diff --git a/booleans-targeted.conf b/booleans-targeted.conf index d122def..e423c2a 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -258,3 +258,7 @@ browser_confine_xguest=true # Allow postfix locat to write to mail spool # allow_postfix_local_write_mail_spool=true + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile=true diff --git a/policy-20071130.patch b/policy-20071130.patch index 2dfff05..b60cd16 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1347,7 +1347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-28 11:21:49.000000000 -0500 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; @@ -1373,7 +1373,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s logging_send_syslog_msg($1_su_t) miscfiles_read_localization($1_su_t) -@@ -119,11 +118,6 @@ +@@ -112,6 +111,10 @@ + userdom_spec_domtrans_unpriv_users($1_su_t) + ') + ++ # Deal with unconfined_terminals. ++ term_use_all_user_ttys($1_su_t) ++ term_use_all_user_ptys($1_su_t) ++ + optional_policy(` + cron_read_pipes($1_su_t) + ') +@@ -119,11 +122,6 @@ optional_policy(` kerberos_use($1_su_t) ') @@ -1385,7 +1396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### -@@ -172,13 +166,12 @@ +@@ -172,13 +170,12 @@ domain_interactive_fd($1_su_t) role $3 types $1_su_t; @@ -1402,7 +1413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s allow $1_su_t self:key { search write }; # Transition from the user domain to this domain. -@@ -188,7 +181,7 @@ +@@ -188,7 +185,7 @@ corecmd_shell_domtrans($1_su_t,$2) allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; @@ -1411,7 +1422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) -@@ -203,15 +196,15 @@ +@@ -203,15 +200,15 @@ # needed for pam_rootok selinux_compute_access_vector($1_su_t) @@ -1430,7 +1441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) -@@ -226,12 +219,14 @@ +@@ -226,12 +223,14 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) @@ -1446,7 +1457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) -@@ -295,13 +290,7 @@ +@@ -295,13 +294,7 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') @@ -2730,7 +2741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/java.if 2008-01-22 12:52:42.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/java.if 2008-01-28 11:17:25.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -3167,7 +3178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-21 18:10:10.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-25 16:49:06.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -3563,7 +3574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -464,11 +385,11 @@ +@@ -464,11 +385,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -3573,12 +3584,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - allow $2 $1_mozilla_home_t:dir list_dir_perms; - allow $2 $1_mozilla_home_t:file write; -+ allow $2 user_mozilla_home_t:dir list_dir_perms; -+ allow $2 user_mozilla_home_t:file write; ++ write_files_pattern($2, user_mozilla_home_t, user_mozilla_home_t) ') ######################################## -@@ -573,3 +494,27 @@ +@@ -573,3 +493,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -3745,8 +3755,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-24 13:03:01.000000000 -0500 -@@ -0,0 +1,336 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-25 12:10:23.000000000 -0500 +@@ -0,0 +1,337 @@ + +## policy for nsplugin + @@ -3916,6 +3926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; + userdom_use_user_terminals($1, nsplugin_t) ++ userdom_use_user_terminals($1, nsplugin_config_t) +') + +####################################### @@ -4085,8 +4096,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-24 13:03:48.000000000 -0500 -@@ -0,0 +1,129 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-25 16:48:50.000000000 -0500 +@@ -0,0 +1,135 @@ +policy_module(nsplugin,1.0.0) + +######################################## @@ -4107,6 +4118,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +type nsplugin_rw_t; +files_type(nsplugin_rw_t) + ++type nsplugin_tmp_t; ++files_tmp_file(nsplugin_tmp_t) ++ +type user_nsplugin_home_t; +files_poly_member(user_nsplugin_home_t) +userdom_user_home_content(user,user_nsplugin_home_t) @@ -4184,6 +4198,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + ++manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t) ++manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t) ++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir }) ++ +can_exec(nsplugin_config_t, nsplugin_rw_t) +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) @@ -4214,7 +4232,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +nsplugin_domtrans(nsplugin_config_t) + -+dev_read_sound(nsplugin_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 @@ -5066,22 +5083,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2008-01-18 12:40:46.000000000 -0500 -@@ -22,6 +22,7 @@ ++++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2008-01-24 14:06:12.000000000 -0500 +@@ -1,7 +1,7 @@ + + /dev -d gen_context(system_u:object_r:device_t,s0) + /dev/.