diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 9f442ff..f2994aa 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -269,8 +269,8 @@ allow_qemu_full_network=true # Allow nsplugin execmem/execstack for bad plugins # -allow_nsplugin_execmem=false +allow_nsplugin_execmem=true # Allow unconfined domain to transition to confined domain # -allow_unconfined_nsplugin_transition=true +allow_unconfined_nsplugin_transition=false diff --git a/policy-20071130.patch b/policy-20071130.patch index bd5aa49..ecc369f 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2794,7 +2794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.3.1/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/usermanage.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/usermanage.te 2008-04-08 09:10:03.000000000 -0400 @@ -97,6 +97,7 @@ # allow checking if a shell is executable @@ -2827,7 +2827,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman libs_use_ld_so(passwd_t) libs_use_shared_libs(passwd_t) -@@ -503,6 +507,7 @@ +@@ -334,6 +338,7 @@ + # user generally runs this from their home directory, so do not audit a search + # on user home dir + userdom_dontaudit_search_all_users_home_content(passwd_t) ++userdom_unpriv_users_stream_connect(passwd_t) + + optional_policy(` + nscd_domtrans(passwd_t) +@@ -503,6 +508,7 @@ userdom_use_unpriv_users_fds(useradd_t) # for when /root is the cwd userdom_dontaudit_search_sysadm_home_dirs(useradd_t) 
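Review bot: The default flip to `allow_nsplugin_execmem=true` grants execmem/execstack to nsplugin_t on every targeted install, while the comment two lines above still describes the boolean as a workaround for bad plugins; a workaround for misbehaving plugins should ship off and be enabled per host with `setsebool -P allow_nsplugin_execmem on`, because anonymous executable memory in the browser-plugin domain is exactly the mitigation this policy is meant to provide. Combined with `allow_unconfined_nsplugin_transition=false` in the same hunk, the default (unconfined) targeted user no longer moves plugins into nsplugin_t at all, and the users who do opt into the transition get it with execmem already on, so confinement of plugins is weaker on both sides after this change. If both defaults are deliberate, update the comment to name the plugins that require execmem so the trade-off is visible in the shipped file rather than only in the changelog.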
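Review bot: `userdom_unpriv_users_stream_connect(passwd_t)` lets the setuid passwd domain connect to any unprivileged user's unix stream socket, and unlike the neighbouring `userdom_dontaudit_search_all_users_home_content(passwd_t)` it is an allow rule with no comment saying which socket passwd needs to reach. A user-owned socket is attacker-controlled input for a privileged domain, so please name the consumer above the line, e.g. `# passwd connects to the user's per-session socket (name the daemon here)`, or scope the rule to that daemon's socket type if one exists. The passwd_t rule block continues outside this hunk.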
@@ -2835,7 +2843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # Add/remove user home directories userdom_home_filetrans_generic_user_home_dir(useradd_t) userdom_manage_all_users_home_content_dirs(useradd_t) -@@ -525,6 +530,12 @@ +@@ -525,6 +531,12 @@ ') optional_policy(` @@ -5207,8 +5215,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-04-05 07:58:19.000000000 -0400 -@@ -0,0 +1,352 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-04-08 13:32:39.000000000 -0400 +@@ -0,0 +1,353 @@ + +## policy for nsplugin + @@ -5376,6 +5384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; + dontaudit nsplugin_t $2:udp_socket rw_socket_perms; + dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms; + dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms; + dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms; + dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms; 
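Review bot: The new `dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;` has no counterpart in the nsplugin_config_t block that immediately follows, even though the tcp, udp and unix_stream dontaudit lines are otherwise mirrored between the two domains; either add `dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;` or comment why the config domain should keep auditing dgram access. Because these are dontaudit rules on descriptors inherited from the caller, a one-line comment above the block stating that the denials are expected leakage rather than an access the plugin needs would help the next reader decide whether the list is complete. The enclosing interface starts and ends outside the hunk.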
@@ -5563,8 +5572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-06 06:06:06.000000000 -0400 -@@ -0,0 +1,187 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-08 13:28:42.000000000 -0400 +@@ -0,0 +1,188 @@ + +policy_module(nsplugin,1.0.0) + @@ -5630,6 +5639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +corenet_all_recvfrom_unlabeled(nsplugin_t) +corenet_all_recvfrom_netlabel(nsplugin_t) +corenet_tcp_connect_flash_port(nsplugin_t) ++corenet_tcp_connect_pulseaudio_port(nsplugin_t) +corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_all_nodes(nsplugin_t) @@ -6723,7 +6733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-05 15:02:25.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-08 13:28:17.000000000 -0400 @@ -75,6 +75,7 @@ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) 
@@ -6765,10 +6775,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -133,10 +139,12 @@ +@@ -133,10 +139,13 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) ++network_port(pulseaudio, tcp,4713,s0) +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) @@ -6778,7 +6789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -148,11 +156,11 @@ +@@ -148,11 +157,11 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -6792,7 +6803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) -@@ -170,7 +178,12 @@ +@@ -170,7 +179,12 @@ network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
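Review bot: `network_port(pulseaudio, tcp,4713,s0)` is inserted ahead of pgpkeyserver, pop and portmap, breaking the alphabetical order the rest of the corenetwork.te.in port list keeps; it belongs after `network_port(ptal, tcp,5703,s0)`. Out-of-order entries in this file make it easy to miss a duplicate declaration when a later patch adds the same port, so moving the line now is cheap. This is an ordering point only; the declaration itself is fine.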
@@ -7382,13 +7393,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +dontaudit can_change_object_identity can_change_object_identity:key link; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.3.1/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.fc 2008-04-07 21:39:29.000000000 -0400 -@@ -31,7 +31,7 @@ - /boot/\.journal <> ++++ serefpolicy-3.3.1/policy/modules/kernel/files.fc 2008-04-08 13:17:18.000000000 -0400 +@@ -32,6 +32,7 @@ /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found/.* <> --/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -+/boot(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) + /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) ++/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) # # /emul @@ -10993,7 +11003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-07 22:36:44.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-08 10:52:26.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -11033,7 +11043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) -@@ -47,16 +57,37 @@ +@@ -47,23 +57,72 @@ auth_use_nsswitch(consolekit_t) 
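Review bot: `/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)` only takes effect if /boot/efi is on a filesystem that stores security xattrs; on the usual vfat EFI System Partition file_contexts entries are never applied and every file carries the filesystem's genfscon label, so this line may be dead on the systems it targets. If the ESP is vfat, readers of System.map need a rule on the dosfs type instead (the patch already notes `# Necessary for managing /boot/efi` next to `fs_manage_dos_files` elsewhere); if some installer puts System.map under a non-vfat /boot/efi, a comment naming that layout would justify the entry. Narrowing the earlier `/boot(/.*)?/` form is an improvement either way.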
@@ -11074,19 +11084,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons optional_policy(` unconfined_dbus_chat(consolekit_t) -@@ -64,6 +95,33 @@ + ') ') - optional_policy(` ++polkit_read_lib(consolekit_t) ++ ++optional_policy(` + polkit_domtrans_auth(consolekit_t) -+ polkit_read_lib(consolekit_t) +') + -+optional_policy(` + optional_policy(` xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) + xserver_ptrace_xdm(consolekit_t) - ') ++') + +optional_policy(` + #reading .Xauthity @@ -11101,7 +11112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_list_nfs(consolekit_t) + fs_dontaudit_rw_nfs_files(consolekit_t) -+') + ') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_list_cifs(consolekit_t) @@ -11928,7 +11939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-08 11:43:01.000000000 -0400 @@ -43,14 +43,13 @@ type cupsd_var_run_t; @@ -12073,7 +12084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +219,15 @@ +@@ -195,15 +219,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) 
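Review bot: Moving `polkit_read_lib(consolekit_t)` out of `optional_policy()` makes polkit a hard dependency of the consolekit module: in a modular build the interface expands to a require on polkit's types, so if polkit.pp is not installed consolekit will fail to link, which is what optional_policy exists to avoid; keep it inside the block that holds `polkit_domtrans_auth(consolekit_t)` unless polkit is now a required module. Separately, `xserver_ptrace_xdm(consolekit_t)` hands the daemon ptrace over the display manager, a far wider grant than the xauth and stream-connect rules around it; if the need is only to read xdm's /proc/<pid> entries (which the kernel gates on the ptrace permission), say so with a comment such as `# ptrace: needed to read xdm's /proc/<pid> state, not to attach`. The surrounding consolekit.te rules continue outside this hunk.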
@@ -12086,6 +12097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +selinux_validate_context(cupsd_t) init_exec_script_files(cupsd_t) ++init_read_utmp(cupsd_t) +auth_domtrans_chk_passwd(cupsd_t) +auth_dontaudit_read_pam_pid(cupsd_t) @@ -12093,7 +12105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +243,22 @@ +@@ -219,17 +244,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -12118,7 +12130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -242,12 +271,21 @@ +@@ -242,12 +272,21 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) @@ -12140,7 +12152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -263,6 +301,10 @@ +@@ -263,6 +302,10 @@ ') optional_policy(` @@ -12151,7 +12163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -326,6 +368,7 @@ +@@ -326,6 +369,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -12159,7 +12171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -353,6 +396,7 @@ +@@ -353,6 +397,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -12167,7 +12179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_dontaudit_search_config(cupsd_config_t) -@@ -372,6 +416,10 @@ +@@ -372,6 +417,10 @@ ') optional_policy(` 
@@ -12178,7 +12190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -387,6 +435,7 @@ +@@ -387,6 +436,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -12186,7 +12198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -499,15 +548,10 @@ +@@ -499,15 +549,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -12203,7 +12215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -537,14 +581,14 @@ +@@ -537,14 +582,14 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -12220,7 +12232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) -@@ -564,7 +608,8 @@ +@@ -564,7 +609,8 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -12230,7 +12242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) -@@ -645,3 +690,37 @@ +@@ -645,3 +691,39 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -12268,6 +12280,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +userdom_manage_generic_user_home_content_files(cups_pdf_t) + +lpd_manage_spool(cups_pdf_t) ++ ++rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if --- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-04-04 12:06:55.000000000 -0400 @@ -16394,7 +16408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-04-08 10:11:15.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -16463,15 +16477,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +95,7 @@ +@@ -73,7 +95,9 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) + cron_read_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) ++ cron_dontaudit_write_system_job_tmp_files(system_mail_t) ') -@@ -81,6 +104,11 @@ + optional_policy(` +@@ -81,6 +105,11 @@ ') optional_policy(` @@ -16483,7 +16499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +164,38 @@ +@@ -136,11 +165,38 @@ ') optional_policy(` 
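Review bot: `rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` gives the PDF backend read and in-place write access to the cupsd logs, while the same domain processes user-supplied print jobs and manages files in user home directories; a filter in that position should only ever append to a log, so prefer `append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` (or an append-only interface from cups.if if one is provided) so a compromised filter cannot rewrite earlier entries. Reading the log is also not obviously needed by a backend; if it is, a comment naming which log and why would justify the read side. The cups_pdf_t block starts outside this hunk.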
@@ -16523,7 +16539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +209,4 @@ +@@ -154,3 +210,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') @@ -17161,7 +17177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-07 14:54:21.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-08 14:34:18.000000000 -0400 @@ -13,6 +13,13 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -17223,7 +17239,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -129,21 +144,21 @@ +@@ -113,6 +128,7 @@ + userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) + # Read gnome-keyring + userdom_read_unpriv_users_home_content_files(NetworkManager_t) ++userdom_unpriv_users_stream_connect(NetworkManager_t) + + optional_policy(` + bind_domtrans(NetworkManager_t) +@@ -129,21 +145,21 @@ ') optional_policy(` @@ -17250,7 +17274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,19 +170,20 @@ +@@ -155,19 +171,20 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) 
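Review bot: `userdom_unpriv_users_stream_connect(NetworkManager_t)` lets the root NetworkManager daemon connect to any unix stream socket owned by any unprivileged user domain, not just gnome-keyring's, yet it sits under the existing `# Read gnome-keyring` comment which no longer describes what is granted. A user-owned socket is attacker-controlled from the daemon's point of view, so either scope this to the keyring socket type if one exists or extend the comment, e.g. `# Talk to the per-user gnome-keyring socket (grants connect to all unpriv user stream sockets)`, so the breadth of the rule is visible. The enclosing NetworkManager_t rules continue past the hunk.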
@@ -19532,7 +19556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-04-08 10:04:40.000000000 -0400 @@ -1,6 +1,10 @@ /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) @@ -28208,7 +28232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-08 14:25:58.000000000 -0400 @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # @@ -28269,7 +28293,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_sysadm_home_dirs(clvmd_t) -@@ -146,17 +159,19 @@ +@@ -136,6 +149,14 @@ + ') + + optional_policy(` ++ unconfined_domain(clvmd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(lvm_t) ++') ++ ++optional_policy(` + udev_read_db(clvmd_t) + ') + +@@ -146,17 +167,19 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid 
@@ -28292,7 +28331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) -@@ -188,6 +203,7 @@ +@@ -188,6 +211,7 @@ manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) files_etc_filetrans(lvm_t,lvm_metadata_t,file) @@ -28300,7 +28339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) -@@ -204,7 +220,6 @@ +@@ -204,7 +228,6 @@ selinux_compute_user_contexts(lvm_t) dev_create_generic_chr_files(lvm_t) @@ -28308,7 +28347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) -@@ -224,6 +239,8 @@ +@@ -224,6 +247,8 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -28317,7 +28356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -242,6 +259,7 @@ +@@ -242,6 +267,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -28325,7 +28364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te term_getattr_all_user_ttys(lvm_t) term_list_ptys(lvm_t) -@@ -250,6 +268,7 @@ +@@ -250,6 +276,7 @@ domain_use_interactive_fds(lvm_t) @@ -28333,7 +28372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: -@@ -271,6 +290,8 @@ +@@ -271,6 +298,8 @@ seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) 
@@ -28342,7 +28381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) -@@ -289,5 +310,18 @@ +@@ -289,5 +318,18 @@ ') optional_policy(` @@ -28474,7 +28513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-08 14:30:44.000000000 -0400 @@ -22,6 +22,8 @@ type insmod_exec_t; application_domain(insmod_t,insmod_exec_t) @@ -28600,12 +28639,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(depmod_t) -@@ -219,11 +243,12 @@ +@@ -219,11 +243,13 @@ optional_policy(` # Read System.map from home directories. - unconfined_read_home_content_files(depmod_t) + unconfined_dontaudit_use_terminals(depmod_t) ++ unconfined_domain(depmod_t) ') optional_policy(` @@ -30756,7 +30796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-07 22:54:48.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-08 14:33:30.000000000 -0400 @@ -29,9 +29,14 @@ ') 
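Review bot: `unconfined_domain(depmod_t)` is added under the comment `# Read System.map from home directories.`, but it does far more than that: depmod now runs unconfined whenever the unconfined module is loaded, for a tool whose input (System.map and module files, possibly from a user's home directory) is exactly the untrusted data confinement is meant to contain. The earlier form visible in this block, `unconfined_read_home_content_files(depmod_t)`, was the proportionate grant; if it did not cover the denial, add the missing specific rule rather than dropping confinement. Note the `ifdef(`distro_ubuntu', optional_policy(` unconfined_domain(depmod_t) '))` block just above in the hunk already exists, so this second, unconditional one also makes the Ubuntu-only guard meaningless.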
@@ -31589,7 +31629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,70 +921,68 @@ +@@ -923,70 +921,69 @@ allow $1_t self:context contains; @@ -31631,6 +31671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - application_exec_all($1_t) + auth_dontaudit_write_login_records($1_t) ++ auth_rw_cache($1_t) # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -31692,7 +31733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1020,9 +1016,6 @@ +@@ -1020,9 +1017,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -31702,7 +31743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1024,29 @@ +@@ -1031,16 +1025,29 @@ # # privileged home directory writers @@ -31738,7 +31779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1074,13 @@ +@@ -1068,6 +1075,13 @@ userdom_restricted_user_template($1) @@ -31752,7 +31793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1089,16 @@ +@@ -1076,14 +1090,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -31774,7 +31815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1106,29 @@ +@@ -1091,32 +1107,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` 
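Review bot: `auth_rw_cache($1_t)` grants every domain created by this user template read and write access to auth_cache_t; the other authlogin rule in the same block is a dontaudit (`auth_dontaudit_write_login_records($1_t)`), and write access to a shared authentication cache is a different class of permission, since one user's process can then tamper with cached data that other logins may trust. If a specific component (a smart-card or PAM caching helper) needs this, it belongs in that component's domain or behind a tunable, and at minimum the line needs a comment naming what writes there and why every user domain must. The template begins and ends outside this hunk.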
@@ -31818,7 +31859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1139,10 @@ +@@ -1127,10 +1140,10 @@ ## ## ##

@@ -31833,7 +31874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1176,6 @@ +@@ -1164,7 +1177,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -31841,7 +31882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1193,12 +1204,11 @@ +@@ -1193,12 +1205,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -31856,7 +31897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1217,27 @@ +@@ -1207,7 +1218,27 @@ ') optional_policy(` @@ -31885,7 +31926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1314,6 @@ +@@ -1284,8 +1315,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -31894,7 +31935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1335,6 @@ +@@ -1307,8 +1336,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -31903,7 +31944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1389,6 @@ +@@ -1363,13 +1390,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -31917,7 +31958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1441,7 @@ +@@ -1422,6 +1442,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31925,7 +31966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1807,14 @@ +@@ -1787,10 +1808,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -31941,7 +31982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1910,11 @@ +@@ -1886,11 +1911,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -31955,7 +31996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1944,11 @@ +@@ -1920,11 +1945,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -31969,7 +32010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1992,12 @@ +@@ -1968,12 +1993,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -31985,7 +32026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2027,11 @@ +@@ -2003,10 +2028,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -31999,7 +32040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2063,47 @@ +@@ -2038,11 +2064,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` 
@@ -32049,7 +32090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2135,10 @@ +@@ -2074,10 +2136,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -32062,7 +32103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2168,11 @@ +@@ -2107,11 +2169,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -32076,7 +32117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2202,11 @@ +@@ -2141,11 +2203,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32091,7 +32132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2236,14 @@ +@@ -2175,10 +2237,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -32108,7 +32149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2273,11 @@ +@@ -2208,11 +2274,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -32122,7 +32163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2307,11 @@ +@@ -2242,11 +2308,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -32136,7 +32177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2341,10 @@ +@@ -2276,10 +2342,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` 
@@ -32149,7 +32190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2376,12 @@ +@@ -2311,12 +2377,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -32165,7 +32206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2413,10 @@ +@@ -2348,10 +2414,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -32178,7 +32219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2448,12 @@ +@@ -2383,12 +2449,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -32194,7 +32235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2485,12 @@ +@@ -2420,12 +2486,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -32210,7 +32251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2522,12 @@ +@@ -2457,12 +2523,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -32226,7 +32267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2572,11 @@ +@@ -2507,11 +2573,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -32240,7 +32281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2621,11 @@ +@@ -2556,11 +2622,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` 
@@ -32254,7 +32295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2665,11 @@ +@@ -2600,11 +2666,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -32268,7 +32309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2699,11 @@ +@@ -2634,11 +2700,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -32282,7 +32323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2733,11 @@ +@@ -2668,11 +2734,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -32296,7 +32337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2769,10 @@ +@@ -2704,10 +2770,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -32309,7 +32350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2804,10 @@ +@@ -2739,10 +2805,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -32322,7 +32363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2837,12 @@ +@@ -2772,12 +2838,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -32338,7 +32379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2874,10 @@ +@@ -2809,10 +2875,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` 
@@ -32351,7 +32392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2909,48 @@ +@@ -2844,10 +2910,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -32402,7 +32443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2980,12 @@ +@@ -2877,12 +2981,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -32418,7 +32459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3017,10 @@ +@@ -2914,10 +3018,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -32431,7 +32472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3052,12 @@ +@@ -2949,12 +3053,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -32447,7 +32488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3089,11 @@ +@@ -2986,11 +3090,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -32461,7 +32502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3125,11 @@ +@@ -3022,11 +3126,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -32475,7 +32516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3161,11 @@ +@@ -3058,11 +3162,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` 
@@ -32489,7 +32530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3197,11 @@ +@@ -3094,11 +3198,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -32503,7 +32544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3233,11 @@ +@@ -3130,11 +3234,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -32517,7 +32558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3282,10 @@ +@@ -3179,10 +3283,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -32530,7 +32571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3326,10 @@ +@@ -3223,10 +3327,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -32543,7 +32584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3357,24 @@ +@@ -3254,24 +3358,24 @@ ## ## # @@ -32572,7 +32613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3290,23 +3393,24 @@ +@@ -3290,23 +3394,24 @@ ## ## # @@ -32604,7 +32645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3321,25 +3425,28 @@ +@@ -3321,25 +3426,28 @@ ## ## ##

@@ -32639,7 +32680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3358,18 +3465,86 @@ +@@ -3358,18 +3466,86 @@ ##

## # @@ -32729,7 +32770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ##

-@@ -4231,11 +4406,11 @@ +@@ -4231,11 +4407,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -32743,7 +32784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4426,10 @@ +@@ -4251,10 +4427,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -32756,7 +32797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4445,11 @@ +@@ -4270,11 +4446,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -32770,7 +32811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4464,16 @@ +@@ -4289,16 +4465,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -32790,7 +32831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4482,27 @@ +@@ -4307,12 +4483,27 @@ ## ## # @@ -32821,7 +32862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4517,13 @@ +@@ -4327,13 +4518,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -32839,7 +32880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4721,10 @@ +@@ -4531,10 +4722,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -32852,7 +32893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4741,10 @@ +@@ -4551,10 +4742,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` 
@@ -32865,7 +32906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4759,10 @@ +@@ -4569,10 +4760,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -32878,7 +32919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4778,10 @@ +@@ -4588,10 +4779,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -32891,7 +32932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4796,10 @@ +@@ -4606,10 +4797,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -32904,7 +32945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4815,10 @@ +@@ -4625,10 +4816,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -32917,7 +32958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4834,11 @@ +@@ -4644,12 +4835,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -32933,7 +32974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4865,10 @@ +@@ -4676,10 +4866,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -32946,7 +32987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4883,10 @@ +@@ -4694,10 +4884,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` 
@@ -32959,7 +33000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4901,13 @@ +@@ -4712,13 +4902,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -32977,7 +33018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4943,49 @@ +@@ -4754,11 +4944,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -33028,7 +33069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5005,14 @@ +@@ -4778,6 +5006,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -33043,7 +33084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5074,26 @@ +@@ -4839,6 +5075,26 @@ ######################################## ##

@@ -33070,7 +33111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5114,25 @@ +@@ -4859,6 +5115,25 @@ ######################################## ## @@ -33096,7 +33137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5153,26 @@ +@@ -4879,6 +5154,26 @@ ######################################## ## @@ -33123,7 +33164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5409,7 @@ +@@ -5115,7 +5410,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -33132,7 +33173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5598,50 @@ +@@ -5304,6 +5599,50 @@ ######################################## ## @@ -33183,7 +33224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5847,42 @@ +@@ -5509,6 +5848,42 @@ ######################################## ## @@ -33226,7 +33267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5559,7 +5933,7 @@ +@@ -5559,7 +5934,7 @@ attribute userdomain; ') @@ -33235,7 +33276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,7 +6048,7 @@ +@@ -5674,7 +6049,7 @@ ######################################## ## @@ -33244,7 +33285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5682,18 +6056,54 @@ +@@ -5682,18 +6057,54 @@ ## ## # 
@@ -33303,7 +33344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5704,3 +6114,370 @@ +@@ -5704,3 +6115,370 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2a80307..3480cff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 29%{?dist} +Release: 30%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Tue Apr 8 2008 Dan Walsh 3.3.1-30 +- Allow passwd to communicate with user sockets to change gnome-keyring + * Sat Apr 5 2008 Dan Walsh 3.3.1-29 - Fix initial install