diff --git a/policy-20071130.patch b/policy-20071130.patch index 993eab3..4de83ea 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -693,7 +693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg +system_r:xdm_t xguest_r:xguest_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile --- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/Makefile 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/Makefile 2008-03-06 11:35:33.000000000 -0500 @@ -235,7 +235,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -736,6 +736,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/M endef # create-base-per-role-tmpl modulenames,outputfile +@@ -521,6 +523,10 @@ + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + ++$(appdir)/initrc_context: $(tmpdir)/initrc_context ++ @mkdir -p $(appdir) ++ $(verbose) $(INSTALL) -m 644 $< $@ ++ + $(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-02-29 09:31:45.000000000 -0500 @@ -2308,7 +2319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.3.1/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te 2008-02-28 15:36:54.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/rpm.te 2008-03-06 13:12:21.000000000 -0500 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -2381,9 +2392,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans(rpm_script_t) +@@ -353,6 +372,11 @@ + ') + + optional_policy(` ++ gamin_domtrans(rpm_t) ++ gamin_stream_connect(rpm_t) ++') ++ ++optional_policy(` + usermanage_domtrans_groupadd(rpm_script_t) + usermanage_domtrans_useradd(rpm_script_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-02-27 12:44:10.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-03-06 15:38:11.000000000 -0500 @@ -55,7 +55,7 @@ # @@ -2393,12 +2416,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; -@@ -68,33 +68,34 @@ +@@ -68,33 +68,35 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; - allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; + allow $1_sudo_t self:key manage_key_perms; ++ allow $1_sudo_t $1_t:key search; # Enter this derived domain from the user domain domtrans_pattern($2, sudo_exec_t, $1_sudo_t) @@ -2432,7 +2456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +107,42 @@ +@@ -106,32 +108,42 @@ files_getattr_usr_files($1_sudo_t) # for some PAM modules and for cwd files_dontaudit_search_home($1_sudo_t) @@ -2485,7 +2509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-03-06 15:39:00.000000000 -0500 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; @@ -2535,7 +2559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### -@@ -172,13 +170,12 @@ +@@ -172,14 +170,14 @@ domain_interactive_fd($1_su_t) role $3 types $1_su_t; @@ -2550,9 +2574,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:key { search write }; ++ allow $1_su_t $1_t:key search; # Transition from the user domain to this domain. -@@ -188,7 +185,7 @@ + domtrans_pattern($2, su_exec_t, $1_su_t) +@@ -188,7 +186,7 @@ corecmd_shell_domtrans($1_su_t,$2) allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; @@ -2561,7 +2587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) -@@ -203,15 +200,15 @@ +@@ -203,15 +201,15 @@ # needed for pam_rootok selinux_compute_access_vector($1_su_t) @@ -2580,7 +2606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) -@@ -226,12 +223,14 @@ +@@ -226,12 +224,14 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) @@ -2596,7 +2622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) -@@ -295,13 +294,7 @@ +@@ -295,13 +295,7 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') @@ -3592,8 +3618,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.3.1/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/gpg.te 2008-02-26 08:29:22.000000000 -0500 -@@ -7,15 +7,228 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/gpg.te 2008-03-06 15:47:25.000000000 -0500 +@@ -7,15 +7,229 @@ # # Type for gpg or pgp executables. @@ -3644,6 +3670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir) +userdom_manage_user_home_content_files(user,gpg_t) +userdom_manage_user_tmp_files(user,gpg_t) ++userdom_unpriv_users_stream_connect(gpg_t) + +# transition from the gpg domain to the helper domain +domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t) @@ -3911,7 +3938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.3.1/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-06 11:17:59.000000000 -0500 @@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -3920,7 +3947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,14 @@ +@@ -20,5 +21,15 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) @@ -3933,13 +3960,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + -+/usr/lib/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib64/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++ + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.3.1/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-03-03 08:25:05.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-03-06 11:15:51.