diff --git a/policy-20071130.patch b/policy-20071130.patch index dbef272..bc10dad 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2613,7 +2613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-03-04 16:24:35.000000000 -0500 @@ -28,6 +28,7 @@ files_purge_tmp(tmpreaper_t) # why does it need setattr? @@ -2622,7 +2622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -42,6 +43,19 @@ +@@ -42,6 +43,22 @@ cron_system_entry(tmpreaper_t,tmpreaper_exec_t) @@ -2630,6 +2630,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap +userdom_delete_all_users_home_content_files(tmpreaper_t) +userdom_delete_all_users_home_content_symlinks(tmpreaper_t) + ++files_delete_isid_type_dirs(tmpreaper_t) ++files_delete_isid_type_files(tmpreaper_t) ++ +optional_policy(` + amavis_manage_spool_files(tmpreaper_t) +') @@ -2698,6 +2701,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.3.1/policy/modules/admin/vbetool.te +--- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-12-19 05:32:18.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/vbetool.te 2008-03-04 16:04:15.000000000 -0500 +@@ -23,6 +23,8 @@ + dev_rwx_zero(vbetool_t) + dev_read_sysfs(vbetool_t) + ++domain_mmap_low(vbetool_t) ++ + term_use_unallocated_ttys(vbetool_t) + + libs_use_ld_so(vbetool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.3.1/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2008-02-18 14:30:19.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/admin/vpn.te 2008-02-26 08:29:22.000000000 -0500 @@ -3924,7 +3939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.3.1/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-02-26 21:21:39.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-03-03 08:25:05.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -4019,7 +4034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) userdom_manage_user_home_content_files($1,$1_javaplugin_t) userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) -@@ -156,15 +162,67 @@ +@@ -156,16 +162,63 @@ ') optional_policy(` @@ -4029,8 +4044,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if - optional_policy(` - nscd_socket_use($1_javaplugin_t) +- ') +') -+ + +- optional_policy(` +- xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) +####################################### +## +## The per role template for the java module. @@ -4062,7 +4080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + gen_require(` + type java_exec_t; ') - ++ + type $1_java_t; + domain_type($1_java_t) + domain_entry_file($1_java_t,java_exec_t) @@ -4083,15 +4101,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + dev_read_rand($1_java_t) + + fs_dontaudit_rw_tmpfs_files($1_java_t) -+ - optional_policy(` -- xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) -+ xserver_user_x_domain_template($1,$1_java,$1_java_t,$1_tmpfs_t) -+ xserver_xdm_rw_shm($1_java_t) - ') ') -@@ -219,3 +277,67 @@ + ######################################## +@@ -219,3 +272,67 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -4223,8 +4236,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-02-26 08:29:22.000000000 -0500 -@@ -18,3 +18,109 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-03-03 08:24:51.000000000 -0500 +@@ -18,3 +18,101 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') @@ -4325,14 +4338,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + domtrans_pattern($2, mono_exec_t, $1_mono_t) + + fs_dontaudit_rw_tmpfs_files($1_mono_t) -+ -+ optional_policy(` -+ gen_require(` -+ type $1_tmpfs_t; -+ ') -+ xserver_user_x_domain_template($1,$1_mono,$1_mono_t,$1_tmpfs_t) -+ xserver_xdm_rw_shm($1_mono_t) -+ ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500 @@ -4373,7 +4378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-02-27 13:16:07.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-03-04 10:33:57.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -4417,7 +4422,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; allow $1_mozilla_t self:sem create_sem_perms; -@@ -71,10 +80,15 @@ +@@ -66,15 +75,19 @@ + allow $1_mozilla_t self:unix_stream_socket { listen accept }; + # Browse the web, connect to printer + allow $1_mozilla_t self:tcp_socket create_socket_perms; +- allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms; + # for bash - old mozilla binary can_exec($1_mozilla_t, mozilla_exec_t) @@ -4436,7 +4446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. userdom_search_user_home_dirs($1,$1_mozilla_t) # Mozpluggerrc -@@ -89,22 +103,48 @@ +@@ -89,22 +102,48 @@ allow $2 $1_mozilla_t:unix_stream_socket connectto; # X access, Home files @@ -4498,7 +4508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -112,11 +152,13 @@ +@@ -112,11 +151,13 @@ ps_process_pattern($2,$1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; @@ -4514,7 +4524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Look for plugins corecmd_list_bin($1_mozilla_t) -@@ -165,10 +207,23 @@ +@@ -165,13 +206,28 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) @@ -4538,9 +4548,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) -@@ -184,14 +239,10 @@ - sysnet_dns_name_resolve($1_mozilla_t) - sysnet_read_config($1_mozilla_t) ++ auth_use_nsswitch($1_mozilla_t) ++ + libs_use_ld_so($1_mozilla_t) + libs_use_shared_libs($1_mozilla_t) + +@@ -180,18 +236,10 @@ + miscfiles_read_fonts($1_mozilla_t) + miscfiles_read_localization($1_mozilla_t) + +- # Browse the web, connect to printer +- sysnet_dns_name_resolve($1_mozilla_t) +- sysnet_read_config($1_mozilla_t) ++ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) ++ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) - userdom_manage_user_home_content_dirs($1,$1_mozilla_t) - userdom_manage_user_home_content_files($1,$1_mozilla_t) @@ -4548,15 +4569,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - userdom_manage_user_tmp_dirs($1,$1_mozilla_t) - userdom_manage_user_tmp_files($1,$1_mozilla_t) - userdom_manage_user_tmp_sockets($1,$1_mozilla_t) -+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) -+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t) - +- - xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) + xserver_user_x_domain_template($1,$1_mozilla,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) -@@ -211,131 +262,8 @@ +@@ -211,131 +259,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -4690,7 +4709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,19 +278,27 @@ +@@ -350,19 +275,27 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -4720,18 +4739,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -370,6 +306,10 @@ +@@ -370,37 +303,18 @@ ') optional_policy(` +- mplayer_domtrans_user_mplayer($1, $1_mozilla_t) +- mplayer_read_user_home_files($1, $1_mozilla_t) + nsplugin_per_role_template($1, $1_mozilla_t, $1_r) -+ ') -+ -+ optional_policy(` - mplayer_domtrans_user_mplayer($1, $1_mozilla_t) - mplayer_read_user_home_files($1, $1_mozilla_t) ') -@@ -382,25 +322,6 @@ + + optional_policy(` +- nscd_socket_use($1_mozilla_t) ++ mplayer_domtrans_user_mplayer($1, $1_mozilla_t) ++ mplayer_read_user_home_files($1, $1_mozilla_t) + ') + + optional_policy(` thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -4757,7 +4780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -430,11 +351,11 @@ +@@ -430,11 +344,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` @@ -4772,7 +4795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -464,11 +385,10 @@ +@@ -464,11 +378,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -4786,7 +4809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -573,3 +493,27 @@ +@@ -573,3 +486,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -4973,8 +4996,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-02-26 16:13:57.000000000 -0500 -@@ -0,0 +1,339 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-04 14:46:08.000000000 -0500 +@@ -0,0 +1,344 @@ + +## policy for nsplugin + @@ -5188,6 +5211,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + type nsplugin_rw_t; + ') + nsplugin_use($1, $2) ++ ++ optional_policy(` ++ xserver_common_app_template($2, nsplugin_t) ++ ') ++ + role $3 types nsplugin_t; + role $3 types nsplugin_config_t; +') @@ -5316,7 +5344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-02-27 12:47:03.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-04 10:03:36.000000000 -0500 @@ -0,0 +1,154 @@ + +policy_module(nsplugin,1.0.0) @@ -5383,6 +5411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +domain_dontaudit_read_all_domains_state(nsplugin_t) + +dev_read_rand(nsplugin_t) ++dev_read_sound(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) @@ -5423,7 +5452,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + xserver_stream_connect_xdm_xserver(nsplugin_t) + xserver_xdm_rw_shm(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) -+ xserver_xdm_x_domain_template(nsplugin,nsplugin_t) +') + +######################################## @@ -6199,7 +6227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-03-04 15:06:28.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) @@ -6255,7 +6283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) -@@ -170,7 +177,11 @@ +@@ -170,7 +177,12 @@ network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -6264,6 +6292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(vnc, tcp,5900,s0) +# Reserve 100 ports for vnc/virt machines +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0) ++network_port(whois, tcp,43,s0, udp,43,s0) network_port(wccp, udp,2048,s0) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) @@ -6849,7 +6878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-02-26 16:54:46.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-04 16:23:38.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -6875,7 +6904,57 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Unmount a rootfs filesystem. ## ## -@@ -2707,6 +2725,24 @@ +@@ -2187,6 +2205,49 @@ + + ######################################## + ## ++## Delete directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_isid_type_dirs',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ delete_dirs_pattern($1, file_t, file_t) ++') ++ ++######################################## ++## ++## Delete files on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_isid_type_files',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ delete_files_pattern($1, file_t, file_t) ++ delete_lnk_files_pattern($1, file_t, file_t) ++ delete_fifo_files_pattern($1, file_t, file_t) ++ delete_sock_files_pattern($1, file_t, file_t) ++ delete_blk_files_pattern($1, file_t, file_t) ++ delete_chr_files_pattern($1, file_t, file_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to search directories on new filesystems + ## that have not yet been labeled. + ## +@@ -2707,6 +2768,24 @@ ######################################## ## @@ -6900,7 +6979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete symbolic links in /mnt. ## ## -@@ -4717,7 +4753,6 @@ +@@ -4717,7 +4796,6 @@ files_search_home($1) corecmd_exec_bin($1) seutil_domtrans_setfiles($1) @@ -6908,7 +6987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -4756,3 +4791,54 @@ +@@ -4756,3 +4834,54 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') @@ -6977,7 +7056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-02-29 09:10:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-03-04 08:35:34.000000000 -0500 @@ -310,6 +310,25 @@ ######################################## @@ -7073,13 +7152,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -3551,3 +3609,103 @@ +@@ -3551,3 +3609,123 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') + +######################################## +## ++## Search directories ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_search_fusefs_dirs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Create, read, write, and delete directories +## on a FUSEFS filesystem. +## @@ -9695,7 +9794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.3.1/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2007-09-17 15:56:47.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/bitlbee.te 2008-02-26 16:46:31.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/bitlbee.te 2008-03-03 11:03:16.000000000 -0500 @@ -17,6 +17,9 @@ type bitlbee_var_t; files_type(bitlbee_var_t) @@ -9719,6 +9818,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl files_read_etc_files(bitlbee_t) files_search_pids(bitlbee_t) # grant read-only access to the user help files +@@ -62,6 +71,8 @@ + libs_legacy_use_shared_libs(bitlbee_t) + libs_use_ld_so(bitlbee_t) + ++miscfiles_read_localization(bitlbee_t) ++ + sysnet_dns_name_resolve(bitlbee_t) + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.3.1/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/bluetooth.fc 2008-02-26 08:29:22.000000000 -0500 @@ -10131,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.3.1/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/clamav.te 2008-02-29 09:36:56.