diff --git a/modules-targeted.conf b/modules-targeted.conf index 6a4d3f4..cadf2fa 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1648,3 +1648,10 @@ kerneloops = module # openoffice = base +# Layer: services +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + diff --git a/policy-20071130.patch b/policy-20071130.patch index bca837b..7b320e4 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3117,7 +3117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolutio nscd_socket_use($1_evolution_webcal_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.3.1/policy/modules/apps/games.if --- nsaserefpolicy/policy/modules/apps/games.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/games.if 2008-04-21 11:02:48.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/games.if 2008-04-30 13:16:27.000000000 -0400 @@ -146,7 +146,7 @@ ') @@ -3127,6 +3127,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if xserver_create_xdm_tmp_sockets($1_games_t) xserver_read_xdm_lib_files($1_games_t) ') +@@ -165,3 +165,23 @@ + ') + ') + ') ++ ++######################################## ++## ++## Allow the specified domain to read/write ++## games data. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`games_rw_data',` ++ gen_require(` ++ type games_data_t; ++ ') ++ ++ rw_files_pattern($1,games_data_t, games_data_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.3.1/policy/modules/apps/gift.fc --- nsaserefpolicy/policy/modules/apps/gift.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/apps/gift.fc 2008-04-21 11:02:48.000000000 -0400 
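Review bot: The new `games_rw_data` interface hands `rw_files_pattern` on `games_data_t` to any caller without tying it to a games domain, so every invocation grants write access to shared games data; that is presumably intended for high-score files, but the summary should say so explicitly so callers do not mistake it for read-only access, e.g. `## Allow the specified domain to read/write shared games data (e.g. high-score files).` The argument spacing `rw_files_pattern($1,games_data_t, games_data_t)` is also inconsistent with the other interfaces in this patch (`domtrans_pattern($1, mono_exec_t, mono_t)` in mono.if uses a space after every comma); `rw_files_pattern($1, games_data_t, games_data_t)` matches that style. The `<summary>`/`<param>` XML tags of the doc block appear to have been stripped in this rendering, so confirm they survive in the actual file.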
@@ -3239,7 +3263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-29 09:37:23.004992000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-29 09:37:23.000000000 -0400 @@ -33,9 +33,60 @@ ## # @@ -4522,8 +4546,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +userdom_dontaudit_list_sysadm_home_dirs(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-04-29 11:57:14.653875000 -0400 -@@ -18,3 +18,102 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-05-06 11:03:56.500459000 -0400 +@@ -18,3 +18,122 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') 
@@ -4626,6 +4650,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) +') ++ ++######################################## ++## ++## Execute the mono program in the mono domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mono_exec',` ++ gen_require(` ++ type mono_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, mono_exec_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/apps/mono.te 2008-04-21 11:02:48.000000000 -0400 @@ -8881,7 +8925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-21 11:02:48.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-30 13:15:30.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` 
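Review bot: The summary of the new `mono_exec` interface says "Execute the mono program in the mono domain", but `can_exec($1, mono_exec_t)` runs mono in the caller's own domain with no transition — the transition variant is the existing interface at the top of the file that calls `domtrans_pattern($1, mono_exec_t, mono_t)`. Because no transition happens, the caller itself must carry whatever memory permissions the runtime needs, which is exactly why podsleuth_t below ends up with `execmem`; the doc should make that cost visible: `## Execute the mono program in the caller's domain (no domain transition). The caller must hold any execmem permissions the mono runtime requires.` A one-line pointer to the domtrans interface for callers that want confinement would also help.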
@@ -13212,7 +13256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-29 10:45:04.731105000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-29 10:45:04.000000000 -0400 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; 
@@ -18871,6 +18915,120 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega rpm_exec(pegasus_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.fc serefpolicy-3.3.1/policy/modules/services/podsleuth.fc +--- nsaserefpolicy/policy/modules/services/podsleuth.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.fc 2008-05-06 10:38:33.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.if serefpolicy-3.3.1/policy/modules/services/podsleuth.if +--- nsaserefpolicy/policy/modules/services/podsleuth.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.if 2008-05-06 10:38:33.000000000 -0400 +@@ -0,0 +1,54 @@ ++ ++## policy for podsleuth ++ ++######################################## ++## ++## Execute a domain transition to run podsleuth. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`podsleuth_domtrans',` ++ gen_require(` ++ type podsleuth_t; ++ type podsleuth_exec_t; ++ ') ++ ++ domtrans_pattern($1,podsleuth_exec_t,podsleuth_t) ++') ++ ++ ++######################################## ++## ++## Execute podsleuth in the podsleuth domain, and ++## allow the specified role the podsleuth domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the podsleuth domain. ++## ++## ++## ++## ++## The type of the role's terminal. 
++## ++## ++# ++interface(`podsleuth_run',` ++ gen_require(` ++ type podsleuth_t; ++ ') ++ ++ podsleuth_domtrans($1) ++ role $2 types podsleuth_t; ++ dontaudit podsleuth_t $3:chr_file rw_term_perms; ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.te serefpolicy-3.3.1/policy/modules/services/podsleuth.te +--- nsaserefpolicy/policy/modules/services/podsleuth.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.te 2008-05-06 10:48:34.000000000 -0400 +@@ -0,0 +1,46 @@ ++policy_module(podsleuth,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type podsleuth_t; ++type podsleuth_exec_t; ++application_domain(podsleuth_t, podsleuth_exec_t) ++role system_r types podsleuth_t; ++ ++######################################## ++# ++# podsleuth local policy ++# ++allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; ++ ++## internal communication is often done using fifo and unix sockets. ++allow podsleuth_t self:fifo_file rw_file_perms; ++allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; ++ ++dev_read_urand(podsleuth_t) ++ ++kernel_read_system_state(podsleuth_t) ++ ++files_read_etc_files(podsleuth_t) ++ ++libs_use_ld_so(podsleuth_t) ++libs_use_shared_libs(podsleuth_t) ++ ++miscfiles_read_localization(podsleuth_t) ++ ++mono_exec(podsleuth_t) ++hal_dbus_chat(podsleuth_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(podsleuth,podsleuth_t) ++') ++ ++gen_require(` ++ type hald_t; ++') ++ ++podsleuth_domtrans(hald_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.3.1/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/polkit.fc 2008-04-28 15:14:56.000000000 -0400 
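Review bot: The trailing `gen_require(` type hald_t; ')` followed by `podsleuth_domtrans(hald_t)` in podsleuth.te is unconditional, so the module will fail to link wherever the hal module is absent; in refpolicy this transition belongs in hal.te inside `optional_policy(` podsleuth_domtrans(hald_t) ')`, or at minimum should be wrapped in `optional_policy` here, and the same applies to `hal_dbus_chat(podsleuth_t)`, which is called unconditionally even though the dbus client template it relies on is already inside `optional_policy`. The self permissions `allow podsleuth_t self:process { ptrace signal getsched execheap execmem };` are wider than a device-metadata prober should need: `execmem` is plausible for a mono-hosted program run via `mono_exec`, but `execheap` and self-`ptrace` deserve either a comment explaining which denial they resolve or removal after a permissive-mode run. The `.if` also declares `type podsleuth_exec_t` on its own line in `podsleuth_domtrans` while `podsleuth_run` requires only `podsleuth_t`; harmless, but `type podsleuth_t, podsleuth_exec_t;` is the usual compact form.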
@@ -25256,7 +25414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-29 09:37:38.934561000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-29 09:37:38.000000000 -0400 @@ -12,9 +12,15 @@ ## ## @@ -26632,7 +26790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-29 11:09:45.700467000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-29 11:09:45.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -27516,7 +27674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-29 10:58:08.742336000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-29 10:58:08.000000000 -0400 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` 
@@ -27735,7 +27893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-04-21 11:02:50.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-05 13:39:12.000000000 -0400 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -27779,7 +27937,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(pam_t) -@@ -282,6 +295,11 @@ +@@ -155,6 +168,8 @@ + dev_read_sysfs(pam_console_t) + dev_getattr_apm_bios_dev(pam_console_t) + dev_setattr_apm_bios_dev(pam_console_t) ++dev_getattr_cpu_dev(pam_console_t) ++dev_setattr_cpu_dev(pam_console_t) + dev_getattr_dri_dev(pam_console_t) + dev_setattr_dri_dev(pam_console_t) + dev_getattr_input_dev(pam_console_t) +@@ -179,6 +194,10 @@ + dev_setattr_video_dev(pam_console_t) + dev_getattr_xserver_misc_dev(pam_console_t) + dev_setattr_xserver_misc_dev(pam_console_t) ++ ++dev_getattr_all_chr_files(pam_console_t) ++dev_setattr_all_chr_files(pam_console_t) ++ + dev_read_urand(pam_console_t) + + mls_file_read_all_levels(pam_console_t) +@@ -282,6 +301,11 @@ ') ') @@ -27791,7 +27969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # updpwd local policy -@@ -297,8 +315,10 @@ +@@ -297,8 +321,10 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) @@ -27803,7 +27981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) -@@ -359,11 +379,6 @@ +@@ -359,11 +385,6 @@ ') optional_policy(` 
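Review bot: `dev_getattr_all_chr_files(pam_console_t)` and `dev_setattr_all_chr_files(pam_console_t)` let pam_console change ownership and mode on every character device node, which makes the long per-device `dev_getattr_*`/`dev_setattr_*` list above it (including the `dev_getattr_cpu_dev`/`dev_setattr_cpu_dev` pair added in this same hunk) redundant and means newly appearing device types no longer surface as denials. Since pam_console's job is re-owning console devices to the logged-in user, the blanket grant also reaches nodes that should never be handed to a user (memory and raw-disk character devices, other users' ttys); if this is a stopgap, mark it `# TODO: replace with per-device grants once the missing device types are identified` and consider keeping only `dev_getattr_all_chr_files` unconditional. The enclosing pam_console block continues outside the hunk.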
@@ -28850,7 +29028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-29 08:53:40.798973000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-29 08:53:40.000000000 -0400 @@ -213,12 +213,7 @@ ## # @@ -29316,7 +29494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-29 08:38:10.482745000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-29 08:38:10.000000000 -0400 @@ -22,7 +22,7 @@ role system_r types lvm_t; @@ -29627,7 +29805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-29 08:36:55.595920000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-29 08:36:55.000000000 -0400 @@ -22,6 +22,8 @@ type insmod_exec_t; application_domain(insmod_t,insmod_exec_t) 
@@ -29951,8 +30129,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-04-21 11:02:50.000000000 -0400 -@@ -0,0 +1,303 @@ ++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-05-06 13:00:22.930868000 -0400 +@@ -0,0 +1,304 @@ + +## policy for qemu + @@ -30252,13 +30430,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + optional_policy(` + xserver_stream_connect_xdm_xserver($1_t) + xserver_read_xdm_tmp_files($1_t) ++ xserver_read_xdm_pid($1_t) + xserver_xdm_rw_shm($1_t) + ') +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-28 16:14:23.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-05-06 12:59:56.894791000 -0400 @@ -0,0 +1,49 @@ +policy_module(qemu,1.0.0) + @@ -30311,7 +30490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-29 08:35:21.523317000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-29 08:35:21.000000000 -0400 @@ -19,7 +19,7 @@ # Local policy # 
@@ -31177,7 +31356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet xen_append_log(ifconfig_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.3.1/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2007-01-02 12:57:49.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-29 08:34:43.098742000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-29 08:34:43.000000000 -0400 @@ -96,6 +96,24 @@ ######################################## @@ -31291,8 +31470,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-04-21 11:02:50.000000000 -0400 -@@ -2,15 +2,16 @@ ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-06 11:32:14.189425000 -0400 +@@ -2,15 +2,18 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t 
@@ -31313,6 +31492,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-25 13:52:57.000000000 -0400 @@ -31660,7 +31841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-29 12:04:03.912060000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-29 12:04:03.000000000 -0400 @@ -6,35 +6,74 @@ # Declarations # 
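Review bot: Labelling `beam.smp` as `unconfined_execmem_exec_t` means every Erlang node started from it runs fully unconfined with executable memory rather than in a confined service domain; this is presumably a workaround for an execmem denial, so a comment above the two lines, `# Erlang VM needs execmem; no confined policy yet`, would keep the label from being read as a deliberate design. Only the SMP binary is matched — if the distribution also ships a non-SMP `beam` in the same `bin/` directory it keeps the default label and behaves differently, which is worth checking. The two lines differ only in `lib` vs `lib64`; `/usr/lib(64)?/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)` is the single-pattern form used elsewhere in refpolicy.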
@@ -32003,7 +32184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-29 10:58:27.618425000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-30 13:19:45.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -33117,7 +33298,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1193,12 +1204,11 @@ +@@ -1182,23 +1193,16 @@ + ') + ') + +- tunable_policy(`user_dmesg',` +- kernel_read_ring_buffer($1_t) +- ',` +- kernel_dontaudit_read_ring_buffer($1_t) +- ') +- + # Allow users to run TCP servers (bind to ports and accept connection from + # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -33128,15 +33320,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ hal_dbus_chat($1_t) ++ hal_dbus_chat($1_usertype) ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1217,27 @@ +@@ -1207,7 +1211,31 @@ ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ games_rw_data($1_usertype) ++ ') ++ ++ optional_policy(` + mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') + 
@@ -33161,7 +33357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1314,6 @@ +@@ -1284,8 +1312,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -33170,7 +33366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1335,6 @@ +@@ -1307,8 +1333,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -33179,7 +33375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1389,6 @@ +@@ -1363,13 +1387,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -33193,7 +33389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1441,7 @@ +@@ -1422,6 +1439,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -33201,7 +33397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1807,14 @@ +@@ -1787,10 +1805,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -33217,7 +33413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1910,11 @@ +@@ -1886,11 +1908,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -33231,7 +33427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1944,11 @@ +@@ -1920,11 +1942,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` 
@@ -33245,7 +33441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1992,12 @@ +@@ -1968,12 +1990,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -33261,7 +33457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2027,11 @@ +@@ -2003,10 +2025,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -33275,7 +33471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2063,47 @@ +@@ -2038,11 +2061,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -33325,7 +33521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2135,10 @@ +@@ -2074,10 +2133,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -33338,7 +33534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2168,11 @@ +@@ -2107,11 +2166,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -33352,7 +33548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2202,11 @@ +@@ -2141,11 +2200,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -33367,7 +33563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2236,14 @@ +@@ -2175,10 +2234,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` 
@@ -33384,7 +33580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2273,11 @@ +@@ -2208,11 +2271,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -33398,7 +33594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2307,11 @@ +@@ -2242,11 +2305,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -33412,7 +33608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2341,10 @@ +@@ -2276,10 +2339,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -33425,7 +33621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2376,12 @@ +@@ -2311,12 +2374,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -33441,7 +33637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2413,10 @@ +@@ -2348,10 +2411,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -33454,7 +33650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2448,12 @@ +@@ -2383,12 +2446,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -33470,7 +33666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2485,12 @@ +@@ -2420,12 +2483,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` 
@@ -33486,7 +33682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2522,12 @@ +@@ -2457,12 +2520,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -33502,7 +33698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2572,11 @@ +@@ -2507,11 +2570,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -33516,7 +33712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2621,11 @@ +@@ -2556,11 +2619,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -33530,7 +33726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2665,11 @@ +@@ -2600,11 +2663,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -33544,7 +33740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2699,11 @@ +@@ -2634,11 +2697,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -33558,7 +33754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2733,11 @@ +@@ -2668,11 +2731,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -33572,7 +33768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2769,10 @@ +@@ -2704,10 +2767,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` 
@@ -33585,7 +33781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2804,10 @@ +@@ -2739,10 +2802,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -33598,7 +33794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2837,12 @@ +@@ -2772,12 +2835,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -33614,7 +33810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2874,10 @@ +@@ -2809,10 +2872,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -33627,7 +33823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2909,48 @@ +@@ -2844,10 +2907,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -33678,7 +33874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2980,12 @@ +@@ -2877,12 +2978,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -33694,7 +33890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3017,10 @@ +@@ -2914,10 +3015,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -33707,7 +33903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3052,12 @@ +@@ -2949,12 +3050,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` 
@@ -33723,7 +33919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3089,11 @@ +@@ -2986,11 +3087,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -33737,7 +33933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3125,11 @@ +@@ -3022,11 +3123,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -33751,7 +33947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3161,11 @@ +@@ -3058,11 +3159,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -33765,7 +33961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3197,11 @@ +@@ -3094,11 +3195,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -33779,7 +33975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3233,11 @@ +@@ -3130,11 +3231,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -33793,7 +33989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3282,10 @@ +@@ -3179,10 +3280,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -33806,7 +34002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3326,10 @@ +@@ -3223,10 +3324,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -33819,7 +34015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3357,24 @@ +@@ -3254,24 +3355,24 @@ ## ## # 
@@ -33848,7 +34044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3290,23 +3393,24 @@ +@@ -3290,23 +3391,24 @@ ## ## # @@ -33880,25 +34076,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3321,18 +3425,89 @@ +@@ -3321,7 +3423,78 @@ ## ## ##

-## Domain to not audit. +## Domain allowed access. - ## - ## - # --template(`userdom_dontaudit_list_user_untrusted_content',` ++## ++## ++# +template(`userdom_delete_user_tmpfs_files',` - gen_require(` -- type $1_untrusted_content_t; ++ gen_require(` + type $1_tmpfs_t; - ') - -- dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; --') -- ++ ') ++ + fs_search_tmpfs($2) + allow $2 $1_tmpfs_t:dir list_dir_perms; + delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) @@ -33962,21 +34153,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +## Domain to not audit. -+## -+## -+# -+template(`userdom_dontaudit_list_user_untrusted_content',` -+ gen_require(` -+ type $1_untrusted_content_t; -+ ') -+ -+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; -+') -+ - ######################################## - ## - ## Read user untrusted files. -@@ -4231,11 +4406,11 @@ + ## + ## + # +@@ -4231,11 +4404,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -33990,7 +34170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4426,10 @@ +@@ -4251,10 +4424,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -34003,7 +34183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4445,11 @@ +@@ -4270,11 +4443,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -34017,7 +34197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4464,16 @@ +@@ -4289,16 +4462,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -34037,7 +34217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4482,35 @@ +@@ -4307,12 +4480,35 @@ ## ## # 
@@ -34076,7 +34256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4525,13 @@ +@@ -4327,13 +4523,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -34094,7 +34274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4729,10 @@ +@@ -4531,10 +4727,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -34107,7 +34287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4749,10 @@ +@@ -4551,10 +4747,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -34120,7 +34300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4767,10 @@ +@@ -4569,10 +4765,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -34133,7 +34313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4786,10 @@ +@@ -4588,10 +4784,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -34146,7 +34326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4804,10 @@ +@@ -4606,10 +4802,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -34159,7 +34339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4823,10 @@ +@@ -4625,10 +4821,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` 
@@ -34172,7 +34352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4842,11 @@ +@@ -4644,12 +4840,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -34188,7 +34368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4873,10 @@ +@@ -4676,10 +4871,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -34201,7 +34381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4891,10 @@ +@@ -4694,10 +4889,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -34214,7 +34394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4909,13 @@ +@@ -4712,13 +4907,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -34232,7 +34412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4951,49 @@ +@@ -4754,11 +4949,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -34283,7 +34463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5013,14 @@ +@@ -4778,6 +5011,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -34298,7 +34478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5082,26 @@ +@@ -4839,6 +5080,26 @@ ######################################## ## 
@@ -34325,7 +34505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5122,25 @@ +@@ -4859,6 +5120,25 @@ ######################################## ## @@ -34351,7 +34531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5161,26 @@ +@@ -4879,6 +5159,26 @@ ######################################## ## @@ -34378,7 +34558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5417,7 @@ +@@ -5115,7 +5415,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -34387,7 +34567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5606,63 @@ +@@ -5304,6 +5604,63 @@ ######################################## ## @@ -34451,7 +34631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,7 +5868,7 @@ +@@ -5509,7 +5866,7 @@ ######################################## ## @@ -34460,7 +34640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5517,18 +5876,17 @@ +@@ -5517,18 +5874,17 @@ ## ## # @@ -34483,7 +34663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5536,17 +5894,17 @@ +@@ -5536,17 +5892,17 @@ ## ## # @@ -34505,7 +34685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5554,12 +5912,49 @@ +@@ -5554,19 +5910,56 @@ ## ## # 
@@ -34517,11 +34697,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') - read_files_pattern($1,userdomain,userdomain) +- kernel_search_proc($1) + allow $1 user_ttynode:chr_file rw_term_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of all user domains. +-## +## Do not audit attempts to use unprivileged +## user ttys. +## @@ -34555,10 +34738,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + ps_process_pattern($1,userdomain) - kernel_search_proc($1) - ') - -@@ -5674,6 +6069,42 @@ ++ kernel_search_proc($1) ++') ++ ++######################################## ++## ++## Get the attributes of all user domains. ++## + ## + ## + ## Domain allowed access. +@@ -5674,6 +6067,42 @@ ######################################## ## @@ -34601,7 +34791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6135,408 @@ +@@ -5704,3 +6133,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -35012,7 +35202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-21 11:02:50.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-30 13:23:52.000000000 -0400 @@ -2,12 +2,7 @@ policy_module(userdomain,2.5.0) @@ -35049,7 +35239,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Allow users to connect to PostgreSQL ##

## -@@ -74,6 +62,9 @@ +@@ -45,13 +33,6 @@ + + ## + ##

+-## Allow users to read system messages. +-##

+-##
+-gen_tunable(user_dmesg,false) +- +-## +-##

+ ## Allow user to r/w files on filesystems + ## that do not have extended attributes (FAT, CDROM, FLOPPY) + ##

+@@ -74,6 +55,9 @@ # users home directory contents attribute home_type; @@ -35059,7 +35263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) -@@ -97,44 +88,54 @@ +@@ -97,44 +81,54 @@ # unprivileged user domains attribute unpriv_userdomain; @@ -35076,11 +35280,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo -userdom_admin_user_template(sysadm) -userdom_unpriv_user_template(staff) -userdom_unpriv_user_template(user) -- --# user role change rules: --# sysadm_r can change to user roles --userdom_role_change_template(sysadm, user) --userdom_role_change_template(sysadm, staff) +type admin_home_t, home_type; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) @@ -35105,12 +35304,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +files_poly_member(user_home_dir_t) +files_poly_parent(user_home_dir_t) --# only staff_r can change to sysadm_r --userdom_role_change_template(staff, sysadm) --dontaudit staff_t admin_terminal:chr_file { read write }; +-# user role change rules: +-# sysadm_r can change to user roles +-userdom_role_change_template(sysadm, user) +-userdom_role_change_template(sysadm, staff) +type user_tmp_t, user_file_type, user_tmpfile; +files_tmp_file(user_tmp_t) +-# only staff_r can change to sysadm_r +-userdom_role_change_template(staff, sysadm) +-dontaudit staff_t admin_terminal:chr_file { read write }; +- -ifdef(`enable_mls',` - userdom_unpriv_user_template(secadm) - userdom_unpriv_user_template(auditadm) @@ -35142,7 +35346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## # -@@ -153,6 +154,12 @@ +@@ -153,6 +147,12 @@ mls_process_read_up(sysadm_t) init_exec(sysadm_t) 
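Review bot: The added `+@@ -45,13 +33,6 @@` lines drop `gen_tunable(user_dmesg,false)` from userdomain.te, but nothing in this chunk removes the `tunable_policy` blocks keyed on `user_dmesg` that the user templates presumably still contain; if any such reference survives elsewhere in the patch the module will no longer build, so please confirm the consumers are gone as well. The companion staff.te hunk (`@@ -36267,8 +36471,8 @@`) adds `++kernel_read_ring_buffer(staff_t)` unconditionally, turning what was a default-off boolean into a permanent grant, so staff users can always read the kernel log (hardware details, oops traces); if that is the intent, a comment such as `# user_dmesg boolean removed; staff_t always reads the kernel ring buffer` beside the new line would record the decision. The remaining user templates appear to lose ring-buffer access entirely with no tunable left to re-enable it, which the changelog line `- Remove dmesg boolean` does not make explicit.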
@@ -35155,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Following for sending reboot and wall messages userdom_use_unpriv_users_ptys(sysadm_t) -@@ -170,46 +177,7 @@ +@@ -170,46 +170,7 @@ ') ') @@ -35203,7 +35407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal) -@@ -224,6 +192,10 @@ +@@ -224,6 +185,10 @@ ') optional_policy(` @@ -35214,7 +35418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo apache_run_helper(sysadm_t, sysadm_r, admin_terminal) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) -@@ -279,14 +251,6 @@ +@@ -279,14 +244,6 @@ ') optional_policy(` @@ -35229,7 +35433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo cron_admin_template(sysadm, sysadm_t, sysadm_r) ') -@@ -302,12 +266,9 @@ +@@ -302,12 +259,9 @@ optional_policy(` dmesg_exec(sysadm_t) @@ -35243,7 +35447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` dmidecode_run(sysadm_t, sysadm_r, admin_terminal) ') -@@ -352,6 +313,10 @@ +@@ -352,6 +306,10 @@ ') optional_policy(` @@ -35254,7 +35458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo lvm_run(sysadm_t, sysadm_r, admin_terminal) ') -@@ -387,6 +352,10 @@ +@@ -387,6 +345,10 @@ ') optional_policy(` @@ -35265,7 +35469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run(sysadm_t, sysadm_r, admin_terminal) netutils_run_ping(sysadm_t, sysadm_r, admin_terminal) netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal) -@@ -436,15 +405,19 @@ +@@ -436,15 +398,19 @@ optional_policy(` samba_run_net(sysadm_t, sysadm_r, admin_terminal) 
@@ -35286,7 +35490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ', ` userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) ') -@@ -487,3 +460,31 @@ +@@ -487,3 +453,31 @@ optional_policy(` yam_run(sysadm_t, sysadm_r, admin_terminal) ') @@ -36267,8 +36471,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-24 15:09:37.000000000 -0400 -@@ -0,0 +1,23 @@ ++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-30 13:20:29.000000000 -0400 +@@ -0,0 +1,25 @@ +policy_module(staff,1.0.1) +userdom_admin_login_user_template(staff) + @@ -36276,6 +36480,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +userdom_role_change_template(staff, sysadm) +userdom_dontaudit_use_sysadm_terms(staff_t) + ++kernel_read_ring_buffer(staff_t) ++ +auth_domtrans_pam_console(staff_t) + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 5952351..a8fab7c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 44%{?dist} +Release: 45%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -385,6 +385,10 @@ exit 0 %endif %changelog +* Wed Apr 30 2008 Dan Walsh 3.3.1-45 +- Remove dmesg boolean +- Allow user domains to read/write game data + * Mon Apr 28 2008 Dan Walsh 3.3.1-44 - Change unconfined_t to transition to unconfined_mono_t when running mono - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work