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -3949,7 +3977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if gen_require(` type java_exec_t; ') -@@ -57,14 +57,16 @@ +@@ -57,18 +57,21 @@ # Local policy # @@ -3970,7 +3998,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t) -@@ -76,13 +78,9 @@ + files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir }) ++ allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; + + manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) + manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) +@@ -76,14 +79,9 @@ manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t) fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file }) @@ -3981,10 +4014,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if - # The user role is authorized for this domain. - domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) -+ domain_auto_trans($2, java_exec_t, $1_javaplugin_t) - allow $1_javaplugin_t $2:fd use; +- allow $1_javaplugin_t $2:fd use; ++ domtrans_pattern($2, java_exec_t, $1_javaplugin_t) # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; + allow $1_javaplugin_t $2:process signull; @@ -94,7 +92,7 @@ kernel_read_system_state($1_javaplugin_t) @@ -4034,7 +4068,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) userdom_manage_user_home_content_files($1,$1_javaplugin_t) userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) -@@ -156,16 +162,63 @@ +@@ -146,9 +152,6 @@ + + tunable_policy(`allow_java_execstack',` + allow $1_javaplugin_t self:process execstack; +- +- allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; +- + libs_legacy_use_shared_libs($1_javaplugin_t) + libs_legacy_use_ld_so($1_javaplugin_t) + +@@ -156,16 +159,63 @@ ') optional_policy(` @@ -4104,7 +4148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +272,67 @@ +@@ -219,3 +269,67 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -4378,7 +4422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-03-04 10:33:57.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-03-06 10:13:20.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -4508,7 +4552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -112,11 +151,13 @@ +@@ -112,17 +151,20 @@ ps_process_pattern($2,$1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; @@ -4524,7 +4568,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Look for plugins corecmd_list_bin($1_mozilla_t) -@@ -165,13 +206,28 @@ + # for bash - old mozilla binary + corecmd_exec_shell($1_mozilla_t) + corecmd_exec_bin($1_mozilla_t) ++ application_exec($1_mozilla_t) + + # Browse the web, connect to printer + corenet_all_recvfrom_unlabeled($1_mozilla_t) +@@ -151,6 +193,7 @@ + + dev_read_urand($1_mozilla_t) + dev_read_rand($1_mozilla_t) ++ + dev_write_sound($1_mozilla_t) + dev_read_sound($1_mozilla_t) + dev_dontaudit_rw_dri($1_mozilla_t) +@@ -165,13 +208,28 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) @@ -4553,29 +4612,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. libs_use_ld_so($1_mozilla_t) libs_use_shared_libs($1_mozilla_t) -@@ -180,18 +236,10 @@ +@@ -180,18 +238,10 @@ miscfiles_read_fonts($1_mozilla_t) miscfiles_read_localization($1_mozilla_t) - # Browse the web, connect to printer - sysnet_dns_name_resolve($1_mozilla_t) - sysnet_read_config($1_mozilla_t) -+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) -+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) - +- - userdom_manage_user_home_content_dirs($1,$1_mozilla_t) - userdom_manage_user_home_content_files($1,$1_mozilla_t) - userdom_manage_user_home_content_symlinks($1,$1_mozilla_t) - userdom_manage_user_tmp_dirs($1,$1_mozilla_t) - userdom_manage_user_tmp_files($1,$1_mozilla_t) - userdom_manage_user_tmp_sockets($1,$1_mozilla_t) -- ++ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) ++ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) + - xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) + xserver_user_x_domain_template($1,$1_mozilla,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) -@@ -211,131 +259,8 @@ +@@ -211,131 +261,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -4709,7 +4768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,19 +275,27 @@ +@@ -350,19 +277,27 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -4721,14 +4780,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_connectto_user_bus($1,$1_mozilla_t) - ') - - optional_policy(` -+ gnome_exec_gconf($1_mozilla_t) -+ gnome_manage_user_gnome_config($1,$1_mozilla_t) + ') + + optional_policy(` ++ gnome_exec_gconf($1_mozilla_t) ++ gnome_manage_user_gnome_config($1,$1_mozilla_t) + ') + + optional_policy(` + gnome_domtrans_user_gconf($1,$1_mozilla_t) gnome_stream_connect_gconf_template($1,$1_mozilla_t) ') @@ -4739,7 +4798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -370,37 +303,18 @@ +@@ -370,37 +305,18 @@ ') optional_policy(` @@ -4780,7 +4839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -430,11 +344,11 @@ +@@ -430,11 +346,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` @@ -4795,7 +4854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -464,11 +378,10 @@ +@@ -464,11 +380,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -4809,7 +4868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -573,3 +486,27 @@ +@@ -573,3 +488,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -6082,7 +6141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-02-26 13:48:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-03-06 10:56:27.000000000 -0500 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -6173,7 +6232,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +292,10 @@ +@@ -213,9 +221,10 @@ + /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) + + /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) +@@ -284,3 +293,10 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -7061,7 +7132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-03-04 08:35:34.