +
 +	files_search_spool($1)
-+	list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
-+	rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
++	manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
++	manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
 +')
 +
 +########################################
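Review bot: The renamed `prelude_manage_spool` widens the grant from list/rw to full manage of prelude_spool_t dirs and files, but the summary rewritten in the preceding hunk still reads `##	Manage to prelude-manager spool files.`; make it `##	Create, read, write, and delete prelude-manager spool files and directories.` so the wider scope is visible in the generated docs. Since `prelude_rw_spool` is removed rather than kept as an alias, any caller of the old name elsewhere in this patch (not visible here) will no longer expand and must be updated in the same change.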
@@ -21872,7 +21961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/rc.d/init.d/pyzord	--	gen_context(system_u:object_r:pyzord_script_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.5/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/pyzor.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/pyzor.if	2008-08-26 13:06:33.000000000 -0400
 @@ -25,16 +25,16 @@
  #
  template(`pyzor_per_role_template',`
@@ -24886,7 +24975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/rc.d/init.d/spamd	--	gen_context(system_u:object_r:spamd_script_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.5/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/spamassassin.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/spamassassin.if	2008-08-26 13:44:12.000000000 -0400
 @@ -34,10 +34,10 @@
  # cjp: when tunables are available, spamc stuff should be
  # toggled on activation of spamc, and similarly for spamd.
@@ -25969,7 +26058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.5/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/ssh.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/ssh.if	2008-08-29 13:10:02.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -25990,7 +26079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	##############################
  	#
-@@ -93,18 +95,18 @@
+@@ -93,20 +95,21 @@
  	ps_process_pattern($2, $1_ssh_t)
  
  	# user can manage the keys and config
@@ -26016,8 +26105,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
  
  	kernel_read_kernel_sysctls($1_ssh_t)
++	kernel_read_system_state($1_ssh_t)
  
-@@ -212,7 +214,7 @@
+ 	corenet_all_recvfrom_unlabeled($1_ssh_t)
+ 	corenet_all_recvfrom_netlabel($1_ssh_t)
+@@ -212,7 +215,7 @@
  
  	ssh_basic_client_template($1, $2, $3)
  
@@ -26026,7 +26118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	type $1_ssh_agent_t;
  	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
-@@ -240,9 +242,9 @@
+@@ -240,9 +243,9 @@
  	manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
  	fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -26039,7 +26131,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# Allow the ssh program to communicate with ssh-agent.
  	stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-@@ -413,6 +415,25 @@
+@@ -254,6 +257,8 @@
+ 	userdom_use_unpriv_users_fds($1_ssh_t)
+ 	userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
+ 	userdom_search_user_home_dirs($1,$1_ssh_t)
++	userdom_write_user_tmp_sockets(user,$1_ssh_t)
++
+ 	# Write to the user domain tty.
+ 	userdom_use_user_terminals($1,$1_ssh_t)
+ 	# needs to read krb tgt
+@@ -282,21 +287,10 @@
+ 	')
+ 
+ 	optional_policy(`
+-		xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
++#		xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
+ 		xserver_domtrans_user_xauth($1, $1_ssh_t)
+ 	')
+ 
+-	ifdef(`TODO',`
+-	# for /bin/sh used to execute xauth
+-	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
+-
+-	#allow ssh to access keys stored on removable media
+-	# Should we have a boolean around this?
+-	files_search_mnt($1_ssh_t)
+-	r_dir_file($1_ssh_t, removable_t) 
+-
+-	') dnl endif TODO
+-
+ 	##############################
+ 	#
+ 	# $1_ssh_agent_t local policy
+@@ -383,10 +377,6 @@
+ 		xserver_rw_xdm_pipes($1_ssh_agent_t)
+ 	')
+ 
+-	ifdef(`TODO',`
+-	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
+-	') dnl endif TODO
+-
+ 	##############################
+ 	#
+ 	# $1_ssh_keysign_t local policy
+@@ -413,6 +403,25 @@
  	')
  ')
  
@@ -26065,7 +26200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #######################################
  ## <summary>
  ##	The template to define a ssh server.
-@@ -443,13 +464,14 @@
+@@ -443,13 +452,14 @@
  	type $1_var_run_t;
  	files_pid_file($1_var_run_t)
  
@@ -26081,7 +26216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
  	term_create_pty($1_t,$1_devpts_t)
-@@ -479,6 +501,10 @@
+@@ -479,6 +489,10 @@
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
  	corenet_sendrecv_ssh_server_packets($1_t)
@@ -26092,7 +26227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -506,9 +532,14 @@
+@@ -506,9 +520,14 @@
  
  	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
  	userdom_search_all_users_home_dirs($1_t)
@@ -26107,7 +26242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +548,7 @@
+@@ -517,11 +536,7 @@
  
  	optional_policy(`
  		kerberos_use($1_t)
@@ -26120,7 +26255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	optional_policy(`
-@@ -710,3 +737,22 @@
+@@ -710,3 +725,22 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
@@ -26762,7 +26897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.5/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/xserver.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/xserver.if	2008-08-28 14:39:44.000000000 -0400
 @@ -16,6 +16,7 @@
  	gen_require(`
  		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -26823,11 +26958,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		type iceauth_exec_t, xauth_exec_t;
  		attribute fonts_type, fonts_cache_type, fonts_config_type;
 +		type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;
-+		type iceauth_home_t, xauth_home_t, xauth_tmp_t;
++		type iceauth_home_t, xauth_t, xauth_home_t, xauth_tmp_t;
  	')
  
  	##############################
-@@ -280,35 +293,25 @@
+@@ -280,61 +293,41 @@
  	xserver_common_domain_template($1)
  	role $3 types $1_xserver_t;
  
@@ -26851,33 +26986,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	type $1_iceauth_home_t alias $1_iceauth_rw_t;
 -	files_poly_member($1_iceauth_home_t)
 -	userdom_user_home_content($1, $1_iceauth_home_t)
-+	typealias iceauth_home_t alias $1_iceauth_rw_t;
-+	typealias iceauth_home_t alias $1_iceauth_home_t;
- 
- 	type $1_xauth_t;
- 	domain_type($1_xauth_t)
- 	domain_entry_file($1_xauth_t, xauth_exec_t)
- 	role $3 types $1_xauth_t;
- 
+-
+-	type $1_xauth_t;
+-	domain_type($1_xauth_t)
+-	domain_entry_file($1_xauth_t, xauth_exec_t)
+-	role $3 types $1_xauth_t;
+-
 -	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
 -	files_poly_member($1_xauth_home_t)
 -	userdom_user_home_content($1, $1_xauth_home_t)
--
++	typealias iceauth_home_t alias $1_iceauth_rw_t;
++	typealias iceauth_home_t alias $1_iceauth_home_t;
+ 
 -	type $1_xauth_tmp_t;
 -	files_tmp_file($1_xauth_tmp_t)
+-
+-	##############################
+-	#
+-	# $1_xserver_t Local policy
+-	#
 +	typealias xauth_home_t alias $1_xauth_rw_t;
 +	typealias xauth_home_t alias $1_xauth_home_t;
  
- 	##############################
- 	#
-@@ -317,24 +320,24 @@
- 
- 	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
+-	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
++	allow $1_xserver_t xauth_home_t:file { getattr read };
  
 -	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-+	allow $1_xserver_t xauth_home_t:file { getattr read };
++	domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t)
++	role $3 types xauth_t;
  
- 	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
+-	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
  	allow $1_xserver_t $2:process signal;
  
  	allow $1_xserver_t $2:shm rw_shm_perms;
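Review bot: `allow $1_xserver_t xauth_home_t:file { getattr read };` replaces the per-role `$1_xauth_home_t` with the single `xauth_home_t` type, so every role's X server (and, via the `$2` rules below, every user domain) is now authorised on every user's .Xauthority file and the cookie separation between roles rests on DAC and MLS only; the hunk does not record this. Add a comment at that line, e.g. `# xauth_home_t is shared by all roles; .Xauthority isolation relies on DAC/MLS`, so the next reader does not assume per-role containment. `role $3 types xauth_t;` is emitted once per template instantiation, which is fine for repeated role statements, but a brief comment that `xauth_t` is a shared domain declared in xserver.te would help here too. The template starts outside this hunk.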
@@ -26905,7 +27043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t)
  
-@@ -348,6 +351,8 @@
+@@ -348,85 +341,32 @@
  
  	locallogin_use_fds($1_xserver_t)
  
@@ -26914,10 +27052,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	userdom_search_user_home_dirs($1, $1_xserver_t)
  	userdom_use_user_ttys($1, $1_xserver_t)
  	userdom_setattr_user_ttys($1, $1_xserver_t)
-@@ -355,18 +360,12 @@
+ 	userdom_rw_user_tmpfs_files($1, $1_xserver_t)
  
  	xserver_use_user_fonts($1, $1_xserver_t)
- 	xserver_rw_xdm_tmp_files($1_xauth_t)
+-	xserver_rw_xdm_tmp_files($1_xauth_t)
++	xserver_rw_xdm_tmp_files(xauth_t)
 +	xserver_read_xdm_xserver_tmp_files($2)
  
  	optional_policy(`
@@ -26930,43 +27069,78 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -		allow $1_xserver_t xdm_var_run_t:dir search;
 -	')
 -	') dnl end TODO
--
- 	##############################
- 	#
- 	# $1_xauth_t Local policy
-@@ -375,12 +374,12 @@
- 	allow $1_xauth_t self:process signal;
- 	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
++	allow $2 xauth_t:process signal;
  
+-	##############################
+-	#
+-	# $1_xauth_t Local policy
+-	#
+-
+-	allow $1_xauth_t self:process signal;
+-	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+-
 -	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
-+	allow $1_xauth_t xauth_home_t:file manage_file_perms;
-+	userdom_user_home_dir_filetrans($1, $1_xauth_t, xauth_home_t, file)
- 
+-
 -	manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
 -	manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
 -	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
-+	manage_dirs_pattern($1_xauth_t, xauth_tmp_t, xauth_tmp_t)
-+	manage_files_pattern($1_xauth_t, xauth_tmp_t, xauth_tmp_t)
-+	files_tmp_filetrans($1_xauth_t, xauth_tmp_t, { file dir })
- 
- 	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+-
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+-
+-	allow $2 $1_xauth_t:process signal;
++    	allow $2 xauth_home_t:file manage_file_perms;
++	allow $2 xauth_home_t:file { relabelfrom relabelto };
  
-@@ -389,11 +388,8 @@
  	# allow ps to show xauth
- 	ps_process_pattern($2,$1_xauth_t)
- 
+-	ps_process_pattern($2,$1_xauth_t)
+-
 -	allow $2 $1_xauth_home_t:file manage_file_perms;
 -	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 -
 -	allow xdm_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file)
-+	allow $2 xauth_home_t:file manage_file_perms;
-+	allow $2 xauth_home_t:file { relabelfrom relabelto };
+-
+-	domain_use_interactive_fds($1_xauth_t)
+-
+-	files_read_etc_files($1_xauth_t)
+-	files_search_pids($1_xauth_t)
+-
+-	fs_getattr_xattr_fs($1_xauth_t)
+-	fs_search_auto_mountpoints($1_xauth_t)
+-
+-	# cjp: why?
+-	term_use_ptmx($1_xauth_t)
+-
+-	auth_use_nsswitch($1_xauth_t)
+-
+-	libs_use_ld_so($1_xauth_t)
+-	libs_use_shared_libs($1_xauth_t)
++	ps_process_pattern($2,xauth_t)
  
- 	domain_use_interactive_fds($1_xauth_t)
+-	userdom_use_user_terminals($1, $1_xauth_t)
+-	userdom_read_user_tmp_files($1, $1_xauth_t)
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_manage_nfs_files($1_xauth_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_manage_cifs_files($1_xauth_t)
+-	')
+-
+-	optional_policy(`
+-		ssh_sigchld($1_xauth_t)
+-		ssh_read_pipes($1_xauth_t)
+-		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
+-	')
++	userdom_use_user_terminals($1, xauth_t)
++	userdom_read_user_tmp_files($1, xauth_t)
  
-@@ -435,16 +431,16 @@
+ 	##############################
+ 	#
+@@ -435,16 +375,16 @@
  
  	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
  
@@ -26988,7 +27162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	fs_search_auto_mountpoints($1_iceauth_t)
  
-@@ -467,34 +463,12 @@
+@@ -467,34 +407,12 @@
  	#
  
  	# Device rules
@@ -27025,7 +27199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
  	allow $2 info_xproperty_t:x_property { create write append };
  
-@@ -610,7 +584,7 @@
+@@ -610,7 +528,7 @@
  #	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -27034,7 +27208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -618,8 +592,8 @@
+@@ -618,8 +536,8 @@
  	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -27045,7 +27219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -643,13 +617,177 @@
+@@ -643,11 +561,80 @@
  
  	xserver_read_xdm_tmp_files($2)
  
@@ -27127,20 +27301,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	# setattr: metacity X11:InstallColormap
 +	allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr };
-+')
-+
-+#######################################
-+## <summary>
-+##	Interface to provide X object permissions on a given X server to
-+##	an X client domain.  Provides the minimal set required by a basic
-+##	X client application.
-+## </summary>
-+## <param name="user">
-+##	<summary>
-+##	The prefix of the X server domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
+ ')
+ 
+ #######################################
+@@ -662,6 +649,101 @@
+ ##	is the prefix for user_t).
+ ##	</summary>
+ ## </param>
 +## <param name="domain">
 +##	<summary>
 +##	Client domain allowed access.
@@ -27221,13 +27388,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +#	xserver_use($1, $1, $2)
 +	xserver_use(xdm, $1, $2)
- ')
- 
++')
 +
- #######################################
- ## <summary>
- ##	Interface to provide X object permissions on a given X server to
-@@ -676,7 +814,7 @@
++
++#######################################
++## <summary>
++##	Interface to provide X object permissions on a given X server to
++##	an X client domain.  Provides the minimal set required by a basic
++##	X client application.
++## </summary>
++## <param name="user">
++##	<summary>
++##	The prefix of the X server domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
+ ## <param name="prefix">
+ ##	<summary>
+ ##	The prefix of the X client domain (e.g., user
+@@ -676,7 +758,7 @@
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -27236,7 +27415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
  		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
  		type xevent_t, client_xevent_t;
-@@ -685,7 +823,6 @@
+@@ -685,7 +767,6 @@
  		attribute x_server_domain, x_domain;
  		attribute xproperty_type;
  		attribute xevent_type, xextension_type;
@@ -27244,7 +27423,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  		class x_drawable all_x_drawable_perms;
  		class x_screen all_x_screen_perms;
-@@ -709,20 +846,22 @@
+@@ -709,20 +790,22 @@
  	# Declarations
  	#
  
@@ -27270,7 +27449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	##############################
  	#
  	# Local Policy
-@@ -740,7 +879,7 @@
+@@ -740,7 +823,7 @@
  	allow $3 x_server_domain:x_server getattr;
  	# everyone can do override-redirect windows.
  	# this could be used to spoof labels
@@ -27279,7 +27458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# everyone can receive management events on the root window
  	# allows to know when new windows appear, among other things
  	allow $3 manage_xevent_t:x_event receive;
-@@ -749,7 +888,7 @@
+@@ -749,7 +832,7 @@
  	# can read server-owned resources
  	allow $3 x_server_domain:x_resource read;
  	# can mess with own clients
@@ -27288,7 +27467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# X Protocol Extensions
  	allow $3 std_xext_t:x_extension { query use };
-@@ -758,27 +897,17 @@
+@@ -758,27 +841,17 @@
  
  	# X Properties
  	# can read and write client properties
@@ -27321,7 +27500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# X Input
  	# can receive own events
-@@ -805,6 +934,12 @@
+@@ -805,6 +878,12 @@
  	allow $3 manage_xevent_t:x_synthetic_event send;
  	allow $3 client_xevent_t:x_synthetic_event send;
  
@@ -27334,7 +27513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# X Selections
  	# can use the clipboard
  	allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-@@ -813,13 +948,15 @@
+@@ -813,13 +892,15 @@
  
  	# Other X Objects
  	# can create and use cursors
@@ -27354,7 +27533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	tunable_policy(`! xserver_object_manager',`
  		# should be xserver_unconfined($3),
-@@ -879,17 +1016,17 @@
+@@ -879,17 +960,17 @@
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -27379,7 +27558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $3 xdm_t:fd use;
-@@ -916,11 +1053,9 @@
+@@ -916,11 +997,9 @@
  	# X object manager
  	xserver_common_x_domain_template($1, $2, $3)
  
@@ -27394,7 +27573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -952,26 +1087,43 @@
+@@ -952,26 +1031,43 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -27445,10 +27624,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -1005,6 +1157,73 @@
+@@ -997,10 +1093,77 @@
+ #
+ template(`xserver_domtrans_user_xauth',`
+ 	gen_require(`
+-		type $1_xauth_t, xauth_exec_t;
++		type xauth_t, xauth_exec_t;
+ 	')
  
- ########################################
- ## <summary>
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
++')
++
++########################################
++## <summary>
 +##	Read a user Xauthority domain.
 +## </summary>
 +## <desc>
@@ -27512,14 +27701,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	# Read .Iceauthority file
 +	allow $2 iceauth_home_t:file { getattr read };
-+')
-+
-+########################################
-+## <summary>
- ##	Transition to a user Xauthority domain.
- ## </summary>
- ## <desc>
-@@ -1030,10 +1249,10 @@
+ ')
+ 
+ ########################################
+@@ -1030,10 +1193,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
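Review bot: `xserver_domtrans_user_xauth` keeps its `$1` prefix parameter but no longer uses it, since `gen_require` and `domtrans_pattern($2, xauth_exec_t, xauth_t)` now reference the shared `xauth_t`; the XML `<param>` block for `$1` sits above the hunk and still presents it as meaningful. Add `# $1 (role prefix) is unused: xauth_t is shared by all user roles` before the `domtrans_pattern` line, and update the `<param>` summary to say the prefix is ignored and kept for call compatibility. The same applies to `xserver_user_home_dir_filetrans_user_xauth`, whose body starts at the end of this hunk and continues outside it.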
@@ -27532,7 +27717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1219,6 +1438,25 @@
+@@ -1219,6 +1382,25 @@
  
  ########################################
  ## <summary>
@@ -27558,7 +27743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -1273,6 +1511,7 @@
+@@ -1273,6 +1455,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -27566,7 +27751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1291,7 +1530,7 @@
+@@ -1291,7 +1474,7 @@
  	')
  
  	files_search_pids($1)
@@ -27575,7 +27760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1314,6 +1553,24 @@
+@@ -1314,6 +1497,24 @@
  
  ########################################
  ## <summary>
@@ -27600,7 +27785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -1324,15 +1581,47 @@
+@@ -1324,15 +1525,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -27649,7 +27834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1482,7 +1771,7 @@
+@@ -1482,7 +1715,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -27658,7 +27843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1674,6 +1963,65 @@
+@@ -1674,6 +1907,65 @@
  
  ########################################
  ## <summary>
@@ -27724,7 +27909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1686,8 +2034,126 @@
+@@ -1686,8 +1978,126 @@
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -27855,7 +28040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.5/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/xserver.te	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/xserver.te	2008-08-28 12:54:34.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -27925,7 +28110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -122,6 +147,27 @@
+@@ -122,6 +147,31 @@
  type xserver_log_t;
  logging_log_file(xserver_log_t)
  
@@ -27941,6 +28126,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +type iceauth_home_t;
 +userdom_user_home_content(user, iceauth_home_t)
 +
++type xauth_t;
++domain_type(xauth_t)
++domain_entry_file(xauth_t, xauth_exec_t)
++
 +type xauth_home_t, xauth_home_type;
 +userdom_user_home_content(user, xauth_home_t)
 +
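Review bot: `xauth_t` is declared with `domain_type(xauth_t)` plus `domain_entry_file(xauth_t, xauth_exec_t)`, whereas the ssh template in this same patch declares its user-launched helper with `application_domain($1_ssh_agent_t, ssh_agent_exec_t)`; if `application_domain` is the convention for user-run helpers in this policy, `application_domain(xauth_t, xauth_exec_t)` would be the consistent form here (to be confirmed against what that interface expands to in this refpolicy version). A one-line comment above the declaration, `# single xauth domain shared by all user roles (role authorisation is added per template)`, would also explain why no `role` statement accompanies it.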
@@ -27953,7 +28142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  xserver_common_domain_template(xdm)
  xserver_common_x_domain_template(xdm, xdm, xdm_t)
  init_system_domain(xdm_xserver_t, xserver_exec_t)
-@@ -140,8 +186,9 @@
+@@ -140,8 +190,9 @@
  # XDM Local policy
  #
  
@@ -27965,7 +28154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -154,6 +201,12 @@
+@@ -154,6 +205,12 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -27978,7 +28167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -169,6 +222,8 @@
+@@ -169,6 +226,8 @@
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -27987,7 +28176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -176,15 +231,25 @@
+@@ -176,15 +235,25 @@
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -28015,7 +28204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -198,6 +263,7 @@
+@@ -198,6 +267,7 @@
  allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -28023,7 +28212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
-@@ -229,6 +295,7 @@
+@@ -229,6 +299,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -28031,7 +28220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -241,6 +308,7 @@
+@@ -241,6 +312,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -28039,7 +28228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -253,14 +321,17 @@
+@@ -253,14 +325,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -28059,7 +28248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -271,9 +342,13 @@
+@@ -271,9 +346,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -28073,7 +28262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -282,6 +357,7 @@
+@@ -282,6 +361,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28081,7 +28270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -290,6 +366,7 @@
+@@ -290,6 +370,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -28089,7 +28278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -301,21 +378,25 @@
+@@ -301,21 +382,25 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -28120,7 +28309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -348,10 +429,12 @@
+@@ -348,10 +433,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -28133,7 +28322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -359,6 +442,22 @@
+@@ -359,6 +446,22 @@
  ')
  
  optional_policy(`
@@ -28156,7 +28345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -382,16 +481,32 @@
+@@ -382,16 +485,32 @@
  ')
  
  optional_policy(`
@@ -28190,7 +28379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -427,7 +542,7 @@
+@@ -427,7 +546,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -28199,7 +28388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -439,6 +554,15 @@
+@@ -439,6 +558,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -28215,7 +28404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -450,10 +574,19 @@
+@@ -450,10 +578,19 @@
  # xdm_xserver_t may no longer have any reason
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
@@ -28236,7 +28425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -468,8 +601,19 @@
+@@ -468,8 +605,19 @@
  
  optional_policy(`
  	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@@ -28256,7 +28445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	resmgr_stream_connect(xdm_t)
-@@ -481,8 +625,25 @@
+@@ -481,8 +629,25 @@
  ')
  
  optional_policy(`
@@ -28284,7 +28473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	ifndef(`distro_redhat',`
  		allow xdm_xserver_t self:process { execheap execmem };
-@@ -491,7 +652,6 @@
+@@ -491,7 +656,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_xserver_t self:process { execheap execmem };
  	')
@@ -28292,7 +28481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-@@ -544,3 +704,10 @@
+@@ -544,3 +708,56 @@
  #
  allow pam_t xdm_t:fifo_file { getattr ioctl write };
  ') dnl end TODO
@@ -28303,6 +28492,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow x_domain xdm_xserver_tmpfs_t:file rw_file_perms;
 +')
 +
++##############################
++#
++# xauth_t Local policy
++#
++
++allow xauth_t self:process signal;
++allow xauth_t self:unix_stream_socket create_stream_socket_perms;
++
++allow xauth_t xauth_home_t:file manage_file_perms;
++userdom_user_home_dir_filetrans($1, xauth_t, xauth_home_t, file)
++
++manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
++manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
++files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
++
++domain_use_interactive_fds(xauth_t)
++
++files_read_etc_files(xauth_t)
++files_search_pids(xauth_t)
++
++fs_getattr_xattr_fs(xauth_t)
++fs_search_auto_mountpoints(xauth_t)
++
++auth_use_nsswitch(xauth_t)
++
++libs_use_ld_so(xauth_t)
++libs_use_shared_libs(xauth_t)
++
++files_search_pids(xauth_t)
++rw_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_files(xauth_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_files(xauth_t)
++')
++
++optional_policy(`
++	ssh_sigchld(xauth_t)
++	ssh_read_pipes(xauth_t)
++	ssh_dontaudit_rw_tcp_sockets(xauth_t)
++')
++
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.5/policy/modules/services/zabbix.fc
 --- nsaserefpolicy/policy/modules/services/zabbix.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.5/policy/modules/services/zabbix.fc	2008-08-25 10:50:15.000000000 -0400
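Review bot: `userdom_user_home_dir_filetrans($1, xauth_t, xauth_home_t, file)` is at the top level of xserver.te, not inside a template, so `$1` is never expanded by m4 and the build will reference a literal `$1`-prefixed home directory type. The rest of this file uses the bare `user` prefix for the shared types (`userdom_user_home_content(user, xauth_home_t)`), so this should read `userdom_user_home_dir_filetrans(user, xauth_t, xauth_home_t, file)`. `files_search_pids(xauth_t)` is also listed twice in the block; drop the first occurrence and keep the one next to the `xdm_var_run_t` rule it supports, and add a short comment there saying what xauth reads or writes under xdm's pid directory, since that rule is new relative to the old per-role template.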
@@ -29764,8 +29999,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/rc\.d/init\.d/auditd	--	gen_context(system_u:object_r:auditd_script_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.5/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2008-08-25 09:12:31.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/system/logging.if	2008-08-25 10:50:15.000000000 -0400
-@@ -699,6 +699,8 @@
++++ serefpolicy-3.5.5/policy/modules/system/logging.if	2008-08-29 14:20:21.000000000 -0400
+@@ -281,7 +281,9 @@
+ 	role system_r types $1;
+ 
+ 	domtrans_pattern(audisp_t, $2, $1)
++# Not sure if this is necessary?
+ 	allow $1 audisp_t:process signal;
++	allow audisp_t $1:process signal;
+ 
+ 	allow audisp_t $2:file getattr;
+ 	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+@@ -699,6 +701,8 @@
  	files_search_var($1)
  	manage_files_pattern($1,logfile,logfile)
  	read_lnk_files_pattern($1,logfile,logfile)
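Review bot: The new reverse-direction rule `allow audisp_t $1:process signal;` is merged under the comment `# Not sure if this is necessary?`, so an open question ships with the permission; either confirm that the dispatcher really needs to signal the plugin domain and replace the comment with that reason, or leave the rule out until a denial justifies it. The comment also sits at column 0 above the pre-existing `allow $1 audisp_t:process signal;` rather than tab-indented next to the line it refers to, which reads as if the old rule were the doubtful one. The enclosing template starts and ends outside the hunk.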
@@ -29774,7 +30019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -803,6 +805,42 @@
+@@ -803,6 +807,42 @@
  
  ########################################
  ## <summary>
@@ -29817,7 +30062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate
  ##	the audit environment
  ## </summary>
-@@ -827,6 +865,7 @@
+@@ -827,6 +867,7 @@
  	gen_require(`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
@@ -29825,7 +30070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	allow $1 auditd_t:process { ptrace signal_perms };
-@@ -842,6 +881,13 @@
+@@ -842,6 +883,13 @@
  	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
  
  	logging_run_auditctl($1, $2, $3)
@@ -29839,7 +30084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -862,6 +908,7 @@
+@@ -862,6 +910,7 @@
  		type syslogd_tmp_t, syslogd_var_lib_t;
  		type syslogd_var_run_t, klogd_var_run_t;
  		type klogd_tmp_t, var_log_t;
@@ -29847,7 +30092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	allow $1 syslogd_t:process { ptrace signal_perms };
-@@ -889,6 +936,12 @@
+@@ -889,6 +938,12 @@
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -29860,7 +30105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -915,5 +968,5 @@
+@@ -915,5 +970,5 @@
  #
  interface(`logging_admin',`
  	logging_admin_audit($1, $2, $3)
@@ -32435,7 +32680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/system/userdomain.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/system/userdomain.if	2008-08-29 13:08:43.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -33341,7 +33586,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	userdom_base_user_template($1)
  
-@@ -934,70 +921,72 @@
+@@ -930,74 +917,77 @@
+ 
+ 	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ 	dontaudit $1_t self:process setrlimit;
++	
+ 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
  	allow $1_t self:context contains;
  
@@ -33447,7 +33697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1031,9 +1020,6 @@
+@@ -1031,9 +1021,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -33457,7 +33707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1042,12 +1028,24 @@
+@@ -1042,12 +1029,24 @@
  	#
  
  	# privileged home directory writers
@@ -33488,7 +33738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
  		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-@@ -1087,14 +1085,16 @@
+@@ -1087,14 +1086,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -33510,7 +33760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1102,28 +1102,23 @@
+@@ -1102,28 +1103,23 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -33544,7 +33794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1134,8 +1129,7 @@
+@@ -1134,8 +1130,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -33554,7 +33804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -1167,11 +1161,10 @@
+@@ -1167,11 +1162,10 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -33567,7 +33817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1189,36 +1182,45 @@
+@@ -1189,36 +1183,45 @@
  		')
  	')
  
@@ -33626,7 +33876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1295,8 +1297,6 @@
+@@ -1295,8 +1298,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -33635,7 +33885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1318,8 +1318,6 @@
+@@ -1318,8 +1319,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -33644,7 +33894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1374,13 +1372,6 @@
+@@ -1374,13 +1373,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -33658,7 +33908,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1432,6 +1423,7 @@
+@@ -1432,6 +1424,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -33666,7 +33916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1461,10 +1453,6 @@
+@@ -1461,10 +1454,6 @@
  	seutil_run_semanage($1,$2,$3)
  	seutil_run_setfiles($1, $2, $3)
  
@@ -33677,7 +33927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
  		aide_run($1,$2, $3)
  	')
-@@ -1484,6 +1472,14 @@
+@@ -1484,6 +1473,14 @@
  	optional_policy(`
  		netlabel_run_mgmt($1,$2, $3)
  	')
@@ -33692,7 +33942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1741,11 +1737,15 @@
+@@ -1741,11 +1738,15 @@
  #
  template(`userdom_user_home_content',`
  	gen_require(`
@@ -33711,7 +33961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1841,11 +1841,11 @@
+@@ -1841,11 +1842,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -33725,7 +33975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1875,11 +1875,11 @@
+@@ -1875,11 +1876,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -33739,7 +33989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1923,12 +1923,12 @@
+@@ -1923,12 +1924,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -33755,7 +34005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1958,10 +1958,11 @@
+@@ -1958,10 +1959,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -33769,7 +34019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1993,11 +1994,47 @@
+@@ -1993,11 +1995,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -33819,7 +34069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2029,10 +2066,10 @@
+@@ -2029,10 +2067,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -33832,7 +34082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2062,11 +2099,11 @@
+@@ -2062,11 +2100,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -33846,7 +34096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2096,11 +2133,11 @@
+@@ -2096,11 +2134,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -33861,7 +34111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2130,10 +2167,14 @@
+@@ -2130,10 +2168,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -33878,7 +34128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2163,11 +2204,11 @@
+@@ -2163,11 +2205,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -33892,7 +34142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2197,11 +2238,11 @@
+@@ -2197,11 +2239,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -33906,7 +34156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2231,10 +2272,10 @@
+@@ -2231,10 +2273,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -33919,7 +34169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2266,12 +2307,12 @@
+@@ -2266,12 +2308,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -33935,7 +34185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2303,10 +2344,10 @@
+@@ -2303,10 +2345,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -33948,7 +34198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2338,12 +2379,12 @@
+@@ -2338,12 +2380,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -33964,7 +34214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2375,12 +2416,12 @@
+@@ -2375,12 +2417,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -33980,7 +34230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2412,12 +2453,12 @@
+@@ -2412,12 +2454,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -33996,7 +34246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2462,11 +2503,11 @@
+@@ -2462,11 +2504,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -34010,7 +34260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2511,11 +2552,11 @@
+@@ -2511,11 +2553,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -34024,7 +34274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2555,11 +2596,11 @@
+@@ -2555,11 +2597,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -34038,7 +34288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2589,11 +2630,11 @@
+@@ -2589,11 +2631,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -34052,7 +34302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2623,11 +2664,11 @@
+@@ -2623,11 +2665,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -34066,7 +34316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2659,10 +2700,10 @@
+@@ -2659,10 +2701,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -34079,7 +34329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2694,10 +2735,10 @@
+@@ -2694,10 +2736,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -34092,7 +34342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2727,12 +2768,12 @@
+@@ -2727,12 +2769,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -34108,7 +34358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2764,10 +2805,10 @@
+@@ -2764,10 +2806,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -34121,7 +34371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2799,10 +2840,10 @@
+@@ -2799,10 +2841,10 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -34134,7 +34384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2832,12 +2873,12 @@
+@@ -2832,12 +2874,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -34150,7 +34400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2869,10 +2910,10 @@
+@@ -2869,10 +2911,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -34163,7 +34413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2904,12 +2945,12 @@
+@@ -2904,12 +2946,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -34179,7 +34429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2941,11 +2982,11 @@
+@@ -2941,11 +2983,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -34193,7 +34443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2977,11 +3018,11 @@
+@@ -2977,11 +3019,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -34207,7 +34457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3013,11 +3054,11 @@
+@@ -3013,11 +3055,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -34221,7 +34471,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3049,11 +3090,11 @@
+@@ -3049,11 +3091,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -34235,7 +34485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3085,11 +3126,11 @@
+@@ -3085,11 +3127,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -34249,7 +34499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3134,10 +3175,10 @@
+@@ -3134,10 +3176,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -34262,7 +34512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_search_tmp($2)
  ')
  
-@@ -3178,19 +3219,19 @@
+@@ -3178,19 +3220,19 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -34286,7 +34536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -4616,11 +4657,11 @@
+@@ -4616,11 +4658,11 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -34300,7 +34550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -4640,6 +4681,14 @@
+@@ -4640,6 +4682,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -34315,7 +34565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -4677,6 +4726,8 @@
+@@ -4677,6 +4727,8 @@
  	')
  
  	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -34324,7 +34574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -4721,6 +4772,25 @@
+@@ -4721,6 +4773,25 @@
  
  ########################################
  ## <summary>
@@ -34350,7 +34600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4946,7 +5016,7 @@
+@@ -4946,7 +5017,7 @@
  
  ########################################
  ## <summary>
@@ -34359,7 +34609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5318,6 +5388,42 @@
+@@ -5318,6 +5389,42 @@
  
  ########################################
  ## <summary>
@@ -34402,7 +34652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5368,7 +5474,7 @@
+@@ -5368,7 +5475,7 @@
  		attribute userdomain;
  	')
  
@@ -34411,7 +34661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_search_proc($1)
  ')
  
-@@ -5483,7 +5589,7 @@
+@@ -5483,7 +5590,7 @@
  
  ########################################
  ## <summary>
@@ -34420,15 +34670,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5491,10 +5597,46 @@
+@@ -5491,7 +5598,43 @@
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_dbus_send_all_users',`
 +interface(`userdom_manage_all_users_keys',`
- 	gen_require(`
- 		attribute userdomain;
--		class dbus send_msg;
++	gen_require(`
++		attribute userdomain;
 +	')
 +
 +	allow $1 userdomain:key manage_key_perms;
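Review bot: `allow $1 userdomain:key manage_key_perms;` in the new `userdom_manage_all_users_keys` interface lets the caller read, write, link and set attributes on the kernel keys of every user domain, which includes session and user keyrings that may hold credentials; the interface summary, which lies outside this hunk, should state that this is an administrative-scope grant so callers stay limited to admin domains. The gen_require restructuring itself looks right, since the dbus interface keeps its `class dbus send_msg` requirement in the following hunk. The interface body continues outside the hunk.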
@@ -34463,13 +34712,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </param>
 +#
 +interface(`userdom_dbus_send_all_users',`
-+	gen_require(`
-+		attribute userdomain;
-+		class dbus send_msg;
- 	')
- 
- 	allow $1 userdomain:dbus send_msg;
-@@ -5513,3 +5655,506 @@
+ 	gen_require(`
+ 		attribute userdomain;
+ 		class dbus send_msg;
+@@ -5513,3 +5656,506 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')