* gen_context(system_u:object_r:device_t,s0) +- ++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -16,28 +16,40 @@ + /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) ++/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) +/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) -@@ -29,10 +30,13 @@ + /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) +/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) +/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) ++/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -5089,6 +5128,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) + /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -48,6 +60,7 @@ + /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) + /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) +@@ -69,9 +82,8 @@ + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) +-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) +-/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) +-/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) + ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) +@@ -98,13 +110,23 @@ + + /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) + ++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) + /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) + /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) + + /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) ++/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + + /dev/pts(/.*)? <> + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.5/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/kernel/devices.if 2008-01-18 12:40:46.000000000 -0500 @@ -5327,7 +5416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-21 17:43:20.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-28 10:12:03.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -5430,8 +5519,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.5/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if 2008-01-24 12:36:13.000000000 -0500 -@@ -1171,6 +1171,25 @@ ++++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if 2008-01-24 15:48:29.000000000 -0500 +@@ -310,6 +310,25 @@ + + ######################################## + ## ++## Read and write files on hugetlbfs files ++## file systems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ++ ') ++ ++ rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t) ++') ++######################################## ++## + ## Mount an automount pseudo filesystem. + ## + ## +@@ -1171,6 +1190,25 @@ ######################################## ## @@ -5459,7 +5574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.5/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.te 2008-01-24 15:45:23.000000000 -0500 @@ -25,6 +25,8 @@ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -6825,7 +6940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.5/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/apcupsd.te 2008-01-18 14:00:42.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/apcupsd.te 2008-01-25 14:08:48.000000000 -0500 @@ -22,6 +22,9 @@ type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) @@ -7950,10 +8065,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.5/policy/modules/services/consolekit.fc +--- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/consolekit.fc 2008-01-28 11:43:14.000000000 -0500 +@@ -1,3 +1,5 @@ + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) + + /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++ ++/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2008-01-18 12:56:56.000000000 -0500 -@@ -36,6 +36,7 @@ ++++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2008-01-28 11:46:35.000000000 -0500 +@@ -13,6 +13,9 @@ + type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) + ++type consolekit_log_t; ++files_pid_file(consolekit_log_t) ++ + ######################################## + # + # consolekit local policy +@@ -24,6 +27,9 @@ + allow consolekit_t self:unix_stream_socket create_stream_socket_perms; + allow consolekit_t self:unix_dgram_socket