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-03-06 10:50:35.000000000 -0500 @@ -310,6 +310,25 @@ ######################################## @@ -7123,7 +7194,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -3039,6 +3077,25 @@ +@@ -2903,6 +2941,7 @@ + type tmpfs_t; + ') + ++ dontaudit $1 tmpfs_t:dir rw_dir_perms; + dontaudit $1 tmpfs_t:file rw_file_perms; + ') + +@@ -3039,6 +3078,25 @@ ######################################## ## @@ -7149,7 +7228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel block nodes on tmpfs filesystems. ## ## -@@ -3224,6 +3281,7 @@ +@@ -3224,6 +3282,7 @@ ') allow $1 filesystem_type:filesystem getattr; @@ -7157,7 +7236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -3551,3 +3609,123 @@ +@@ -3551,3 +3610,123 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') @@ -13572,7 +13651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-04 15:04:18.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-06 13:11:59.000000000 -0500 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) @@ -13594,7 +13673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail kernel_read_system_state(fail2ban_t) -@@ -47,14 +51,20 @@ +@@ -47,14 +51,23 @@ files_read_etc_files(fail2ban_t) files_read_usr_files(fail2ban_t) @@ -13602,6 +13681,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +files_search_var_lib(fail2ban_t) + +fs_list_inotifyfs(fail2ban_t) ++ ++auth_use_nsswitch(fail2ban_t) ++corenet_tcp_connect_dns_port(fail2ban_t) libs_use_ld_so(fail2ban_t) libs_use_shared_libs(fail2ban_t) @@ -13616,6 +13698,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail optional_policy(` apache_read_log(fail2ban_t) ') +@@ -64,5 +77,11 @@ + ') + + optional_policy(` ++ gamin_domtrans(fail2ban_t) ++ gamin_stream_connect(fail2ban_t) ++') ++ ++optional_policy(` + iptables_domtrans(fail2ban_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.fc serefpolicy-3.3.1/policy/modules/services/fetchmail.fc --- nsaserefpolicy/policy/modules/services/fetchmail.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/fetchmail.fc 2008-02-26 08:29:22.000000000 -0500 @@ -13867,6 +13961,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.3.1/policy/modules/services/gamin.fc +--- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/gamin.fc 2008-03-06 13:09:29.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.3.1/policy/modules/services/gamin.if +--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/gamin.if 2008-03-06 13:09:29.000000000 -0500 +@@ -0,0 +1,39 @@ ++ ++## policy for gamin ++ ++######################################## ++## ++## Execute a domain transition to run gamin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gamin_domtrans',` ++ gen_require(` ++ type gamin_t; ++ type gamin_exec_t; ++ ') ++ ++ domtrans_pattern($1,gamin_exec_t,gamin_t) ++') ++ ++######################################## ++## ++## Connect to gamin over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gamin_stream_connect',` ++ gen_require(` ++ type gamin_t; ++ ') ++ ++ allow $1 gamin_t:unix_stream_socket connectto; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te +--- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-03-06 13:11:39.000000000 -0500 +@@ -0,0 +1,38 @@ ++policy_module(gamin,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type gamin_t; ++type gamin_exec_t; ++init_daemon_domain(gamin_t, gamin_exec_t) ++ ++######################################## ++# ++# gamin local policy ++# ++ ++# Init script handling ++domain_use_interactive_fds(gamin_t) ++ ++# internal communication is often done using fifo and unix sockets. ++allow gamin_t self:fifo_file rw_file_perms; ++allow gamin_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(gamin_t) ++files_read_etc_runtime_files(gamin_t) ++files_list_all(gamin_t) ++files_getattr_all_files(gamin_t) ++ ++fs_list_inotifyfs(gamin_t) ++domain_read_all_domains_state(gamin_t) ++ ++libs_use_ld_so(gamin_t) ++libs_use_shared_libs(gamin_t) ++ ++miscfiles_read_localization(gamin_t) ++ ++role unconfined_r types gamin_t; ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.3.1/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.fc 2008-02-26 08:29:22.000000000 -0500 @@ -15382,7 +15567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-03-06 11:55:52.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -15469,11 +15654,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +162,33 @@ +@@ -136,11 +162,37 @@ ') optional_policy(` -+ clamav_stream_connect(sendmail_t) ++ clamav_stream_connect(system_mail_t) ++') ++ ++optional_policy(` ++ fail2ban_append_log(system_mail_t) +') + +optional_policy(` @@ -15504,7 +15693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +202,4 @@ +@@ -154,3 +206,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') @@ -16109,7 +16298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-03-06 11:40:40.000000000 -0500 @@ -97,3 +97,21 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; @@ -16134,7 +16323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-03-06 11:40:30.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -18136,7 +18325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-03-06 11:40:58.000000000 -0500 @@ -196,6 +196,12 @@ optional_policy(` @@ -18162,6 +18351,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. allow pptp_t self:fifo_file { read write }; allow pptp_t self:unix_dgram_socket create_socket_perms; allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; +@@ -287,6 +293,14 @@ + ') + + optional_policy(` ++ dbus_system_domain(pppd_t,pppd_exec_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(pppd_t) ++ ') ++') ++ ++optional_policy(` + hostname_exec(pptp_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-02-26 08:29:22.000000000 -0500 @@ -23035,7 +23239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-05 14:36:29.