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/clamav.te 2008-03-03 09:52:23.000000000 -0500 @@ -48,6 +48,9 @@ type freshclam_var_log_t; logging_log_file(freshclam_var_log_t) @@ -10148,20 +10256,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam kernel_read_kernel_sysctls(clamd_t) +kernel_read_system_state(clamd_t) + -+corecmd_search_bin(clamd_t) ++corecmd_exec_shell(clamd_t) corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) -@@ -120,6 +126,8 @@ +@@ -120,6 +126,9 @@ cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) +mta_read_config(clamd_t) ++mta_send_mail(clamd_t) + optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -127,6 +135,10 @@ +@@ -127,6 +136,10 @@ amavis_create_pid_files(clamd_t) ') @@ -10172,7 +10281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # Freshclam local policy -@@ -233,3 +245,7 @@ +@@ -233,3 +246,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) ') @@ -11095,7 +11204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-03-04 10:00:21.000000000 -0500 @@ -43,14 +43,12 @@ type cupsd_var_run_t; @@ -11744,7 +11853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-02-26 12:56:03.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-03-04 10:11:49.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -11816,7 +11925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus selinux_get_fs_mount($1_dbusd_t) selinux_validate_context($1_dbusd_t) -@@ -161,12 +164,23 @@ +@@ -161,12 +164,24 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) @@ -11825,6 +11934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + userdom_read_unpriv_users_home_content_files($1_dbusd_t) + userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t) + term_dontaudit_use_all_user_ptys($1_dbusd_t) ++ term_dontaudit_use_all_user_ttys($1_dbusd_t) ifdef(`hide_broken_symptoms', ` dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; @@ -11841,7 +11951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus tunable_policy(`read_default_t',` files_list_default($1_dbusd_t) files_read_default_files($1_dbusd_t) -@@ -182,6 +196,7 @@ +@@ -182,6 +197,7 @@ optional_policy(` xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) @@ -11849,7 +11959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ') -@@ -209,12 +224,9 @@ +@@ -209,12 +225,9 @@ class dbus send_msg; ') @@ -11864,7 +11974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -223,6 +235,10 @@ +@@ -223,6 +236,10 @@ files_search_pids($2) stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) dbus_read_config($2) @@ -11875,7 +11985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -251,18 +267,16 @@ +@@ -251,18 +268,16 @@ template(`dbus_user_bus_client_template',` gen_require(` type $1_dbusd_t; @@ -11896,7 +12006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ######################################## -@@ -292,6 +306,59 @@ +@@ -292,6 +307,59 @@ ######################################## ## @@ -11956,7 +12066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +433,55 @@ +@@ -366,3 +434,55 @@ allow $1 system_dbusd_t:dbus *; ') @@ -13438,7 +13548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-02-28 15:39:03.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-04 15:04:18.000000000 -0500 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) @@ -13467,7 +13577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +files_list_var(fail2ban_t) +files_search_var_lib(fail2ban_t) + -+fs_search_inotifyfs(fail2ban_t) ++fs_list_inotifyfs(fail2ban_t) libs_use_ld_so(fail2ban_t) libs_use_shared_libs(fail2ban_t) @@ -19376,7 +19486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-03-04 15:19:05.000000000 -0500 @@ -60,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -19419,7 +19529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. +dev_dontaudit_getattr_all_blk_files(nfsd_t) +dev_dontaudit_getattr_all_chr_files(nfsd_t) + -+dev_read_lvm_control(nfsd_t) ++dev_rw_lvm_control(nfsd_t) +storage_dontaudit_raw_read_fixed_disk(nfsd_t) + # for /proc/fs/nfs/exports - should we have a new type? @@ -22901,8 +23011,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-29 17:24:22.000000000 -0500 -@@ -15,6 +15,11 @@ ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-04 14:49:58.000000000 -0500 +@@ -12,9 +12,15 @@ + ## + ## + # ++ template(`xserver_common_domain_template',` gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -22914,7 +23028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -22,7 +27,10 @@ +@@ -22,7 +28,10 @@ # Declarations # @@ -22926,7 +23040,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_type($1_xserver_t) domain_entry_file($1_xserver_t,xserver_exec_t) -@@ -45,7 +53,7 @@ +@@ -33,7 +42,7 @@ + files_tmpfs_file($1_xserver_tmpfs_t) + + ############################## +- # ++ + # $1_xserver_t local policy + # + +@@ -45,7 +54,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -22935,7 +23058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dontaudit $1_xserver_t self:capability chown; allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_xserver_t self:memprotect mmap_zero; -@@ -83,6 +91,11 @@ +@@ -83,6 +92,11 @@ manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t) logging_log_filetrans($1_xserver_t,xserver_log_t,file) @@ -22947,7 +23070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state($1_xserver_t) kernel_read_device_sysctls($1_xserver_t) kernel_read_modprobe_sysctls($1_xserver_t) -@@ -115,18 +128,23 @@ +@@ -115,18 +129,23 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) @@ -22973,7 +23096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -140,12 +158,16 @@ +@@ -140,12 +159,16 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) @@ -22991,7 +23114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -153,13 +175,17 @@ +@@ -153,13 +176,17 @@ libs_use_shared_libs($1_xserver_t) logging_send_syslog_msg($1_xserver_t) @@ -23010,7 +23133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow $1_xserver_t