create_socket_perms; + ++manage_files_pattern(consolekit_t,consolekit_log_t,consolekit_log_t) ++logging_log_filetrans(consolekit_t,consolekit_log_t, file) ++ + manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) + files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) + +@@ -36,6 +42,7 @@ domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) @@ -7961,7 +8105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons files_read_etc_files(consolekit_t) # needs to read /var/lib/dbus/machine-id -@@ -50,8 +51,16 @@ +@@ -50,12 +57,24 @@ libs_use_ld_so(consolekit_t) libs_use_shared_libs(consolekit_t) @@ -7975,10 +8119,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +hal_ptrace(consolekit_t) +mcs_ptrace_all(consolekit_t) + ++optional_policy(` ++ cron_read_system_job_lib_files(consolekit_t) ++') ++ optional_policy(` dbus_system_bus_client_template(consolekit, consolekit_t) dbus_connect_system_bus(consolekit_t) -@@ -67,3 +76,13 @@ +- ++ dbus_system_domain(consolekit_t, consolekit_exec_t) + hal_dbus_chat(consolekit_t) + + optional_policy(` +@@ -67,3 +86,14 @@ xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) ') @@ -7992,6 +8145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +optional_policy(` + userdom_read_user_tmp_files(user, consolekit_t) +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.5/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/cron.fc 2008-01-18 12:40:46.000000000 -0500 @@ -8011,7 +8165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/cron.if 2008-01-28 11:45:43.000000000 -0500 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -9289,7 +9443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-22 12:53:47.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-25 14:07:09.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -9298,7 +9452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ############################## -@@ -84,6 +85,9 @@ +@@ -84,14 +85,20 @@ allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; @@ -9306,9 +9460,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + allow $1_dbusd_t dbusd_unconfined:dbus send_msg; + # For connecting to the bus - allow $2 $1_dbusd_t:unix_stream_socket connectto; +- allow $2 $1_dbusd_t:unix_stream_socket connectto; ++ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto }; ++ allow $2 $1_dbusd_t:unix_dgram_socket getattr; type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t; -@@ -91,7 +95,9 @@ + # SE-DBus specific permissions allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; allow $2 $1_dbusd_t:dbus { send_msg acquire_svc }; @@ -9319,7 +9475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t) -@@ -102,10 +108,9 @@ +@@ -102,10 +109,9 @@ files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir }) domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t) @@ -9332,7 +9488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t $2:process sigkill; allow $2 $1_dbusd_t:fd use; allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -139,6 +144,7 @@ +@@ -139,6 +145,7 @@ fs_getattr_romfs($1_dbusd_t) fs_getattr_xattr_fs($1_dbusd_t) @@ -9340,7 +9496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus selinux_get_fs_mount($1_dbusd_t) selinux_validate_context($1_dbusd_t) -@@ -161,7 +167,9 @@ +@@ -161,7 +168,9 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) @@ -9351,7 +9507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; -@@ -182,6 +190,7 @@ +@@ -182,6 +191,7 @@ optional_policy(` xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) @@ -9359,7 +9515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ') -@@ -214,7 +223,7 @@ +@@ -214,7 +224,7 @@ # SE-DBus specific permissions # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; @@ -9368,7 +9524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -223,6 +232,10 @@ +@@ -223,6 +233,10 @@ files_search_pids($2) stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) dbus_read_config($2) @@ -9379,7 +9535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -251,6 +264,7 @@ +@@ -251,6 +265,7 @@ template(`dbus_user_bus_client_template',` gen_require(` type $1_dbusd_t; @@ -9387,7 +9543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus class dbus send_msg; ') -@@ -263,6 +277,7 @@ +@@ -263,6 +278,7 @@ # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; @@ -9395,7 +9551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ######################################## -@@ -292,6 +307,59 @@ +@@ -292,6 +308,59 @@ ######################################## ## @@ -9455,7 +9611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +434,52 @@ +@@ -366,3 +435,52 @@ allow $1 system_dbusd_t:dbus *; ') @@ -11935,7 +12091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-24 14:27:32.000000000 -0500 @@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') @@ -12537,7 +12693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2008-01-24 15:46:30.000000000 -0500 @@ -1,4 +1,3 @@ - policy_module(mysql,1.6.0) @@ -12563,6 +12719,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:udp_socket create_socket_perms; +@@ -79,6 +82,7 @@ + + fs_getattr_all_fs(mysqld_t) + fs_search_auto_mountpoints(mysqld_t) ++fs_rw_hugetlbfs_files(mysqld_t) + + domain_use_interactive_fds(mysqld_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2008-01-18 12:40:46.000000000 -0500 @@ -12847,7 +13011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2008-01-22 09:23:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2008-01-24 13:26:30.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -12923,7 +13087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,6 +168,7 @@ +@@ -155,19 +168,20 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) @@ -12931,18 +13095,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -166,11 +180,6 @@ +- seutil_sigchld_newrole(NetworkManager_t) ++ # Dispatcher starting and stoping ntp ++ ntp_script_domtrans(NetworkManager_t) + ') + + optional_policy(` +- udev_read_db(NetworkManager_t) ++ seutil_sigchld_newrole(NetworkManager_t) ') optional_policy(` - # Read gnome-keyring - unconfined_read_home_content_files(NetworkManager_t) --') -- --optional_policy(` - vpn_domtrans(NetworkManager_t) - vpn_signal(NetworkManager_t) ++ udev_read_db(NetworkManager_t) ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nis.fc 2008-01-18 12:40:46.000000000 -0500 @@ -13344,7 +13513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2008-01-24 13:25:46.000000000 -0500 @@ -53,3 +53,76 @@ corecmd_search_bin($1) domtrans_pattern($1,ntpdate_exec_t,ntpd_t) @@ -13770,10 +13939,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2008-01-18 12:40:46.000000000 -0500 -@@ -0,0 +1,6 @@ ++++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2008-01-28 10:53:34.000000000 -0500 +@@ -0,0 +1,7 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) ++/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) + +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) @@ -13843,8 +14013,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2008-01-18 12:40:46.000000000 -0500 -@@ -0,0 +1,63 @@ ++++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2008-01-28 11:29:32.000000000 -0500 +@@ -0,0 +1,110 @@ +policy_module(polkit_auth,1.0.0) + +######################################## @@ -13852,6 +14022,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +# Declarations +# + ++type polkit_t; ++type polkit_exec_t; ++domain_type(polkit_t) ++init_daemon_domain(polkit_t, polkit_exec_t) ++ +type polkit_auth_t; +type polkit_auth_exec_t; +domain_type(polkit_auth_t) @@ -13865,6 +14040,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + +######################################## +# ++# polkit local policy ++# ++ ++allow polkit_t self:process getattr; ++ ++allow polkit_t self:unix_dgram_socket create_socket_perms; ++allow polkit_t self:fifo_file rw_file_perms; ++allow polkit_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_t, polkit_exec_t) ++corecmd_search_bin(polkit_t) ++ ++domain_use_interactive_fds(polkit_t) ++ ++files_read_etc_files(polkit_t) ++files_read_usr_files(polkit_t) ++ ++auth_use_nsswitch(polkit_t) ++ ++libs_use_ld_so(polkit_t) ++libs_use_shared_libs(polkit_t) ++ ++miscfiles_read_localization(polkit_t) ++ ++logging_send_syslog_msg(polkit_t) ++ ++manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++# pid file ++manage_dirs_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) ++manage_files_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) ++files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir }) ++ ++optional_policy(` ++ dbus_system_bus_client_template(polkit, polkit_t) ++ consolekit_dbus_chat(polkit_t) ++ dbus_system_domain(polkit_t, polkit_exec_t) ++') ++ ++######################################## ++# +# polkit_auth local policy +# + @@ -13901,6 +14117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +optional_policy(` + dbus_system_bus_client_template(polkit_auth, polkit_auth_t) + consolekit_dbus_chat(polkit_auth_t) ++ dbus_system_domain(polkit_exec_t, polkit_t) +') + +optional_policy(` @@ -13926,8 +14143,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-21 