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-06 13:07:32.000000000 -0500 @@ -12,9 +12,15 @@ ## ## @@ -23499,7 +23703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +540,465 @@ +@@ -542,25 +540,473 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -23647,14 +23851,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + class x_synthetic_event all_x_synthetic_event_perms; + + attribute xdm_x_domain; -+ type xdm_t; + ') + + allow $2 $1:x_drawable { hide setattr show receive create manage add_child write read getattr remove_child list_child destroy set_property }; + allow $2 $1:x_event receive; + allow $2 $1:x_synthetic_event receive; -+ + allow $1 $2:x_property read; ++ ++ allow $2 std_xext_t:x_extension query; ++ allow $2 x_rootwindow_t:x_drawable { get_property getattr }; +') + +####################################### @@ -23691,6 +23896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type screensaver_xext_t, unknown_xext_t, x_rootscreen_t; + type disallowed_xext_t; + type output_xext_t; ++ type accelgraphics_xext_t; + + attribute x_server_domain, x_domain; + attribute xproperty_type; @@ -23743,6 +23949,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # everyone can get the input focus of everyone else + # this is a fundamental brokenness in the X protocol + allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab force_cursor }; ++ ++ allow $3 { x_domain xserver_unconfined_type }:x_drawable receive; ++ allow $3 { x_domain xserver_unconfined_type }:x_event receive; ++ + tunable_policy(`allow_read_x_device',` + allow $3 { x_domain x_server_domain }:x_device read; + ') @@ -23760,6 +23970,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # allows to know when new windows appear, among other things + allow $3 manage_xevent_t:x_event receive; + ++ allow $3 accelgraphics_xext_t:x_extension use; ++ + # X Server + # can read server-owned resources + allow $3 x_server_domain:x_resource read; @@ -23971,7 +24183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +1031,44 @@ +@@ -593,26 +1039,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -24023,7 +24235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +1094,77 @@ +@@ -638,10 +1102,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -24103,7 +24315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -671,10 +1194,10 @@ +@@ -671,10 +1202,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -24116,7 +24328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1283,7 @@ +@@ -760,7 +1291,7 @@ type xconsole_device_t; ') @@ -24125,7 +24337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1383,25 @@ +@@ -860,6 +1391,25 @@ ######################################## ## @@ -24151,7 +24363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1456,7 @@ +@@ -914,6 +1464,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -24159,7 +24371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1498,24 @@ +@@ -955,6 +1506,24 @@ ######################################## ## @@ -24184,7 +24396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1526,47 @@ +@@ -965,15 +1534,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24233,7 +24445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1716,7 @@ +@@ -1123,7 +1724,7 @@ type xdm_xserver_tmp_t; ') @@ -24242,7 +24454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1905,82 @@ +@@ -1312,3 +1913,82 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -24327,7 +24539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-05 18:07:11.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-06 15:35:49.000000000 -0500 @@ -8,6 +8,14 @@ ## @@ -24571,7 +24783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) -+storage_rw_fuse(xdm_t) ++storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) @@ -26108,7 +26320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-03-06 10:59:36.000000000 -0500 @@ -133,6 +133,7 @@ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26142,7 +26354,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -292,6 +295,8 @@ +@@ -287,11 +290,15 @@ + /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) ++/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) + ') dnl end distro_redhat + # # /var # @@ -26151,7 +26370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -304,3 +309,9 @@ +@@ -304,3 +311,9 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -27152,8 +27371,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-02-27 23:40:38.000000000 -0500 -@@ -0,0 +1,291 @@ ++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-06 09:35:23.000000000 -0500 +@@ -0,0 +1,294 @@ + +## policy for qemu + @@ -27389,6 +27608,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + type $1_t; + domain_type($1_t) + ++ type $1_tmp_t; ++ files_tmp_file($1_tmp_t) ++ + domain_use_interactive_fds($1_t) + + allow $1_t self:capability { dac_read_search dac_override }; @@ -28092,7 +28314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran allow setrans_t self:netlink_selinux_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-04 15:18:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-06 11:55:26.000000000 -0500 @@ -145,6 +145,25 @@ ######################################## @@ -28391,8 +28613,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-03-04 10:17:41.000000000 -0500 -@@ -2,15 +2,18 @@ ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-03-06 11:17:16.000000000 -0500 +@@ -2,15 +2,16 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t @@ -28402,8 +28624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - +- /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - ifdef(`distro_gentoo',` @@ -29026,7 +29247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-05 18:06:38.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-06 09:14:52.000000000 -0500 @@ -29,9 +29,14 @@ ') @@ -30022,7 +30243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1086,14 @@ +@@ -1076,14 +1086,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -30036,13 +30257,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_t) + dev_dontaudit_read_rand($1_usertype) ++ # temporarily allow since openoffice requires this ++ dev_read_rand($1_usertype) - logging_send_syslog_msg($1_t) + logging_send_syslog_msg($1_usertype) logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1101,25 @@ +@@ -1091,32 +1103,25 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -30084,7 +30307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1130,10 @@ +@@ -1127,10 +1132,10 @@ ## ## ##