self:process { execmem execheap execstack }; -@@ -169,6 +195,46 @@ +@@ -169,6 +196,46 @@ allow $1_xserver_t self:process { execmem execheap execstack }; ') @@ -23023,7 +23146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + allow $1_xserver_t input_xevent_t:x_event send; + allow $1_xserver_t x_rootwindow_t:x_drawable send; -+ allow $1_xserver_t xdm_input_xevent_t:x_event send; ++ allow $1_xserver_t xdm_t:x_event send; + allow $1_xserver_t $1_t:x_drawable send; + + ',` @@ -23057,7 +23180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` apm_stream_connect($1_xserver_t) ') -@@ -223,8 +289,10 @@ +@@ -223,8 +290,10 @@ template(`xserver_per_role_template',` gen_require(` @@ -23070,7 +23193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -232,189 +300,119 @@ +@@ -232,189 +301,119 @@ # Declarations # @@ -23191,16 +23314,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` - userhelper_search_config($1_xserver_t) -+ userhelper_search_config(xdm_xserver_t) - ') - +- ') +- - ifdef(`TODO',` - ifdef(`xdm.te', ` - allow $1_t xdm_tmp_t:sock_file unlink; - allow $1_xserver_t xdm_var_run_t:dir search; -- ') ++ userhelper_search_config(xdm_xserver_t) + ') - ') dnl end TODO -- + ############################## # - # $1_xauth_t Local policy @@ -23212,12 +23335,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) -+ domtrans_pattern($2, xauth_exec_t, xauth_t) - +- - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -- ++ domtrans_pattern($2, xauth_exec_t, xauth_t) + - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) - - allow $2 $1_xauth_t:process signal; @@ -23231,10 +23354,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) -- -- domain_use_interactive_fds($1_xauth_t) + ps_process_pattern($2,xauth_t) +- domain_use_interactive_fds($1_xauth_t) +- - files_read_etc_files($1_xauth_t) - files_search_pids($1_xauth_t) - @@ -23312,7 +23435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') -+ allow $2 { input_xevent_t xdm_input_xevent_type }:x_event send; ++ allow $2 { input_xevent_t }:x_event send; + allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; - tunable_policy(`use_samba_home_dirs',` @@ -23324,7 +23447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -521,19 +519,18 @@ +@@ -521,19 +520,18 @@ ## # template(`xserver_user_client_template',` @@ -23352,7 +23475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +539,382 @@ +@@ -542,25 +540,465 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -23414,6 +23537,104 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +####################################### +## ++## Interface to provide X object paste ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Client domain allowed access. ++## ++## ++# ++template(`xserver_paste',` ++ allow $2_t $1_t:x_synthetic_event send; ++ allow $1_t $2_t:x_property destroy; ++') ++ ++####################################### ++## ++## Interface to provide X object cut ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Client domain allowed access. ++## ++## ++# ++template(`xserver_cut',` ++ allow $2_t $1_t:x_synthetic_event send; ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on an X Application ++## Provides the minimal set required by a basic X client application. ++## ++## ++## ++## The X user domain (e.g., user_t). ++## ++## ++## ++## ++## Client domain allowed access. ++## ++## ++# ++template(`xserver_common_app_template',` ++ gen_require(` ++ type x_rootwindow_t, x_rootcolormap_t, std_xext_t, shmem_xext_t; ++ type default_xproperty_t, info_xproperty_t, clipboard_xproperty_t; ++ type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; ++ type default_xevent_t, client_xevent_t; ++ type clipboard_xselection_t, default_xselection_t; ++ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t; ++ type disallowed_xext_t; ++ type output_xext_t; ++ ++ attribute x_server_domain, x_domain; ++ attribute xproperty_type; ++ attribute xevent_type, xextension_type; ++ class x_drawable all_x_drawable_perms; ++ class x_screen all_x_screen_perms; ++ class x_gc all_x_gc_perms; ++ class x_font all_x_font_perms; ++ class x_colormap all_x_colormap_perms; ++ class x_property all_x_property_perms; ++ class x_selection all_x_selection_perms; ++ class x_cursor all_x_cursor_perms; ++ class x_client all_x_client_perms; ++ class x_device all_x_device_perms; ++ class x_server all_x_server_perms; ++ class x_extension all_x_extension_perms; ++ class x_resource all_x_resource_perms; ++ class x_event all_x_event_perms; ++ class x_synthetic_event all_x_synthetic_event_perms; ++ ++ attribute xdm_x_domain; ++ type xdm_t; ++ ') ++ ++ allow $2 $1:x_drawable { hide setattr show receive create manage add_child write read getattr remove_child list_child destroy set_property }; ++ allow $2 $1:x_event receive; ++ allow $2 $1:x_synthetic_event receive; ++ ++ allow $1 $2:x_property read; ++') ++ ++####################################### ++## +## Interface to provide X object permissions on a given X server to +## an X client domain. Provides the minimal set required by a basic +## X client application. @@ -23444,7 +23665,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type default_xevent_t, client_xevent_t; + type clipboard_xselection_t, default_xselection_t; + type screensaver_xext_t, unknown_xext_t, x_rootscreen_t; -+ type xdm_default_xproperty_t; + type disallowed_xext_t; + type output_xext_t; + @@ -23467,7 +23687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; + -+ attribute xdm_x_domain, xdm_input_xevent_type; ++ attribute xdm_x_domain; + type xdm_t; + ') + @@ -23480,15 +23700,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + typeattribute $2_t xdm_x_domain, x_domain; + + # Types for properties -+ type $2_default_xproperty_t, xproperty_type; ++# type $2_default_xproperty_t, xproperty_type; + + # Types for events -+ type $2_input_xevent_t, xdm_input_xevent_type, xevent_type; -+ type $2_property_xevent_t, xevent_type; -+ type $2_focus_xevent_t, xevent_type; -+ type $2_manage_xevent_t, xevent_type; -+ type $2_default_xevent_t, xevent_type; -+ type $2_client_xevent_t, xevent_type; ++# type $2_input_xevent_t, xdm_input_xevent_type, xevent_type; ++# type $2_property_xevent_t, xevent_type; ++# type $2_focus_xevent_t, xevent_type; ++# type $2_manage_xevent_t, xevent_type; ++# type $2_default_xevent_t, xevent_type; ++# type $2_client_xevent_t, xevent_type; + + ############################## + # @@ -23523,22 +23743,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $3 $3:x_client { manage destroy }; + + # X Protocol Extensions -+ allow $3 std_xext_t:x_extension { query use }; -+ allow $3 shmem_xext_t:x_extension { query use }; ++ allow $3 std_xext_t:x_extension { use }; ++ allow $3 shmem_xext_t:x_extension { use }; + dontaudit $3 xextension_type:x_extension query; + + # X Properties + # can read and write client properties -+ allow $3 $2_default_xproperty_t:x_property { create destroy read write }; -+ allow $1_t $2_default_xproperty_t:x_property { read }; -+ -+ allow $3 default_xproperty_t:x_property read; ++ allow $3 $3:x_property { create destroy read write }; ++ allow $3 default_xproperty_t:x_property { read write destroy create }; ++ allow $3 output_xext_t:x_extension { use }; ++ allow $3 output_xext_t:x_property read; + -+ allow $3 output_xext_t:x_extension use; -+ -+ allow $3 xdm_default_xproperty_t:x_property { write read }; -+ -+ type_transition $2_t default_xproperty_t:x_property $2_default_xproperty_t; ++ type_transition $2_t default_xproperty_t:x_property $2_t; + # can read and write cut buffers + allow $3 clipboard_xproperty_t:x_property { create read write }; + # can read/write info properties @@ -23551,7 +23767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + # X Windows + # operations allowed on root windows -+ allow $3 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show }; ++ allow $3 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show override destroy create hide }; + + # operations allowed on my windows + allow $3 $3:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23561,45 +23777,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # can use the default colormap + allow $3 x_rootcolormap_t:x_colormap { read use add_color install uninstall }; + -+ allow $3 $1_t:x_client destroy; -+ allow $3 $1_t:x_drawable { receive get_property getattr list_child }; ++ allow $3 $3:x_client destroy; ++ allow $3 $3:x_drawable { receive get_property getattr list_child }; + + # X Input + # can receive own events -+ allow $3 $2_input_xevent_t:{ x_event x_synthetic_event } receive; + allow $3 input_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $1_t $2_input_xevent_t:{ x_event x_synthetic_event } { send receive }; -+ -+ allow $3 $2_property_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $1_t $2_property_xevent_t:{ x_event x_synthetic_event } { send receive }; -+ -+ allow $3 $2_focus_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $1_t $2_focus_xevent_t:{ x_event x_synthetic_event } { send receive }; ++ allow $3 $3:{ x_event x_synthetic_event } { send receive }; + -+ allow $3 $2_manage_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $1_t $2_manage_xevent_t:{ x_event x_synthetic_event } { send receive }; -+ -+ allow $3 $2_default_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $1_t $2_default_xevent_t:{ x_event x_synthetic_event } {send receive }; -+ -+ allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } { send receive }; -+ allow $1_t $2_client_xevent_t:{ x_event x_synthetic_event } { send receive }; -+ type_transition $2_t input_xevent_t:x_event $2_input_xevent_t; -+ type_transition $2_t property_xevent_t:x_event $2_property_xevent_t; -+ type_transition $2_t focus_xevent_t:x_event $2_focus_xevent_t; -+ type_transition $2_t manage_xevent_t:x_event $2_manage_xevent_t; -+ type_transition $2_t default_xevent_t:x_event $2_default_xevent_t; ++ type_transition $2_t input_xevent_t:x_event $2_t; ++ type_transition $2_t property_xevent_t:x_event $2_t; ++ type_transition $2_t focus_xevent_t:x_event $2_t; ++ type_transition $2_t manage_xevent_t:x_event $2_t; ++ type_transition $2_t default_xevent_t:x_event $2_t; + + allow $3 default_xevent_t:x_event receive; + -+ type_transition $2_t client_xevent_t:x_event $2_client_xevent_t; ++ type_transition $2_t client_xevent_t:x_event $2_t; ++ + # can receive certain root window events + allow $3 focus_xevent_t:x_event receive; + allow $3 property_xevent_t:x_event receive; + allow $3 client_xevent_t:x_synthetic_event receive; + allow $3 manage_xevent_t:x_synthetic_event receive; + # can send ICCCM events to myself -+ allow $3 $2_manage_xevent_t:x_synthetic_event send; ++ allow $3 $3:x_synthetic_event send; + # can send ICCCM events to the root window + allow $3 manage_xevent_t:x_synthetic_event send; + allow $3 client_xevent_t:x_synthetic_event send; @@ -23620,10 +23822,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # can read and write own objects + allow $3 $3:x_resource { read write }; + -+ allow $3 screensaver_xext_t:x_extension use; -+ allow $3 unknown_xext_t:x_extension use; -+ allow $3 x_rootscreen_t:x_screen { saver_setattr saver_getattr setattr }; -+ allow $3 disallowed_xext_t:x_extension use; ++ allow $3 screensaver_xext_t:x_extension { use }; ++ allow $3 unknown_xext_t:x_extension { use }; ++ ++ allow $3 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr }; ++ ++ allow $3 disallowed_xext_t:x_extension { use }; + + tunable_policy(`! xserver_object_manager',` + # should be xserver_unconfined($3), @@ -23653,11 +23857,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $3 xevent_type:{ x_event x_synthetic_event } *; + ') + -+ allow $3 xdm_t:x_client destroy; -+ allow $3 xdm_t:x_drawable { receive get_property getattr list_child }; -+ -+ allow x_server_domain $2_input_xevent_t:x_event send; ++ allow x_server_domain $3:x_event send; + allow x_server_domain $3:x_drawable send; ++ ++ allow $3 xdm_t:x_client destroy; ++ allow $3 xdm_t:x_drawable { get_property receive getattr read send list_child }; ++ allow $3 xdm_t:x_property { write read }; ++ allow $3 xdm_t:x_synthetic_event send; +') + +####################################### @@ -23741,7 +23947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +947,44 @@ +@@ -593,26 +1031,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -23793,7 +23999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +1010,77 @@ +@@ -638,10 +1094,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -23832,8 +24038,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_xauth',` + gen_require(` + type