09:39:32.000000000 -0500 -@@ -416,7 +416,7 @@ ++++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-24 13:33:34.000000000 -0500 +@@ -206,9 +206,8 @@ + type postfix_etc_t; + ') + +- allow $1 postfix_etc_t:dir { getattr read search }; +- allow $1 postfix_etc_t:file { read getattr }; +- allow $1 postfix_etc_t:lnk_file { getattr read }; ++ read_files_pattern($1, postfix_etc_t, postfix_etc_t) ++ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) + files_search_etc($1) + ') + +@@ -416,7 +415,7 @@ ## ## # @@ -13936,7 +14165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post gen_require(` type postfix_private_t; ') -@@ -427,6 +427,26 @@ +@@ -427,6 +426,26 @@ ######################################## ## @@ -13963,7 +14192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -503,6 +523,25 @@ +@@ -503,6 +522,25 @@ ######################################## ## @@ -14331,7 +14560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2008-01-24 15:46:50.000000000 -0500 @@ -27,6 +27,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) @@ -14342,6 +14571,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # postgresql Local policy +@@ -100,6 +103,7 @@ + + fs_getattr_all_fs(postgresql_t) + fs_search_auto_mountpoints(postgresql_t) ++fs_rw_hugetlbfs_files(postgresql_t) + + term_use_controlling_term(postgresql_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.2.5/policy/modules/services/postgrey.fc --- nsaserefpolicy/policy/modules/services/postgrey.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/postgrey.fc 2008-01-18 12:40:46.000000000 -0500 @@ -18382,7 +18619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.5/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/squid.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/squid.te 2008-01-25 09:45:17.000000000 -0500 @@ -31,12 +31,15 @@ type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -18400,7 +18637,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow squid_t self:fifo_file rw_fifo_file_perms; -@@ -92,6 +95,7 @@ +@@ -85,6 +88,7 @@ + corenet_udp_sendrecv_all_ports(squid_t) + corenet_tcp_bind_all_nodes(squid_t) + corenet_udp_bind_all_nodes(squid_t) ++corenet_tcp_bind_http_port(squid_t) + corenet_tcp_bind_http_cache_port(squid_t) + corenet_udp_bind_http_cache_port(squid_t) + corenet_tcp_bind_ftp_port(squid_t) +@@ -92,6 +96,7 @@ corenet_udp_bind_gopher_port(squid_t) corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) @@ -18408,7 +18653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi corenet_tcp_connect_ftp_port(squid_t) corenet_tcp_connect_gopher_port(squid_t) corenet_tcp_connect_http_port(squid_t) -@@ -109,6 +113,8 @@ +@@ -109,6 +114,8 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) @@ -18417,7 +18662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi selinux_dontaudit_getattr_dir(squid_t) -@@ -148,11 +154,7 @@ +@@ -148,11 +155,7 @@ ') optional_policy(` @@ -18430,7 +18675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi ') optional_policy(` -@@ -167,7 +169,12 @@ +@@ -167,7 +170,12 @@ udev_read_db(squid_t) ') @@ -19099,7 +19344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-25 16:50:51.000000000 -0500 @@ -15,6 +15,7 @@ template(`xserver_common_domain_template',` gen_require(` @@ -19803,7 +20048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.5/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-24 13:41:40.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -19878,11 +20123,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_common_domain_template(xdm) init_system_domain(xdm_xserver_t,xserver_exec_t) -@@ -96,7 +135,7 @@ +@@ -95,8 +134,8 @@ + # XDM Local policy # - allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; ++allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; @@ -21249,10 +21496,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.2.5/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/ipsec.te 2008-01-18 12:40:46.000000000 -0500 -@@ -302,6 +302,7 @@ ++++ serefpolicy-3.2.5/policy/modules/system/ipsec.te 2008-01-25 11:41:57.000000000 -0500 +@@ -297,11 +297,14 @@ + read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) + read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) + ++kernel_read_system_state(racoon_t) + kernel_read_network_state(racoon_t) + corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) ++corenet_udp_bind_all_nodes(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) +corenet_udp_bind_ipsecnat_port(racoon_t) @@ -23147,7 +23401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-23 13:13:29.