@@ -30099,7 +30322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1193,12 +1196,11 @@ +@@ -1193,12 +1198,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -30114,7 +30337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1209,27 @@ +@@ -1207,7 +1211,27 @@ ') optional_policy(` @@ -30143,7 +30366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1306,6 @@ +@@ -1284,8 +1308,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -30152,7 +30375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1363,13 +1383,6 @@ +@@ -1363,13 +1385,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30166,7 +30389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1435,7 @@ +@@ -1422,6 +1437,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30174,7 +30397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1801,14 @@ +@@ -1787,10 +1803,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -30190,7 +30413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1904,11 @@ +@@ -1886,11 +1906,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -30204,7 +30427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1938,11 @@ +@@ -1920,11 +1940,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -30218,7 +30441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1986,12 @@ +@@ -1968,12 +1988,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -30234,7 +30457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2021,10 @@ +@@ -2003,10 +2023,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -30247,7 +30470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2056,47 @@ +@@ -2038,11 +2058,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -30297,7 +30520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2128,10 @@ +@@ -2074,10 +2130,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -30310,7 +30533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2161,11 @@ +@@ -2107,11 +2163,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -30324,7 +30547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2195,11 @@ +@@ -2141,11 +2197,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -30339,7 +30562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2229,14 @@ +@@ -2175,10 +2231,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -30356,7 +30579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2266,11 @@ +@@ -2208,11 +2268,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -30370,7 +30593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2300,11 @@ +@@ -2242,11 +2302,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -30384,7 +30607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2334,10 @@ +@@ -2276,10 +2336,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -30397,7 +30620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2369,12 @@ +@@ -2311,12 +2371,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -30413,7 +30636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2406,10 @@ +@@ -2348,10 +2408,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -30426,7 +30649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2441,12 @@ +@@ -2383,12 +2443,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -30442,7 +30665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2478,12 @@ +@@ -2420,12 +2480,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -30458,7 +30681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2515,12 @@ +@@ -2457,12 +2517,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -30474,7 +30697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2565,11 @@ +@@ -2507,11 +2567,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -30488,7 +30711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2614,11 @@ +@@ -2556,11 +2616,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -30502,7 +30725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2658,11 @@ +@@ -2600,11 +2660,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -30516,7 +30739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2692,11 @@ +@@ -2634,11 +2694,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -30530,7 +30753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2726,11 @@ +@@ -2668,11 +2728,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -30544,7 +30767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2762,10 @@ +@@ -2704,10 +2764,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -30557,7 +30780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2797,10 @@ +@@ -2739,10 +2799,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -30570,7 +30793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2830,12 @@ +@@ -2772,12 +2832,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -30586,7 +30809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2867,10 @@ +@@ -2809,10 +2869,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -30599,7 +30822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2902,48 @@ +@@ -2844,10 +2904,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -30650,7 +30873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2973,12 @@ +@@ -2877,12 +2975,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -30666,7 +30889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3010,10 @@ +@@ -2914,10 +3012,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -30679,7 +30902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3045,12 @@ +@@ -2949,12 +3047,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -30695,7 +30918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3082,11 @@ +@@ -2986,11 +3084,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -30709,7 +30932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3118,11 @@ +@@ -3022,11 +3120,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -30723,7 +30946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3154,11 @@ +@@ -3058,11 +3156,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -30737,7 +30960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3190,11 @@ +@@ -3094,11 +3192,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -30751,7 +30974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3226,11 @@ +@@ -3130,11 +3228,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -30765,7 +30988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3275,10 @@ +@@ -3179,10 +3277,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -30778,7 +31001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3319,10 @@ +@@ -3223,10 +3321,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -30791,7 +31014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3350,42 @@ +@@ -3254,6 +3352,42 @@ ## ## # @@ -30834,7 +31057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4231,11 +4363,11 @@ +@@ -4231,11 +4365,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -30848,7 +31071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4383,10 @@ +@@ -4251,10 +4385,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -30861,7 +31084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4402,11 @@ +@@ -4270,11 +4404,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -30875,7 +31098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4421,16 @@ +@@ -4289,16 +4423,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -30895,7 +31118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4439,27 @@ +@@ -4307,12 +4441,27 @@ ## ## # @@ -30926,7 +31149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4474,13 @@ +@@ -4327,13 +4476,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -30944,7 +31167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4678,10 @@ +@@ -4531,10 +4680,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -30957,7 +31180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4698,10 @@ +@@ -4551,10 +4700,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -30970,7 +31193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4716,10 @@ +@@ -4569,10 +4718,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -30983,7 +31206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4735,10 @@ +@@ -4588,10 +4737,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -30996,7 +31219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4753,10 @@ +@@ -4606,10 +4755,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -31009,7 +31232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4772,10 @@ +@@ -4625,10 +4774,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -31022,7 +31245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4791,11 @@ +@@ -4644,12 +4793,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -31038,7 +31261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4822,10 @@ +@@ -4676,10 +4824,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -31051,7 +31274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4840,10 @@ +@@ -4694,10 +4842,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -31064,7 +31287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4858,13 @@ +@@ -4712,13 +4860,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -31082,7 +31305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4900,49 @@ +@@ -4754,11 +4902,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -31133,7 +31356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +4962,14 @@ +@@ -4778,6 +4964,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -31148,7 +31371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5031,26 @@ +@@ -4839,6 +5033,26 @@ ######################################## ##

@@ -31175,7 +31398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5071,25 @@ +@@ -4859,6 +5073,25 @@ ######################################## ## @@ -31201,7 +31424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5110,26 @@ +@@ -4879,6 +5112,26 @@ ######################################## ## @@ -31228,7 +31451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5366,7 @@ +@@ -5115,7 +5368,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -31237,7 +31460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5555,50 @@ +@@ -5304,6 +5557,50 @@ ######################################## ## @@ -31288,7 +31511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5804,42 @@ +@@ -5509,6 +5806,42 @@ ######################################## ## @@ -31331,7 +31554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5674,6 +6005,42 @@ +@@ -5674,6 +6007,42 @@ ######################################## ## @@ -31374,7 +31597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6071,368 @@ +@@ -5704,3 +6073,368 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')