user_xauth_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + allow $2 user_xauth_home_t:file { getattr read }; +') + @@ -23865,15 +24072,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_iceauth',` + gen_require(` + type user_iceauth_home_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + # Read .Iceauthority file + allow $2 user_iceauth_home_t:file { getattr read }; ') ######################################## -@@ -671,10 +1110,10 @@ +@@ -671,10 +1194,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -23886,7 +24092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1199,7 @@ +@@ -760,7 +1283,7 @@ type xconsole_device_t; ') @@ -23895,7 +24101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1299,25 @@ +@@ -860,6 +1383,25 @@ ######################################## ## @@ -23921,7 +24127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1372,7 @@ +@@ -914,6 +1456,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -23929,7 +24135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1414,24 @@ +@@ -955,6 +1498,24 @@ ######################################## ## @@ -23954,7 +24160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1442,47 @@ +@@ -965,15 +1526,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24003,7 +24209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1632,7 @@ +@@ -1123,7 +1716,7 @@ type xdm_xserver_tmp_t; ') @@ -24012,7 +24218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1821,108 @@ +@@ -1312,3 +1905,82 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -24095,32 +24301,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + typeattribute $1 xserver_unconfined_type; +') -+ -+####################################### -+## -+## Interface to provide X object permissions on the xdm X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X client domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Client domain allowed access. -+## -+## -+# -+interface(`xserver_xdm_x_domain_template', ` -+ gen_require(` -+ type xdm_t; -+ ') -+ -+ xserver_common_x_domain_template(xdm,$1,$2) -+') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-28 16:46:06.000000000 -0500 @@ -24907,8 +25087,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.3.1/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-02-26 08:29:22.000000000 -0500 -@@ -40,6 +40,10 @@ ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-03-04 15:32:26.000000000 -0500 +@@ -13,6 +13,7 @@ + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) + /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) + /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) + /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ifdef(`distro_suse', ` +@@ -40,6 +41,10 @@ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) @@ -26768,7 +26956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-03-04 08:35:40.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -26829,7 +27017,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. fs_getattr_xattr_fs(mount_t) fs_getattr_cifs(mount_t) -@@ -100,6 +105,8 @@ +@@ -72,6 +77,7 @@ + fs_list_auto_mountpoints(mount_t) + fs_rw_tmpfs_chr_files(mount_t) + fs_read_tmpfs_symlinks(mount_t) ++fs_search_fusefs_dirs(mount_t) + + term_use_all_terms(mount_t) + +@@ -100,6 +106,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -26838,15 +27034,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. auth_use_nsswitch(mount_t) -@@ -119,6 +126,7 @@ +@@ -119,6 +127,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_read_sysadm_home_content_files(mount_t) ++userdom_manage_generic_user_home_content_dirs(mount_t) ifdef(`distro_redhat',` optional_policy(` -@@ -167,6 +175,8 @@ +@@ -167,6 +177,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -26855,7 +27052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -181,6 +191,11 @@ +@@ -181,6 +193,11 @@ ') ') @@ -26867,7 +27064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -188,6 +203,7 @@ +@@ -188,6 +205,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -26875,7 +27072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -198,4 +214,26 @@ +@@ -198,4 +216,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -27851,7 +28048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran allow setrans_t self:netlink_selinux_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-04 15:18:51.000000000 -0500 @@ -145,6 +145,25 @@ ######################################## @@ -28150,7 +28347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-03-04 10:17:41.000000000 -0500 @@ -2,15 +2,18 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -28170,7 +28367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if @@ -28452,7 +28649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-02-27 16:50:07.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-04 16:05:25.000000000 -0500 @@ -6,35 +6,67 @@ # Declarations # @@ -28525,7 +28722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,7 +74,10 @@ +@@ -42,23 +74,36 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -28536,7 +28733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -51,14 +86,23 @@ + unconfined_domain(unconfined_t) ++domain_mmap_low(unconfined_t) + userdom_priveleged_home_dir_manager(unconfined_t) optional_policy(` @@ -28564,7 +28763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -69,11 +113,11 @@ +@@ -69,11 +114,11 @@ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') @@ -28581,7 +28780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` init_dbus_chat_script(unconfined_t) -@@ -101,12 +145,24 @@ +@@ -101,12 +146,24 @@ ') optional_policy(` @@ -28606,7 +28805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +174,7 @@ +@@ -118,11 +175,7 @@ ') optional_policy(` @@ -28619,7 +28818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +186,6 @@ +@@ -134,14 +187,6 @@ ') optional_policy(` @@ -28634,7 +28833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +198,37 @@ +@@ -154,38 +199,37 @@ ') optional_policy(` @@ -28687,7 +28886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +248,30 @@ +@@ -205,11 +249,30 @@ ') optional_policy(` @@ -28720,7 +28919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +281,34 @@ +@@ -219,14 +282,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -28775,7 +28974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-02-29 16:26:11.