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-28 10:11:41.000000000 -0500 @@ -6,35 +6,59 @@ # Declarations # @@ -23440,7 +23694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-24 13:04:29.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-25 11:51:09.000000000 -0500 @@ -29,9 +29,14 @@ ') @@ -23450,7 +23704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - type $1_t, userdomain; + type $1_t, userdomain, $1_usertype; domain_type($1_t) -+ ifdef(`targeted_policy',` ++ ifndef(`enable_mls',` + # ignore user componant labeling on homedir entry + domain_obj_id_change_exemption($1_t) + ') @@ -23557,6 +23811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - libs_exec_ld_so($1_t) +- +- miscfiles_read_localization($1_t) +- miscfiles_read_certs($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_non_security_files($1_usertype) @@ -23573,9 +23830,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + libs_use_shared_libs($1_usertype) + libs_exec_ld_so($1_usertype) -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) -- - sysnet_read_config($1_t) + miscfiles_read_localization($1_usertype) + miscfiles_read_certs($1_usertype) @@ -23928,71 +24182,218 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -717,6 +695,12 @@ +@@ -686,183 +664,192 @@ + dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + +- allow $1_t unpriv_userdomain:fd use; ++ allow $1_usertype unpriv_userdomain:fd use; + +- kernel_read_system_state($1_t) +- kernel_read_network_state($1_t) +- kernel_read_net_sysctls($1_t) ++ kernel_read_system_state($1_usertype) ++ kernel_read_network_state($1_usertype) ++ kernel_read_net_sysctls($1_usertype) + # Very permissive allowing every domain to see every type: +- kernel_get_sysvipc_info($1_t) ++ kernel_get_sysvipc_info($1_usertype) + # Find CDROM devices: +- kernel_read_device_sysctls($1_t) ++ kernel_read_device_sysctls($1_usertype) + +- corenet_udp_bind_all_nodes($1_t) +- corenet_udp_bind_generic_port($1_t) ++ corenet_udp_bind_all_nodes($1_usertype) ++ corenet_udp_bind_generic_port($1_usertype) + +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) ++ dev_read_rand($1_usertype) ++ dev_write_sound($1_usertype) ++ dev_read_sound($1_usertype) ++ dev_read_sound_mixer($1_usertype) ++ dev_write_sound_mixer($1_usertype) + +- files_exec_etc_files($1_t) +- files_search_locks($1_t) ++ files_exec_etc_files($1_usertype) ++ files_search_locks($1_usertype) + # Check to see if cdrom is mounted +- files_search_mnt($1_t) ++ files_search_mnt($1_usertype) + # cjp: perhaps should cut back on file reads: +- files_read_var_files($1_t) +- files_read_var_symlinks($1_t) +- files_read_generic_spool($1_t) +- files_read_var_lib_files($1_t) ++ files_read_var_files($1_usertype) ++ files_read_var_symlinks($1_usertype) ++ files_read_generic_spool($1_usertype) ++ files_read_var_lib_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) - +- files_getattr_lost_found_dirs($1_t) ++ files_getattr_lost_found_dirs($1_usertype) ++ ++ tunable_policy(`user_rw_noexattrfile',` ++ fs_manage_noxattr_fs_files($1_usertype) ++ fs_manage_noxattr_fs_dirs($1_usertype) ++ ',` ++ fs_read_noxattr_fs_files($1_usertype) ++ ') ++ + logging_send_syslog_msg($1_usertype) -+ logging_dontaudit_send_audit_msgs($1_t) ++ logging_dontaudit_send_audit_msgs($1_usertype) + # Need to to this just so screensaver will work. Should be moved to screensaver domain -+ logging_send_audit_msgs($1_t) -+ selinux_get_enforce_mode($1_t) -+ ++ logging_send_audit_msgs($1_usertype) ++ selinux_get_enforce_mode($1_usertype) + # cjp: some of this probably can be removed - selinux_get_fs_mount($1_t) - selinux_validate_context($1_t) -@@ -728,11 +712,11 @@ +- selinux_get_fs_mount($1_t) +- selinux_validate_context($1_t) +- selinux_compute_access_vector($1_t) +- selinux_compute_create_context($1_t) +- selinux_compute_relabel_context($1_t) +- selinux_compute_user_contexts($1_t) ++ selinux_get_fs_mount($1_usertype) ++ selinux_validate_context($1_usertype) ++ selinux_compute_access_vector($1_usertype) ++ selinux_compute_create_context($1_usertype) ++ selinux_compute_relabel_context($1_usertype) ++ selinux_compute_user_contexts($1_usertype) + # for eject - storage_getattr_fixed_disk_dev($1_t) +- storage_getattr_fixed_disk_dev($1_t) ++ storage_getattr_fixed_disk_dev($1_usertype) - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) +- auth_read_login_records($1_t) +- auth_search_pam_console_data($1_t) ++ auth_read_login_records($1_usertype) ++ auth_search_pam_console_data($1_usertype) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + