diff --git a/policy-20081111.patch b/policy-20081111.patch index 2e2d770..da1cb9f 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -1457,8 +1457,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.1/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-03 16:50:28.000000000 -0500 -@@ -91,3 +91,131 @@ ++++ serefpolicy-3.6.1/policy/modules/apps/gnome.if 2008-12-04 13:27:45.000000000 -0500 +@@ -91,3 +91,150 @@ allow $1 gnome_home_t:file manage_file_perms; userdom_search_user_home_dirs($1) ') @@ -1502,7 +1502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type gnome_home_t; + ') + -+ read_files_pattern($2, gnome_home_t, gnome_home_t) ++ read_files_pattern($1, gnome_home_t, gnome_home_t) +') + +######################################## @@ -1569,6 +1569,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## manage gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ allow $1 gconf_home_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ ++######################################## ++## +## Connect to gnome over an unix stream socket. +## +## 
@@ -1979,8 +1998,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +seutil_domtrans_setfiles_mac(livecd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.1/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.1/policy/modules/apps/mono.if 2008-11-25 09:45:43.000000000 -0500 -@@ -21,6 +21,99 @@ ++++ serefpolicy-3.6.1/policy/modules/apps/mono.if 2008-12-04 13:26:14.000000000 -0500 +@@ -21,6 +21,103 @@ ######################################## ## @@ -2073,6 +2092,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) ++ ++ optional_policy(` ++ xserver_role($1_r, $1_mono_t) ++ ') +') + +######################################## @@ -2080,7 +2103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the mono program in the caller domain. ## ## -@@ -31,7 +124,7 @@ +@@ -31,7 +128,7 @@ # interface(`mono_exec',` gen_require(` 
@@ -10568,8 +10591,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-11-25 09:45:43.000000000 -0500 -@@ -185,10 +185,12 @@ ++++ serefpolicy-3.6.1/policy/modules/services/dbus.if 2008-12-04 13:28:31.000000000 -0500 +@@ -160,6 +160,10 @@ + ') + + optional_policy(` ++ gnome_read_gconf_home_files($1_dbusd_t) ++ ') ++ ++ optional_policy(` + hal_dbus_chat($1_dbusd_t) + ') + +@@ -185,10 +189,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -10583,7 +10617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -197,6 +199,10 @@ +@@ -197,6 +203,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) @@ -10594,7 +10628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -244,6 +250,35 @@ +@@ -244,6 +254,35 @@ ######################################## ## @@ -10630,7 +10664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read dbus configuration. ## ## -@@ -318,3 +353,77 @@ +@@ -318,3 +357,77 @@ allow $1 system_dbusd_t:dbus *; ') 
@@ -15596,8 +15630,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-11-25 09:45:43.000000000 -0500 -@@ -0,0 +1,218 @@ ++++ serefpolicy-3.6.1/policy/modules/services/polkit.te 2008-12-04 11:20:36.000000000 -0500 +@@ -0,0 +1,222 @@ +policy_module(polkit_auth, 1.0.0) + +######################################## @@ -15715,9 +15749,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ dbus_system_domain(polkit_auth_exec_t, polkit_auth_t) ++ + dbus_session_bus_client(polkit_auth_t) -+ consolekit_dbus_chat(polkit_auth_t) -+ dbus_system_domain(polkit_exec_t, polkit_t) ++ ++ optional_policy(` ++ consolekit_dbus_chat(polkit_t) ++ ') +') + +optional_policy(` @@ -20483,7 +20521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-03 16:42:08.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/xserver.if 2008-12-04 13:08:52.000000000 -0500 @@ -397,11 +397,12 @@ gen_require(` type xdm_t, xdm_tmp_t; 
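Review bot: The nested `consolekit_dbus_chat(polkit_t)` names `polkit_t` inside an optional block whose other two calls, `dbus_system_domain(polkit_auth_exec_t, polkit_auth_t)` and `dbus_session_bus_client(polkit_auth_t)`, are about `polkit_auth_t`, and the earlier `consolekit_dbus_chat(polkit_auth_t)` is dropped. If `polkit_auth_t` still has to talk to ConsoleKit, this silently removes that permission. If the move is intended, the rule would sit better beside the other `polkit_t` rules, or carry a comment such as `# polkit_t, not polkit_auth_t, is the ConsoleKit client`. The rest of polkit.te lies outside this hunk, so whether `polkit_t` has its own D-Bus block cannot be confirmed from here.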
@@ -20854,18 +20892,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1171,8 +1468,9 @@ - # - interface(`xserver_unconfined',` - gen_require(` -- attribute xserver_unconfined_type; -+ attribute xserver_unconfined_type, x_domain; - ') - -- typeattribute $1 xserver_unconfined_type; -+ typeattribute $1 xserver_unconfined_type, x_domain; - ') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-03 18:27:33.000000000 -0500 @@ -22550,7 +22576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t ipsec_conf_file_t:dir list_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.1/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/iptables.te 2008-11-27 06:12:53.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/iptables.te 2008-12-04 08:58:18.000000000 -0500 @@ -22,12 +22,12 @@ # Iptables local policy # 
@@ -22566,6 +22592,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(iptables_t,iptables_var_run_t,file) can_exec(iptables_t,iptables_exec_t) +@@ -53,6 +53,7 @@ + mls_file_read_all_levels(iptables_t) + + term_dontaudit_use_console(iptables_t) ++term_use_all_terms(iptables_t) + + domain_use_interactive_fds(iptables_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.1/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/iscsi.te 2008-11-25 09:45:43.000000000 -0500 @@ -22589,7 +22623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.6.1/policy/modules/system/libraries.fc 2008-12-01 08:43:02.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/libraries.fc 2008-12-04 08:08:10.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
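Review bot: `term_use_all_terms(iptables_t)` is added directly under `term_dontaudit_use_console(iptables_t)`, so a domain that was previously only silenced on console access now gets read/write on every tty and pty type. That is a wide grant for a tool that loads firewall rules, and the hunk gives no reason for it. If the need is only to write to the terminal it was started from, a grant scoped to that case would be easier to audit. At minimum add a comment such as `# iptables is run interactively by admins and writes errors to the calling terminal`. The now-contradictory dontaudit line should be reviewed at the same time.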
@@ -22676,16 +22710,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +283,8 @@ +@@ -267,6 +283,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +309,8 @@ +@@ -291,6 +310,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -22694,7 +22729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +330,20 @@ +@@ -310,3 +331,20 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
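Review bot: The added `/usr/lib(64)?/virtualbox/.*\.so` entry labels every shared object at any depth under the virtualbox directory as `textrel_shlib_t`, which is wider than the `(virtualbox(-ose)?/)?(components/)?VBox.*\.so` entry directly above it and overlaps most of it. `textrel_shlib_t` is the label for libraries that are allowed text relocations, so the wildcard extends that relaxation to libraries that may not need it. Consider restricting the new pattern to the libraries known to require it, and add a short comment naming them. If the broad pattern is kept, the narrower line above becomes partly redundant for the `virtualbox/` path and could say so.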
@@ -22891,7 +22926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.1/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/logging.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/logging.te 2008-12-04 08:25:26.000000000 -0500 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -22901,7 +22936,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -215,9 +215,9 @@ +@@ -179,6 +179,8 @@ + logging_domtrans_dispatcher(auditd_t) + logging_signal_dispatcher(auditd_t) + ++auth_use_nsswitch(auditd_t) ++ + miscfiles_read_localization(auditd_t) + + mls_file_read_all_levels(auditd_t) +@@ -215,9 +217,9 @@ # audit dispatcher local policy # @@ -22913,7 +22957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -@@ -231,9 +231,12 @@ +@@ -231,9 +233,12 @@ domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) 
@@ -22926,7 +22970,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(audisp_t) miscfiles_read_localization(audisp_t) -@@ -337,7 +340,7 @@ +@@ -253,11 +258,16 @@ + corenet_tcp_sendrecv_all_nodes(audisp_remote_t) + corenet_tcp_connect_audit_port(audisp_remote_t) + corenet_sendrecv_audit_client_packets(audisp_remote_t) ++corenet_tcp_bind_audit_port(audisp_remote_t) ++corenet_tcp_sendrecv_all_ports(audisp_remote_t) ++corenet_tcp_bind_all_nodes(audisp_remote_t) + + files_read_etc_files(audisp_remote_t) + + logging_send_syslog_msg(audisp_remote_t) + ++auth_use_nsswitch(audisp_remote_t) ++ + miscfiles_read_localization(audisp_remote_t) + + sysnet_dns_name_resolve(audisp_remote_t) +@@ -337,7 +347,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; 
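Review bot: `corenet_tcp_sendrecv_all_ports(audisp_remote_t)` is broader than its neighbours, which are all scoped to the audit port (`corenet_tcp_connect_audit_port`, `corenet_sendrecv_audit_client_packets`, and the new `corenet_tcp_bind_audit_port`). If the remote dispatcher only ever talks on that port, the port-scoped form `corenet_tcp_sendrecv_audit_port(audisp_remote_t)` would keep the grant consistent with them. The two new bind rules also let what looks like a client-side forwarder bind a listening-capable socket on any node. The reason is not visible in this hunk, so a one-line comment is warranted, for example `# audisp-remote may bind a fixed local source port` if that is the case.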
@@ -23524,7 +23585,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_list_tmpfs(mdadm_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.1/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.fc 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.fc 2008-12-04 09:30:48.000000000 -0500 +@@ -6,7 +6,7 @@ + /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) + /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) + /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) +-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) ++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) + /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) + /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) + /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) 
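Review bot: The new context for `/etc/selinux/([^/]*/)?policy(/.*)?` changes the level as well as the type, from `mls_systemhigh` to `s0`, so on an MLS build the compiled policy would no longer be labelled at system high. The `setrans\.conf` and `seusers` entries just below keep `mls_systemhigh`, while the `modules/(active|tmp|previous)` entry already uses `semanage_store_t,s0`. If only the type change is intended, the line could read `gen_context(system_u:object_r:semanage_store_t,mls_systemhigh)`. If lowering the level is deliberate, a comment above the entry should say why it is acceptable for the binary policy.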
@@ -23938,7 +24008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.1/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/selinuxutil.te 2008-12-04 11:48:11.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -23949,7 +24019,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -75,7 +78,6 @@ +@@ -58,8 +61,9 @@ + # policy_config_t is the type of /etc/security/selinux/* + # the security server policy configuration. + # +-type policy_config_t; +-files_type(policy_config_t) ++#type policy_config_t; ++#files_type(policy_config_t) ++typealias semanage_store_t alias policy_config_t; + + neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; + #neverallow ~can_write_binary_policy policy_config_t:file { write append }; +@@ -75,7 +79,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -23957,7 +24039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,6 +94,10 @@ +@@ -92,6 +95,10 @@ domain_interactive_fd(semanage_t) role system_r types semanage_t; 
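Review bot: With `typealias semanage_store_t alias policy_config_t;` in place, the `neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;` rule directly below now constrains every file of type `semanage_store_t`. Any domain that relabels the module store therefore needs the `can_relabelto_binary_policy` attribute, which should be confirmed against the semanage and setfiles rules outside this hunk. The header comment still describes `policy_config_t` as a type of its own, and the old declaration is left commented out. Replacing both with a single line such as `# policy_config_t is kept only as an alias of semanage_store_t` would be clearer. The alias also appears before the `type semanage_store_t;` declaration, which shows up as context in a later hunk of this file, so check that this ordering is accepted by the policy compiler.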
@@ -23968,7 +24050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type semanage_store_t; files_type(semanage_store_t) -@@ -109,6 +115,11 @@ +@@ -109,6 +116,11 @@ init_system_domain(setfiles_t,setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -23980,7 +24062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Checkpolicy local policy -@@ -166,6 +177,7 @@ +@@ -166,6 +178,7 @@ files_read_etc_runtime_files(load_policy_t) fs_getattr_xattr_fs(load_policy_t) @@ -23988,7 +24070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(load_policy_t) -@@ -191,15 +203,6 @@ +@@ -191,15 +204,6 @@ ') ') @@ -24004,7 +24086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Newrole local policy -@@ -217,7 +220,7 @@ +@@ -217,7 +221,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -24013,7 +24095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) -@@ -270,12 +273,14 @@ +@@ -270,12 +274,14 @@ init_rw_utmp(newrole_t) init_use_fds(newrole_t) @@ -24028,7 +24110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) -@@ -336,6 +341,8 @@ +@@ -336,6 +342,8 @@ seutil_libselinux_linked(restorecond_t) 
@@ -24037,7 +24119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -354,7 +361,7 @@ +@@ -354,7 +362,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -24046,7 +24128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -383,7 +390,6 @@ +@@ -383,7 +391,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -24054,7 +24136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -421,61 +427,22 @@ +@@ -421,61 +428,22 @@ # semodule local policy # @@ -24124,7 +24206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +451,23 @@ +@@ -484,12 +452,23 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -24148,7 +24230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,111 +477,36 @@ +@@ -499,111 +478,36 @@ userdom_read_user_tmp_files(semanage_t) ') 
@@ -24792,7 +24874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.1/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/unconfined.if 2008-12-01 16:30:53.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/unconfined.if 2008-12-04 11:28:02.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -24827,11 +24909,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_unconfined($1) corenet_unconfined($1) -@@ -44,6 +44,11 @@ +@@ -44,6 +44,14 @@ fs_unconfined($1) selinux_unconfined($1) + domain_mmap_low_type($1) ++ ++ ubac_process_exempt($1) ++ + tunable_policy(`allow_unconfined_mmap_low',` + domain_mmap_low($1) + ') @@ -24839,7 +24924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; -@@ -69,6 +74,7 @@ +@@ -69,6 +77,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -24847,7 +24932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -367,6 +373,24 @@ +@@ -367,6 +376,24 @@ ######################################## ## @@ -24872,7 +24957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send generic signals to the unconfined domain. ## ## -@@ -581,3 +605,150 @@ +@@ -581,3 +608,150 @@ allow $1 unconfined_t:dbus acquire_svc; ') 
@@ -25369,7 +25454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 14:58:08.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 13:27:59.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -25621,12 +25706,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_require(` - type $1_t; - ') -+interface(`userdom_basic_networking',` - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; ++interface(`userdom_basic_networking',` - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -25638,7 +25721,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -- ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; + - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) 
@@ -25737,7 +25822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,111 +524,115 @@ +@@ -512,189 +524,192 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -25755,26 +25840,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_all_nodes($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_all_nodes($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_all_nodes($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) 
@@ -25882,46 +25967,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` - dbus_system_bus_client($1_t) +- dbus_system_bus_client($1_t) ++ dbus_system_bus_client($1_usertype) optional_policy(` -+ avahi_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` - bluetooth_dbus_chat($1_t) +- bluetooth_dbus_chat($1_t) ++ avahi_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ consolekit_dbus_chat($1_t) -+ consolekit_read_log($1_t) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ evolution_dbus_chat($1_t) -+ evolution_alarm_dbus_chat($1_t) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` -@@ -626,75 +642,75 @@ - optional_policy(` - networkmanager_dbus_chat($1_t) +- hal_dbus_chat($1_t) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') -- ') + + optional_policy(` +- networkmanager_dbus_chat($1_t) +- ') ++ hal_dbus_chat($1_usertype) + ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ vpnc_dbus_chat($1_t) ++ networkmanager_dbus_chat($1_usertype) ') -- optional_policy(` + optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) ++ vpnc_dbus_chat($1_usertype) ++ ') ') optional_policy(` 
@@ -25969,64 +26058,64 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + postgresql_stream_connect($1_usertype) ++ ') ') - ') - - optional_policy(` -- resmgr_stream_connect($1_t) ++ ++ optional_policy(` + # to allow monitoring of pcmcia status + pcmcia_read_pid($1_usertype) ') optional_policy(` -- rpc_dontaudit_getattr_exports($1_t) -- rpc_manage_nfs_rw_content($1_t) +- resmgr_stream_connect($1_t) + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') optional_policy(` -- samba_stream_connect_winbind($1_t) +- rpc_dontaudit_getattr_exports($1_t) +- rpc_manage_nfs_rw_content($1_t) + resmgr_stream_connect($1_usertype) ') optional_policy(` -- slrnpull_search_spool($1_t) +- samba_stream_connect_winbind($1_t) + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` -- usernetctl_run($1_t,$1_r) +- slrnpull_search_spool($1_t) + samba_stream_connect_winbind($1_usertype) ') -+ -+ optional_policy(` + + optional_policy(` +- usernetctl_run($1_t,$1_r) + slrnpull_search_spool($1_usertype) -+ ') + ') + ') ####################################### -@@ -722,15 +738,27 @@ +@@ -722,15 +737,27 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_change_password_template($1) ++ ++ userdom_manage_home_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_home_role($1_r, $1_usertype) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ gen_tunable(allow_$1_exec_content, true) - userdom_change_password_template($1) -+ gen_tunable(allow_$1_exec_content, true) -+ + tunable_policy(`allow_$1_exec_content',` + 
userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -26042,7 +26131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -746,70 +774,72 @@ +@@ -746,70 +773,72 @@ allow $1_t self:context contains; @@ -26148,7 +26237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +876,26 @@ +@@ -846,6 +875,27 @@ # Local policy # @@ -26164,11 +26253,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client($1_t) + + optional_policy(` -+ consolekit_dbus_chat($1_t) ++ consolekit_dbus_chat($1_usertype) + ') ++ + optional_policy(` -+ cups_dbus_chat($1_t) -+ cups_dbus_chat_config($1_t) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) + ') + ') + @@ -26184,12 +26274,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +934,16 @@ +@@ -884,14 +934,18 @@ # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) ++ ++ xserver_role($1_r, $1_t) - dev_read_sound($1_t) - dev_write_sound($1_t) @@ -26206,7 +26298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +951,19 @@ +@@ -899,28 +953,24 @@ selinux_get_enforce_mode($1_t) optional_policy(` 
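Review bot: In the hunk that switches `consolekit_dbus_chat` and `cups_dbus_chat`/`cups_dbus_chat_config` to `$1_usertype`, the enclosing `dbus_system_bus_client($1_t)` is left on `$1_t`. The parallel block earlier in this userdomain.if patch was changed to `dbus_system_bus_client($1_usertype)`. As written, the other domains carrying the `$1_usertype` attribute get the chat permissions without the bus-client rule that normally accompanies them. Either change the outer call to `dbus_system_bus_client($1_usertype)` or add a comment explaining why only `$1_t` connects to the system bus here. The template this block belongs to starts outside the hunk.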
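Review bot: `xserver_role($1_r, $1_t)` is added after `auth_search_pam_console_data($1_usertype)` as a bare call, whereas the same patch wraps `xserver_role($1_r, $1_mono_t)` in `optional_policy` in mono.if. If the xserver module can be built separately or left out, the bare call makes this template depend on it unconditionally. Wrapping the call in an `optional_policy` block, as in mono.if, would keep the two call sites consistent. The template's opening lines are outside this hunk, so this assumes the call is not already inside an optional block.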
@@ -26226,20 +26318,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - cups_dbus_chat($1_t) - ') -+ openoffice_role_template($1, $1_r, $1_usertype) ++ gnome_manage_config($1_usertype) ++ gnome_manage_gconf_home_files($1_usertype) ') optional_policy(` - java_role($1_r, $1_t) -- ') -- -- optional_policy(` ++ openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) + polkit_role($1_r, $1_usertype) ') ') -@@ -931,8 +974,7 @@ +@@ -931,8 +981,7 @@ ## ## ##

@@ -26249,7 +26343,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +996,8 @@ +@@ -954,8 +1003,8 @@ # Declarations # @@ -26259,7 +26353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1006,10 @@ +@@ -964,11 +1013,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -26272,7 +26366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,36 +1027,37 @@ +@@ -986,36 +1034,37 @@ ') ') @@ -26323,7 +26417,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1050,7 +1092,7 @@ +@@ -1050,7 +1099,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -26332,7 +26426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1101,7 @@ +@@ -1059,8 +1108,7 @@ # # Inherit rules for ordinary users. @@ -26342,7 +26436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1124,8 @@ +@@ -1083,7 +1131,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -26352,7 +26446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1106,8 +1148,6 @@ +@@ -1106,8 +1155,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -26361,7 +26455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1202,6 @@ +@@ -1162,20 +1209,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -26382,7 +26476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1247,7 @@ +@@ -1221,6 +1254,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -26390,7 +26484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1291,6 +1318,8 @@ +@@ -1291,6 +1325,8 @@ allow $1 user_home_t:filesystem associate; files_type($1) ubac_constrained($1) @@ -26399,7 +26493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1416,7 @@ +@@ -1387,7 +1423,7 @@ ######################################## ##

@@ -26408,7 +26502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1449,14 @@ +@@ -1420,6 +1456,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -26423,7 +26517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1472,11 @@ +@@ -1435,9 +1479,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -26435,7 +26529,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1533,25 @@ +@@ -1494,6 +1540,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -26461,7 +26555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1605,9 @@ +@@ -1547,9 +1612,9 @@ type user_home_dir_t, user_home_t; ') @@ -26473,7 +26567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1626,8 @@ +@@ -1568,6 +1633,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -26482,7 +26576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,6 +1801,62 @@ +@@ -1741,6 +1808,62 @@ ######################################## ## @@ -26545,7 +26639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1873,6 @@ +@@ -1757,14 +1880,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) 
@@ -26560,7 +26654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1895,46 @@ +@@ -1787,6 +1902,46 @@ ######################################## ## @@ -26607,7 +26701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -2819,6 +2967,24 @@ +@@ -2819,6 +2974,24 @@ ######################################## ## @@ -26632,7 +26726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2965,6 +3131,24 @@ +@@ -2965,6 +3138,24 @@ ######################################## ## @@ -26657,7 +26751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3165,245 @@ +@@ -2981,3 +3172,245 @@ allow $1 userdomain:dbus send_msg; ') @@ -26766,7 +26860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` -+ rpm_dbus_chat($1_t) ++ rpm_dbus_chat($1_usertype) + ') + + optional_policy(`
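Review bot: The new argument in `rpm_dbus_chat($1_usertype)` (last hunk, inside the `optional_policy` block) carries no comment saying why the wider set of domains needs to exchange D-Bus messages with rpm, where `$1_t` alone had it before. If `$1_usertype` is an attribute, as its name suggests, every type that is later given that attribute inherits the grant silently, which is easy to miss in a least-privilege audit of the policy. I would put a why-comment directly above the call, for example `# rpm dbus chat is granted to all $1_usertype domains because <reason, to be supplied by the author>`. After the policy is built, it is also worth listing the resulting dbus allow rules (for instance with `sesearch -A -c dbus`) to confirm that only the intended source types gained access. The enclosing template begins outside this hunk, so the declaration of `$1_usertype` cannot be checked from here.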