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-03 16:30:45.000000000 -0500 @@ -29,9 +29,14 @@ ') @@ -29323,7 +29522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,183 +672,193 @@ +@@ -692,183 +672,194 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -29487,6 +29686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) + consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` @@ -29598,7 +29798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -895,6 +885,8 @@ +@@ -895,6 +886,8 @@ ## # template(`userdom_login_user_template', ` @@ -29607,7 +29807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,26 +915,26 @@ +@@ -923,26 +916,26 @@ allow $1_t self:context contains; @@ -29648,7 +29848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_dontaudit_write_login_records($1_t) -@@ -950,43 +942,43 @@ +@@ -950,43 +943,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -29710,7 +29910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1020,9 +1012,6 @@ +@@ -1020,9 +1013,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -29720,7 +29920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1020,29 @@ +@@ -1031,16 +1021,29 @@ # # privileged home directory writers @@ -29756,7 +29956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1070,13 @@ +@@ -1068,6 +1071,13 @@ userdom_restricted_user_template($1) @@ -29770,7 +29970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1085,14 @@ +@@ -1076,14 +1086,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -29790,7 +29990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1100,25 @@ +@@ -1091,32 +1101,25 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -29832,7 +30032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1129,10 @@ +@@ -1127,10 +1130,10 @@ ## ## ##

@@ -29847,7 +30047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1193,12 +1195,11 @@ +@@ -1193,12 +1196,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -29862,7 +30062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1208,27 @@ +@@ -1207,7 +1209,27 @@ ') optional_policy(` @@ -29891,7 +30091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1305,6 @@ +@@ -1284,8 +1306,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -29900,7 +30100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1363,13 +1382,6 @@ +@@ -1363,13 +1383,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29914,7 +30114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1434,7 @@ +@@ -1422,6 +1435,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29922,7 +30122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1800,14 @@ +@@ -1787,10 +1801,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -29938,7 +30138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1903,11 @@ +@@ -1886,11 +1904,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -29952,7 +30152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1937,11 @@ +@@ -1920,11 +1938,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -29966,7 +30166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1985,12 @@ +@@ -1968,12 +1986,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -29982,7 +30182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2020,10 @@ +@@ -2003,10 +2021,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -29995,7 +30195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2055,47 @@ +@@ -2038,11 +2056,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -30045,7 +30245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2127,10 @@ +@@ -2074,10 +2128,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -30058,7 +30258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2160,11 @@ +@@ -2107,11 +2161,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -30072,7 +30272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2194,11 @@ +@@ -2141,11 +2195,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -30087,7 +30287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2228,14 @@ +@@ -2175,10 +2229,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -30104,7 +30304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2265,11 @@ +@@ -2208,11 +2266,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -30118,7 +30318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2299,11 @@ +@@ -2242,11 +2300,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -30132,7 +30332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2333,10 @@ +@@ -2276,10 +2334,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -30145,7 +30345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2368,12 @@ +@@ -2311,12 +2369,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -30161,7 +30361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2405,10 @@ +@@ -2348,10 +2406,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -30174,7 +30374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2440,12 @@ +@@ -2383,12 +2441,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -30190,7 +30390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2477,12 @@ +@@ -2420,12 +2478,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -30206,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2514,12 @@ +@@ -2457,12 +2515,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -30222,7 +30422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2564,11 @@ +@@ -2507,11 +2565,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -30236,7 +30436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2613,11 @@ +@@ -2556,11 +2614,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -30250,7 +30450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2657,11 @@ +@@ -2600,11 +2658,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -30264,7 +30464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2691,11 @@ +@@ -2634,11 +2692,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -30278,7 +30478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2725,11 @@ +@@ -2668,11 +2726,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -30292,7 +30492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2761,10 @@ +@@ -2704,10 +2762,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -30305,7 +30505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2796,10 @@ +@@ -2739,10 +2797,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -30318,7 +30518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2829,12 @@ +@@ -2772,12 +2830,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -30334,7 +30534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2866,10 @@ +@@ -2809,10 +2867,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -30347,7 +30547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2901,48 @@ +@@ -2844,10 +2902,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -30398,7 +30598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2972,12 @@ +@@ -2877,12 +2973,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -30414,7 +30614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3009,10 @@ +@@ -2914,10 +3010,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -30427,7 +30627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3044,12 @@ +@@ -2949,12 +3045,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -30443,7 +30643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3081,11 @@ +@@ -2986,11 +3082,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -30457,7 +30657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3117,11 @@ +@@ -3022,11 +3118,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -30471,7 +30671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3153,11 @@ +@@ -3058,11 +3154,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -30485,7 +30685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3189,11 @@ +@@ -3094,11 +3190,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -30499,7 +30699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3225,11 @@ +@@ -3130,11 +3226,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -30513,7 +30713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3274,10 @@ +@@ -3179,10 +3275,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -30526,7 +30726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3318,10 @@ +@@ -3223,10 +3319,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -30539,7 +30739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3349,42 @@ +@@ -3254,6 +3350,42 @@ ## ## # @@ -30582,7 +30782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4231,11 +4362,11 @@ +@@ -4231,11 +4363,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -30596,7 +30796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4382,10 @@ +@@ -4251,10 +4383,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -30609,7 +30809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4401,11 @@ +@@ -4270,11 +4402,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -30623,7 +30823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4420,16 @@ +@@ -4289,16 +4421,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -30643,7 +30843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4438,27 @@ +@@ -4307,12 +4439,27 @@ ## ## # @@ -30674,7 +30874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4473,13 @@ +@@ -4327,13 +4474,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -30692,7 +30892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4677,10 @@ +@@ -4531,10 +4678,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -30705,7 +30905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4697,10 @@ +@@ -4551,10 +4698,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -30718,7 +30918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4715,10 @@ +@@ -4569,10 +4716,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -30731,7 +30931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4734,10 @@ +@@ -4588,10 +4735,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -30744,7 +30944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4752,10 @@ +@@ -4606,10 +4753,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -30757,7 +30957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4771,10 @@ +@@ -4625,10 +4772,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -30770,7 +30970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4790,11 @@ +@@ -4644,12 +4791,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -30786,7 +30986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4821,10 @@ +@@ -4676,10 +4822,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -30799,7 +30999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4839,10 @@ +@@ -4694,10 +4840,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -30812,7 +31012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4857,13 @@ +@@ -4712,13 +4858,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -30830,7 +31030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4899,49 @@ +@@ -4754,11 +4900,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -30881,7 +31081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +4961,14 @@ +@@ -4778,6 +4962,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -30896,7 +31096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5030,26 @@ +@@ -4839,6 +5031,26 @@ ######################################## ##

@@ -30923,7 +31123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5070,25 @@ +@@ -4859,6 +5071,25 @@ ######################################## ## @@ -30949,7 +31149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5109,26 @@ +@@ -4879,6 +5110,26 @@ ######################################## ## @@ -30976,7 +31176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5365,7 @@ +@@ -5115,7 +5366,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -30985,7 +31185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5554,50 @@ +@@ -5304,6 +5555,50 @@ ######################################## ## @@ -31036,7 +31236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5803,42 @@ +@@ -5509,6 +5804,42 @@ ######################################## ## @@ -31079,7 +31279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5674,6 +6004,42 @@ +@@ -5674,6 +6005,42 @@ ######################################## ## @@ -31122,7 +31322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6070,368 @@ +@@ -5704,3 +6071,368 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index fa46cda..997be30 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -388,6 +388,9 @@ exit 0 %endif %changelog +* Mon Mar 3 2008 Dan Walsh 3.3.1-10 +- Allow bitlebee to read locale_t + * Fri Feb 29 2008 Dan Walsh 3.3.1-9 - More xselinux rules