authlogin_per_role_template($1, $1_t, $1_r) - init_read_utmp($1_t) - -@@ -758,10 +742,6 @@ - dev_read_mouse($1_t) +- init_read_utmp($1_t) ++ init_read_utmp($1_usertype) + +- seutil_read_file_contexts($1_t) +- seutil_read_default_contexts($1_t) ++ seutil_read_file_contexts($1_usertype) ++ seutil_read_default_contexts($1_usertype) + seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + seutil_exec_checkpolicy($1_t) +- seutil_exec_setfiles($1_t) ++ seutil_exec_setfiles($1_usertype) + # for when the network connection is killed + # this is needed when a login role can change + # to this one. + seutil_dontaudit_signal_newrole($1_t) + + tunable_policy(`read_default_t',` +- files_list_default($1_t) +- files_read_default_files($1_t) +- files_read_default_symlinks($1_t) +- files_read_default_sockets($1_t) +- files_read_default_pipes($1_t) ++ files_list_default($1_usertype) ++ files_read_default_files($1_usertype) ++ files_read_default_symlinks($1_usertype) ++ files_read_default_sockets($1_usertype) ++ files_read_default_pipes($1_usertype) ') -- tunable_policy(`user_ttyfile_stat',` -- term_getattr_all_user_ttys($1_t) + tunable_policy(`user_direct_mouse',` +- dev_read_mouse($1_t) - ') - +- tunable_policy(`user_ttyfile_stat',` +- term_getattr_all_user_ttys($1_t) ++ dev_read_mouse($1_usertype) + ') + + optional_policy(` +- alsa_read_rw_config($1_t) ++ alsa_read_rw_config($1_usertype) + ') + optional_policy(` - alsa_read_rw_config($1_t) + # Allow graphical boot to check battery lifespan +- apm_stream_connect($1_t) ++ apm_stream_connect($1_usertype) ') -@@ -783,20 +763,20 @@ + + optional_policy(` +- canna_stream_connect($1_t) ++ canna_stream_connect($1_usertype) + ') + + optional_policy(` +- dbus_system_bus_client_template($1,$1_t) ++ dbus_system_bus_client_template($1,$1_usertype) + + optional_policy(` +- bluetooth_dbus_chat($1_t) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) -+ consolekit_dbus_chat($1_t) ++ consolekit_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ evolution_dbus_chat($1,$1_t) -+ evolution_alarm_dbus_chat($1,$1_t) ++ evolution_dbus_chat($1,$1_usertype) ++ evolution_alarm_dbus_chat($1,$1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_t) ++ networkmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpnc_dbus_chat($1_t) ++ vpnc_dbus_chat($1_usertype) ') ') -@@ -824,11 +804,18 @@ - mta_rw_spool($1_t) + optional_policy(` +- inetd_use_fds($1_t) +- inetd_rw_tcp_sockets($1_t) ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) + ') + + optional_policy(` +- inn_read_config($1_t) +- inn_read_news_lib($1_t) +- inn_read_news_spool($1_t) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) + ') + + optional_policy(` +- locate_read_lib_files($1_t) ++ locate_read_lib_files($1_usertype) + ') + + # for running depmod as part of the kernel packaging process + optional_policy(` +- modutils_read_module_config($1_t) ++ modutils_read_module_config($1_usertype) + ') + + optional_policy(` +- mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ') - @@ -24000,21 +24401,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) - ') -+ alsa_read_rw_config($1_t) -+ ') -+ ++ alsa_read_rw_config($1_usertype) + ') + +- optional_policy(` +- # to allow monitoring of pcmcia status +- pcmcia_read_pid($1_t) + optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` -+ postgresql_stream_connect($1_t) ++ postgresql_stream_connect($1_usertype) + ') + ') + + tunable_policy(`user_ttyfile_stat',` -+ term_getattr_all_user_ttys($1_t) ++ term_getattr_all_user_ttys($1_usertype) ') optional_policy(` -@@ -842,13 +829,6 @@ +- pcscd_read_pub_files($1_t) +- pcscd_stream_connect($1_t) ++ # to allow monitoring of pcmcia status ++ pcmcia_read_pid($1_usertype) ') optional_policy(` @@ -24022,13 +24429,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) - ') -- ') -- -- optional_policy(` - resmgr_stream_connect($1_t) ++ pcscd_read_pub_files($1_usertype) ++ pcscd_stream_connect($1_usertype) + ') + + optional_policy(` +- resmgr_stream_connect($1_t) ++ resmgr_stream_connect($1_usertype) + ') + + optional_policy(` +- rpc_dontaudit_getattr_exports($1_t) +- rpc_manage_nfs_rw_content($1_t) ++ rpc_dontaudit_getattr_exports($1_usertype) ++ rpc_manage_nfs_rw_content($1_usertype) + ') + + optional_policy(` +- samba_stream_connect_winbind($1_t) ++ samba_stream_connect_winbind($1_usertype) + ') + + optional_policy(` +- slrnpull_search_spool($1_t) ++ slrnpull_search_spool($1_usertype) ') -@@ -889,6 +869,8 @@ + optional_policy(` +@@ -889,6 +876,8 @@ ## # template(`userdom_login_user_template', ` @@ -24037,7 +24465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -917,26 +899,26 @@ +@@ -917,26 +906,26 @@ allow $1_t self:context contains; @@ -24078,7 +24506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_dontaudit_write_login_records($1_t) -@@ -944,43 +926,43 @@ +@@ -944,43 +933,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -24140,7 +24568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1014,9 +996,6 @@ +@@ -1014,9 +1003,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -24150,7 +24578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1025,16 +1004,29 @@ +@@ -1025,16 +1011,29 @@ # # privileged home directory writers @@ -24186,7 +24614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1062,6 +1054,13 @@ +@@ -1062,6 +1061,13 @@ userdom_restricted_user_template($1) @@ -24200,7 +24628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1070,14 +1069,14 @@ +@@ -1070,14 +1076,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -24220,7 +24648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,32 +1084,17 @@ +@@ -1085,32 +1091,17 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -24260,7 +24688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1121,10 +1105,10 @@ +@@ -1121,10 +1112,10 @@ ## ## ##

@@ -24275,7 +24703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,12 +1171,11 @@ +@@ -1187,12 +1178,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -24290,7 +24718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1201,7 +1184,7 @@ +@@ -1201,7 +1191,7 @@ ') optional_policy(` @@ -24299,7 +24727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1278,8 +1261,6 @@ +@@ -1278,8 +1268,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -24308,6 +24736,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) +@@ -1357,13 +1345,6 @@ + # But presently necessary for installing the file_contexts file. + seutil_manage_bin_policy($1_t) + +- tunable_policy(`user_rw_noexattrfile',` +- fs_manage_noxattr_fs_files($1_t) +- fs_manage_noxattr_fs_dirs($1_t) +- ',` +- fs_read_noxattr_fs_files($1_t) +- ') +- + optional_policy(` + userhelper_exec($1_t) + ') @@ -1416,6 +1397,7 @@ dev_relabel_all_dev_nodes($1) @@ -25033,7 +25475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4301,17 +4397,32 @@ +@@ -4301,12 +4397,27 @@ ## ## # @@ -25046,11 +25488,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dontaudit $1 staff_home_t:file append; + dontaudit $1 user_home_t:file append_file_perms; - ') - - ######################################## - ##

--## Read files in the staff users home directory. ++') ++ ++######################################## ++## +## Do not audit attempts to append to the staff +## users home directory. +## @@ -25062,14 +25503,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +# +interface(`userdom_dontaudit_append_staff_home_content_files',` + userdom_dontaudit_append_unpriv_home_content_files($1) -+') -+ -+######################################## -+## -+## Read files in the staff users home directory. - ## - ## - ## + ') + + ######################################## @@ -4321,13 +4432,13 @@ # interface(`userdom_read_staff_home_content_files',` @@ -26472,8 +26908,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-18 14:02:43.000000000 -0500 -@@ -0,0 +1,42 @@ ++++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-24 16:05:12.000000000 -0500 +@@ -0,0 +1,47 @@ +policy_module(staff,1.0.1) +userdom_unpriv_user_template(staff) + @@ -26484,9 +26920,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) + -+optional_policy(` -+ xserver_per_role_template(staff, staff_t, staff_r) -+') ++files_read_kernel_modules(staff_t) ++ ++modutils_read_module_config(staff_t) ++modutils_read_module_deps(staff_t) + +sudo_per_role_template(staff, staff_t, staff_r) +seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t }) @@ -26516,6 +26953,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t + netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) +') + ++optional_policy(` ++ xserver_per_role_template(staff, staff_t, staff_r) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.5/policy/modules/users/user.fc --- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/users/user.fc 2008-01-18 12:40:46.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 525cec3..d8525d1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Fri Jan 25 2008 Dan Walsh 3.2.5-20 +- Allow usertypes to read/write noxattr file systems + * Thu Jan 24 2008 Dan Walsh 3.2.5-19 - Fix nsplugin to allow flashplugin to work in enforcing mode