diff --git a/policy-20090105.patch b/policy-20090105.patch index e98e388..652e55c 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -4253,7 +4253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.4/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/kernel/corecommands.fc 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/kernel/corecommands.fc 2009-02-04 08:37:02.000000000 -0500 @@ -58,6 +58,8 @@ /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -4308,7 +4308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) + -+/usr/lib(64)?/pm-utils/sleep.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.4/policy/modules/kernel/corecommands.if @@ -5191,7 +5191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type power_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.4/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/kernel/domain.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/kernel/domain.if 2009-02-04 10:42:48.000000000 -0500 @@ -1247,18 +1247,34 @@ ## ## 
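Review bot: The widened file-context entry in the corecommands.fc hunk (outer hunk -4308) now labels everything under `/usr/lib(64)?/pm-utils` as bin_t, where the previous pattern covered only the `sleep.d` hook directory. Any data or configuration file shipped in that tree therefore becomes executable-labelled for every domain allowed to run bin_t. If only further hook directories are meant (inferred from the old entry), list them explicitly, e.g. `/usr/lib(64)?/pm-utils/<hook-dir>(/.*)?`, and add a comment naming the scripts that prompted the change.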
@@ -5230,9 +5230,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) +@@ -1279,6 +1295,24 @@ + + ######################################## + ## ++## Polyinstatiated access to domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`domain_poly',` ++ gen_require(` ++ attribute polydomain; ++ ') ++ ++ typeattribute $1 polydomain; ++') ++ ++######################################## ++## + ## Unconfined access to domains. + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.4/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/kernel/domain.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/kernel/domain.te 2009-02-04 10:30:24.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -5247,7 +5272,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Mark process types as domains attribute domain; -@@ -80,6 +87,8 @@ +@@ -15,6 +22,8 @@ + # Domains that are unconfined + attribute unconfined_domain_type; + ++attribute polydomain; ++ + # Domains that can mmap low memory. + attribute mmap_low_domain_type; + neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; +@@ -80,6 +89,8 @@ allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -5256,7 +5290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring -@@ -106,6 +115,10 @@ +@@ -106,6 +117,10 @@ ') optional_policy(` 
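Review bot: The doc block for the new domain_poly interface (inner hunk -1279) is misspelled ("Polyinstatiated") and does not tell a caller what it is opting into. The interface body only adds `typeattribute $1 polydomain;`, but the domain.te hunk later in this commit (outer hunk -5329) attaches files_polyinstantiate_all plus manage and relabelto rights on user home content to that attribute under the allow_polyinstantiation tunable. Suggest the summary `Mark a domain as one that polyinstantiates directories.` followed by a description listing those grants, so that tagging a domain with polydomain reads as the privilege decision it is.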
@@ -5267,7 +5301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(domain) libs_use_shared_libs(domain) ') -@@ -118,6 +131,7 @@ +@@ -118,6 +133,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -5275,7 +5309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -136,6 +150,9 @@ +@@ -136,6 +152,9 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -5285,7 +5319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -145,7 +162,7 @@ +@@ -145,7 +164,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -5294,7 +5328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -153,3 +170,34 @@ +@@ -153,3 +172,42 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) 
@@ -5329,6 +5363,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; ++ ++tunable_policy(`allow_polyinstantiation',` ++ files_polyinstantiate_all(polydomain) ++ userdom_manage_user_home_content_dirs(polydomain) ++ userdom_manage_user_home_content_files(polydomain) ++ userdom_relabelto_user_home_dirs(polydomain) ++ userdom_relabelto_user_home_files(polydomain) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.4/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/kernel/files.fc 2009-02-03 22:57:29.000000000 -0500 @@ -5360,7 +5402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.4/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-04 10:53:13.000000000 -0500 @@ -110,6 +110,11 @@ ## # 
@@ -5554,7 +5596,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4895,12 +5008,14 @@ +@@ -4873,7 +4986,7 @@ + selinux_compute_member($1) + + # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin }; ++ allow $1 self:capability { chown fsetid sys_admin fowner }; + + # Need to give access to the directories to be polyinstantiated + allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +@@ -4895,12 +5008,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -5563,6 +5614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ifdef(`distro_redhat',` # namespace.init ++ files_search_tmp($1) files_search_home($1) corecmd_exec_bin($1) seutil_domtrans_setfiles($1) @@ -5570,7 +5622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5036,95 @@ +@@ -4921,3 +5037,95 @@ typeattribute $1 files_unconfined_type; ') @@ -9495,7 +9547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.4/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/apm.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/apm.te 2009-02-04 08:40:10.000000000 -0500 @@ -181,7 +181,7 @@ ') 
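Review bot: Adding `fowner` to the capability set inside files_polyinstantiate_all (inner hunk -4873) gives CAP_FOWNER to every domain that calls the interface, and through the new tunable block to every polydomain member. The cron.te hunk in this same commit (outer hunk -10897) shows it was previously granted to crond_t alone. The comment above the rule still reads "Need sys_admin capability for mounting" and says nothing about why owner-check bypass is needed; either keep the grant in the callers that hit the denial or document it in place, e.g. `# fowner: <operation on the instance directory that requires it>`. The same applies to `files_search_tmp($1)`, which moves from crond_t into the distro_redhat block for all callers. The interface body starts and ends outside the visible hunks.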
@@ -10772,7 +10824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.4/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/cron.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/cron.te 2009-02-04 10:53:15.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10897,13 +10949,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` # pam_limits is used -@@ -227,21 +251,45 @@ +@@ -227,21 +251,43 @@ ') ') +tunable_policy(`allow_polyinstantiation',` -+ allow crond_t self:capability fowner; -+ files_search_tmp(crond_t) + files_polyinstantiate_all(crond_t) +') + @@ -10944,7 +10994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -283,7 +331,14 @@ +@@ -283,7 +329,14 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -10959,7 +11009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -314,9 +369,13 @@ +@@ -314,9 +367,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) 
@@ -10974,7 +11024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -370,7 +429,8 @@ +@@ -370,7 +427,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -10984,7 +11034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +438,7 @@ +@@ -378,6 +436,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) @@ -10992,7 +11042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -418,6 +479,10 @@ +@@ -418,6 +477,10 @@ ') optional_policy(` @@ -11003,7 +11053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ftp_read_log(system_cronjob_t) ') -@@ -428,11 +493,20 @@ +@@ -428,11 +491,20 @@ ') optional_policy(` @@ -11024,7 +11074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -447,6 +521,7 @@ +@@ -447,6 +519,7 @@ prelink_read_cache(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_delete_cache(system_cronjob_t) @@ -11032,7 +11082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +535,7 @@ +@@ -460,8 +533,7 @@ ') optional_policy(` @@ -11042,7 +11092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,24 +543,17 @@ +@@ -469,24 +541,17 @@ ') optional_policy(` 
@@ -11070,7 +11120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +637,9 @@ +@@ -570,6 +635,9 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) @@ -12232,8 +12282,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.4/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te 2009-02-03 22:57:29.000000000 -0500 -@@ -0,0 +1,114 @@ ++++ serefpolicy-3.6.4/policy/modules/services/devicekit.te 2009-02-04 08:40:38.000000000 -0500 +@@ -0,0 +1,125 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -12290,15 +12340,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +consoletype_exec(devicekit_power_t) + ++domain_read_all_domains_state(devicekit_power_t) ++ ++kernel_read_system_state(devicekit_power_t) ++kernel_rw_hotplug_sysctls(devicekit_power_t) ++ +dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) +dev_rw_sysfs(devicekit_power_t) + +files_read_etc_files(devicekit_power_t) -+files_read_usr_files(devicekit_t) ++files_read_usr_files(devicekit_power_t) + +fs_list_inotifyfs(devicekit_power_t) + ++term_use_all_terms(devicekit_power_t) ++ +auth_use_nsswitch(devicekit_power_t) + +miscfiles_read_localization(devicekit_power_t) 
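Review bot: The three grants added to devicekit_power_t in the devicekit.te hunk (outer hunk -12290) — `domain_read_all_domains_state`, `kernel_rw_hotplug_sysctls` and `term_use_all_terms` — are broad and arrive without any comment naming the helper or denial that requires them. term_use_all_terms allows read and write on every tty and pty on the system, and domain_read_all_domains_state exposes the /proc state of every process, which is a lot for a power-management daemon that already transitions to other helpers. If these were added to quiet denials from inherited descriptors in the pm-utils scripts (an inference, not visible here), a narrower or dontaudit interface would be the safer choice. Otherwise add a why-comment above each, such as `# pm-utils hooks: <reason all terminals are needed>`.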
@@ -12346,6 +12403,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ fstools_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` + vbetool_domtrans(devicekit_power_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.4/policy/modules/services/dhcp.if @@ -17371,7 +17432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.4/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/polkit.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/polkit.te 2009-02-04 09:00:48.000000000 -0500 @@ -0,0 +1,237 @@ +policy_module(polkit_auth, 1.0.0) + @@ -17513,7 +17574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ xserver_dontaudit_write_log(polkit_auth_t) ++ xserver_xdm_append_log(polkit_auth_t) +') + +######################################## @@ -18801,7 +18862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.4/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-04 08:49:43.000000000 -0500 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) 
@@ -18871,7 +18932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin(prelude_t) corenet_all_recvfrom_unlabeled(prelude_t) -@@ -56,15 +91,23 @@ +@@ -56,15 +91,24 @@ corenet_tcp_sendrecv_generic_if(prelude_t) corenet_tcp_sendrecv_generic_node(prelude_t) corenet_tcp_bind_generic_node(prelude_t) @@ -18888,6 +18949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(prelude_t) files_read_etc_files(prelude_t) ++files_read_etc_runtime_files(prelude_t) files_read_usr_files(prelude_t) +files_search_tmp(prelude_t) + @@ -18895,7 +18957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(prelude_t) -@@ -86,7 +129,7 @@ +@@ -86,7 +130,7 @@ # # prelude_audisp local policy # @@ -18904,7 +18966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow prelude_audisp_t self:fifo_file rw_file_perms; allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -@@ -107,6 +150,7 @@ +@@ -107,6 +151,7 @@ corenet_tcp_sendrecv_generic_if(prelude_audisp_t) corenet_tcp_sendrecv_generic_node(prelude_audisp_t) corenet_tcp_bind_generic_node(prelude_audisp_t) @@ -18912,7 +18974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -114,12 +158,134 @@ +@@ -114,12 +159,134 @@ # Init script handling domain_use_interactive_fds(prelude_audisp_t) @@ -19047,7 +19109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations -@@ -128,6 +294,20 @@ +@@ -128,6 +295,20 @@ optional_policy(` apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) 
@@ -22720,7 +22782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.4/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/xserver.fc 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/xserver.fc 2009-02-04 08:58:37.000000000 -0500 @@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -22768,8 +22830,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -22789,7 +22852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.4/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/xserver.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/xserver.if 2009-02-04 10:10:19.000000000 -0500 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -22995,7 +23058,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1018,10 +1063,11 @@ +@@ -872,6 +917,27 @@ + + ######################################## + ## ++## Allow append the xdm ++## log files. ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_xdm_append_log',` ++ gen_require(` ++ type xdm_log_t; ++ attribute xdmhomewriter; ++ ') ++ ++ typeattribute $1 xdmhomewriter; ++ append_files_pattern($1, xdm_log_t, xdm_log_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to write the X server + ## log files. + ## +@@ -1018,10 +1084,11 @@ # interface(`xserver_domtrans',` gen_require(` @@ -23008,7 +23099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1205,275 @@ +@@ -1159,6 +1226,275 @@ ######################################## ## 
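Review bot: The new xserver_xdm_append_log interface (inner hunk -872) does more than its name and summary say. Besides `append_files_pattern($1, xdm_log_t, xdm_log_t)` it runs `typeattribute $1 xdmhomewriter;`, so every caller, including polkit_auth_t from the polkit.te hunk in this commit, also picks up whatever rules are written against xdmhomewriter, none of which are visible in this diff. If the attribute is not needed for appending to the log, drop it from this interface and let the callers that need it request it through a separately named interface. The doc block also needs fixing: the parameter text "Domain to not audit" is copied from the dontaudit interface and should read "Domain allowed access", and the summary should read "Allow appending to the xdm log files" and mention the attribute if it stays.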
@@ -23284,7 +23375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1172,7 +1487,99 @@ +@@ -1172,7 +1508,99 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -23386,7 +23477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-04 10:49:48.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -23401,7 +23492,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow xdm logins as sysadm ##

##
-@@ -65,14 +72,14 @@ +@@ -46,6 +53,7 @@ + ## + gen_tunable(xserver_object_manager, false) + ++attribute xdmhomewriter; + attribute input_xevent_type; + attribute xserver_unconfined_type; + attribute x_domain; +@@ -65,14 +73,14 @@ type iceauth_t; type iceauth_exec_t; @@ -23418,7 +23517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_poly_member(iceauth_home_t) userdom_user_home_content(iceauth_home_t) -@@ -112,17 +119,17 @@ +@@ -112,17 +120,17 @@ typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; type user_fonts_t; @@ -23440,7 +23539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; userdom_user_home_content(user_fonts_config_t) -@@ -134,18 +141,18 @@ +@@ -134,18 +142,18 @@ type xauth_t; type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; @@ -23462,7 +23561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) -@@ -166,7 +173,10 @@ +@@ -166,7 +174,10 @@ files_lock_file(xdm_lock_t) type xdm_rw_etc_t; @@ -23474,7 +23573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -174,6 +184,12 @@ +@@ -174,6 +185,12 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) 
@@ -23487,17 +23586,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; -@@ -181,6 +197,9 @@ +@@ -181,6 +198,12 @@ type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) +type xdm_home_t; +userdom_user_home_content(xdm_home_t) + ++type xdm_log_t; ++logging_log_file(xdm_log_t) ++ # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -189,7 +208,7 @@ +@@ -189,7 +212,7 @@ type xserver_t; type xserver_exec_t; typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; @@ -23506,7 +23608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_object_types_template(xdm) xserver_common_x_domain_template(xdm,xdm_t) init_system_domain(xserver_t, xserver_exec_t) -@@ -197,12 +216,12 @@ +@@ -197,12 +220,12 @@ type xserver_tmp_t; typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; @@ -23521,7 +23623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -250,19 +269,21 @@ +@@ -250,19 +273,21 @@ # Xauth local policy # @@ -23546,7 +23648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(xauth_t) files_read_etc_files(xauth_t) -@@ -300,13 +321,14 @@ +@@ -300,13 +325,14 @@ # XDM Local policy # @@ -23564,7 +23666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; -@@ -314,6 +336,11 @@ +@@ -314,6 +340,11 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; 
@@ -23576,7 +23678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -329,6 +356,8 @@ +@@ -329,6 +360,8 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -23585,7 +23687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -336,15 +365,30 @@ +@@ -336,15 +369,30 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -23618,7 +23720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +402,7 @@ +@@ -358,6 +406,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; 
@@ -23626,7 +23728,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) -@@ -389,11 +434,13 @@ +@@ -366,10 +415,14 @@ + delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) + delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) + ++manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) ++manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) ++manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) ++logging_log_filetrans(xdm_t, xdm_log_t, file) ++ + manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) + manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) + manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) +-logging_log_filetrans(xdm_t, xserver_log_t, file) + + kernel_read_system_state(xdm_t) + kernel_read_kernel_sysctls(xdm_t) +@@ -389,11 +442,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23640,7 +23758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +448,7 @@ +@@ -401,6 +456,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -23648,7 +23766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +461,17 @@ +@@ -413,14 +469,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -23668,7 +23786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +482,13 @@ +@@ -431,9 +490,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
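Review bot: Moving `logging_log_filetrans` for xdm_t from xserver_log_t to xdm_log_t (inner hunk -366) means any file xdm_t creates directly in /var/log is now born as xdm_log_t. The xserver.fc hunk in this same commit still maps `/var/log/[kw]dm\.log.*` to xserver_log_t, so those files would change type on the next relabel. The transition also names only the `file` class although `manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)` is granted and /var/log/gdm is a directory; if xdm_t ever creates that directory itself it would keep the parent label rather than xdm_log_t. Consider `logging_log_filetrans(xdm_t, xdm_log_t, { file dir })` and aligning the [kw]dm file contexts with whichever type is intended, so the created label and the file-context label agree.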
@@ -23682,7 +23800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +497,7 @@ +@@ -442,6 +505,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23690,7 +23808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +506,7 @@ +@@ -450,6 +514,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -23698,7 +23816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +517,10 @@ +@@ -460,10 +525,10 @@ logging_read_generic_logs(xdm_t) @@ -23711,7 +23829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -504,10 +561,12 @@ +@@ -504,10 +569,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -23724,7 +23842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +574,41 @@ +@@ -515,12 +582,41 @@ ') optional_policy(` @@ -23766,7 +23884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +630,19 @@ +@@ -542,6 +638,19 @@ ') optional_policy(` @@ -23786,7 +23904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +651,9 @@ +@@ -550,8 +659,9 @@ ') optional_policy(` 
@@ -23798,7 +23916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +662,6 @@ +@@ -560,7 +670,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -23806,7 +23924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +672,10 @@ +@@ -571,6 +680,10 @@ ') optional_policy(` @@ -23817,7 +23935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +692,7 @@ +@@ -587,7 +700,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23826,7 +23944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +707,11 @@ +@@ -602,9 +715,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23838,7 +23956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -622,7 +729,7 @@ +@@ -622,7 +737,7 @@ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) 
@@ -23847,7 +23965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,6 +742,15 @@ +@@ -635,9 +750,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23863,7 +23981,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -680,9 +796,14 @@ ++manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) + + kernel_read_system_state(xserver_t) + kernel_read_device_sysctls(xserver_t) +@@ -680,9 +805,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23878,7 +24000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +818,13 @@ +@@ -697,8 +827,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23892,7 +24014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +846,7 @@ +@@ -720,6 +855,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23900,7 +24022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +869,7 @@ +@@ -742,7 +878,7 @@ ') ifdef(`enable_mls',` 
@@ -23909,7 +24031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,6 +901,10 @@ +@@ -774,6 +910,10 @@ ') optional_policy(` @@ -23920,7 +24042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') -@@ -806,7 +937,7 @@ +@@ -806,7 +946,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -23929,7 +24051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +958,14 @@ +@@ -827,9 +967,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23944,7 +24066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +980,14 @@ +@@ -844,11 +989,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23960,7 +24082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +995,11 @@ +@@ -856,6 +1004,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -23972,7 +24094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1025,8 @@ +@@ -881,6 +1034,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; 
@@ -23981,7 +24103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1051,8 @@ +@@ -905,6 +1060,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23990,10 +24112,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,6 +1120,37 @@ +@@ -972,13 +1129,35 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; +-ifdef(`TODO',` +-tunable_policy(`allow_polyinstantiation',` +-# xdm needs access for linking .X11-unix to poly /tmp +-allow xdm_t polymember:dir { add_name remove_name write }; +-allow xdm_t polymember:lnk_file { create unlink }; +-# xdm needs access for copying .Xauthority into new home +-allow xdm_t polymember:file { create getattr write }; +allow xserver_unconfined_type self:x_drawable all_x_drawable_perms; +allow xserver_unconfined_type self:x_screen all_x_screen_perms; +allow xserver_unconfined_type self:x_gc all_x_gc_perms; @@ -24023,12 +24152,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +tunable_policy(`allow_xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; -+') -+ - ifdef(`TODO',` - tunable_policy(`allow_polyinstantiation',` - # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1165,12 @@ + ') + + # +@@ -986,3 +1165,21 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO 
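Review bot: The `@@ -972,13 +1129,35 @@` hunk of xserver.te now removes the ifdef TODO opener and the `tunable_policy` opener for `allow_polyinstantiation`, yet `') dnl end TODO` is still plain context in the `@@ -986,3 +1165,21 @@` hunk. The one remaining `')` is reused to close the new `allow_xserver_execmem` block, so as far as these hunks show the TODO closer no longer has an opener. Besides the unbalanced m4 quoting, anything that used to sit inside the disabled block becomes live policy. If `allow xdm_t user_home_type:file unlink;` is an active rule rather than a commented one (the collapsed layout does not show which), xdm_t gains unlink on every user home file type. Either keep the ifdef opener in front of the remaining TODO lines, or delete the closer too and add a comment saying why the rule is now enabled. Line 985 of the patched file falls between the two hunks and is not shown.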
@@ -24041,6 +24168,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +tunable_policy(`allow_execstack',` + allow xdm_t self:process { execstack execmem }; +') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_append_nfs_files(xdmhomewriter) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_append_cifs_files(xdmhomewriter) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.4/policy/modules/services/zosremote.fc --- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/services/zosremote.fc 2009-02-03 22:57:29.000000000 -0500 @@ -24181,8 +24317,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.4/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-03 22:57:29.000000000 -0500 -@@ -43,6 +43,7 @@ ++++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-04 10:32:13.000000000 -0500 +@@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t; @@ -24190,7 +24326,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') domain_type($1) -@@ -51,12 +52,27 @@ ++ domain_poly($1) ++ + domain_subj_id_change_exemption($1) + domain_role_change_exemption($1) domain_obj_id_change_exemption($1) role system_r types $1; 
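Review bot: The two `tunable_policy` blocks added at the end of xserver.te grant `fs_append_nfs_files` and `fs_append_cifs_files` to the whole `xdmhomewriter` attribute with no comment. On NFS and CIFS mounts every file typically carries the same type, so with the boolean on this is append access to anything on the mount that DAC allows, not only to home-directory content. A comment above each block should say which file the writers append to and note that the type cannot narrow it further, e.g. `# NFS has one type for all files: append is mount-wide once use_nfs_home_dirs is on`.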
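Review bot: `domain_poly($1)` is added to `auth_login_pgm_domain` without a comment, and the later hunks of the same interface remove the `allow_polyinstantiation` tunable block that wrapped `files_polyinstantiate_all($1)`. Every login program therefore joins the `polydomain` attribute unconditionally. These hunks do not show whether the access granted to `polydomain` is still gated by the `allow_polyinstantiation` boolean; if it is not, turning the boolean off no longer restricts these domains. Check that where the attribute's rules are written, and record the intent on the new call, e.g. `# polyinstantiation access comes from the polydomain attribute and must stay under allow_polyinstantiation`. The interface starts before this hunk and continues after it.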
@@ -24218,7 +24357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers -@@ -90,6 +106,7 @@ +@@ -90,6 +108,7 @@ auth_rw_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) @@ -24226,10 +24365,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_utmp($1) -@@ -100,8 +117,44 @@ +@@ -100,9 +119,38 @@ seutil_read_config($1) seutil_read_default_contexts($1) +- tunable_policy(`allow_polyinstantiation',` +- files_polyinstantiate_all($1) + userdom_set_rlimitnh($1) + userdom_read_user_home_content_symlinks($1) + userdom_delete_user_tmp_files($1) @@ -24255,23 +24396,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + nis_authenticate($1) -+ ') + ') + + optional_policy(` + ssh_agent_exec($1) + userdom_read_user_home_content_files($1) + ') + - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) -+ userdom_manage_user_home_content_dirs($1) -+ userdom_manage_user_home_content_files($1) -+ userdom_relabelto_user_home_dirs($1) -+ userdom_relabelto_user_home_files($1) - ') ') -@@ -197,8 +250,11 @@ + ######################################## +@@ -197,8 +245,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; @@ -24283,7 +24418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -@@ -207,19 +263,16 @@ +@@ -207,19 +258,16 @@ dev_read_rand($1) dev_read_urand($1) @@ -24308,7 +24443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -230,6 +283,29 @@ +@@ -230,6 +278,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') 
@@ -24338,7 +24473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -254,6 +330,7 @@ +@@ -254,6 +325,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -24346,7 +24481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -650,7 +727,7 @@ +@@ -650,7 +722,7 @@ ######################################## ## @@ -24355,7 +24490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1031,6 +1108,32 @@ +@@ -1031,6 +1103,32 @@ ######################################## ## @@ -24388,7 +24523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1400,10 @@ +@@ -1297,6 +1395,10 @@ ') optional_policy(` @@ -24399,7 +24534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1307,6 +1414,7 @@ +@@ -1307,6 +1409,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -24407,7 +24542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1449,99 @@ +@@ -1341,3 +1444,99 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -24509,7 +24644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.4/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/authlogin.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/authlogin.te 2009-02-04 10:29:49.000000000 -0500 @@ -12,7 +12,7 @@ type chkpwd_t, can_read_shadow_passwords; 
@@ -26461,16 +26596,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_list_tmpfs(mdadm_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.4/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.4/policy/modules/system/selinuxutil.fc 2009-02-03 22:57:29.000000000 -0500 -@@ -6,7 +6,7 @@ ++++ serefpolicy-3.6.4/policy/modules/system/selinuxutil.fc 2009-02-04 11:12:45.000000000 -0500 +@@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) -/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) - /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) ++/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) + /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) + /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) +-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) ++/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) + + # + # /root 
@@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) @@ -28401,7 +28544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-04 10:39:52.000000000 -0500 @@ -30,8 +30,9 @@ ') 
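Review bot: The selinuxutil.fc entries for `/etc/selinux/([^/]*/)?seusers` and `/etc/selinux/([^/]*/)?users(/.*)?` drop from `mls_systemhigh` to `s0` with no explanation, while the `setrans\.conf` entry two lines above stays at `mls_systemhigh`. On an MLS policy this lowers the sensitivity of the login-to-SELinux-user mapping, so subjects at any level may read it and s0 subjects may be able to modify it, subject to the type-enforcement rules. The reason should be stated beside the entries in a short comment naming the tool or domain that could not work at `mls_systemhigh`. It is also worth checking whether `setrans\.conf` was meant to follow the same change. After changing a label in the file contexts, the affected paths need a relabel for it to take effect.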
@@ -28562,27 +28705,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -174,9 +194,6 @@ - fs_read_nfs_symlinks($2) - fs_read_nfs_named_sockets($2) - fs_read_nfs_named_pipes($2) +@@ -147,6 +167,7 @@ + interface(`userdom_ro_home_role',` + gen_require(` + type user_home_t, user_home_dir_t; ++ attribute userhomereader; + ') + + role $1 types { user_home_t user_home_dir_t }; +@@ -157,6 +178,7 @@ + # + + type_member $2 user_home_dir_t:dir user_home_dir_t; ++ typeattribute $2 userhomereader; + + # read-only home directory + allow $2 user_home_dir_t:dir list_dir_perms; +@@ -168,27 +190,6 @@ + read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + files_list_home($2) + +- tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs($2) +- fs_read_nfs_files($2) +- fs_read_nfs_symlinks($2) +- fs_read_nfs_named_sockets($2) +- fs_read_nfs_named_pipes($2) - ',` - fs_dontaudit_list_nfs($2) - fs_dontaudit_read_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` -@@ -185,9 +202,6 @@ - fs_read_cifs_symlinks($2) - fs_read_cifs_named_sockets($2) - fs_read_cifs_named_pipes($2) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs($2) +- fs_read_cifs_files($2) +- fs_read_cifs_symlinks($2) +- fs_read_cifs_named_sockets($2) +- fs_read_cifs_named_pipes($2) - ',` - fs_dontaudit_list_cifs($2) - fs_dontaudit_read_cifs_files($2) - ') +- ') ') -@@ -220,9 +234,10 @@ + ####################################### +@@ -220,9 +221,10 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -28594,7 +28761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -232,17 +247,20 @@ +@@ -232,17 +234,20 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory 
@@ -28625,12 +28792,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -250,25 +268,23 @@ +@@ -250,25 +255,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` -+ fs_mount_nfs($2) -+ fs_mounton_nfs($2) ++ fs_mount_nfs($2) ++ fs_mounton_nfs($2) fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) fs_manage_nfs_symlinks($2) @@ -28642,8 +28809,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -+ fs_mount_cifs($2) -+ fs_mounton_cifs($2) ++ fs_mount_cifs($2) ++ fs_mounton_cifs($2) fs_manage_cifs_dirs($2) fs_manage_cifs_files($2) fs_manage_cifs_symlinks($2) @@ -28655,7 +28822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -303,6 +319,7 @@ +@@ -303,6 +306,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -28663,7 +28830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -368,46 +385,41 @@ +@@ -368,46 +372,41 @@ ####################################### ## @@ -28685,12 +28852,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_require(` - type $1_t; - ') -+interface(`userdom_basic_networking',` - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; ++interface(`userdom_basic_networking',` - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) 
@@ -28702,7 +28867,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -- ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; + - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) @@ -28730,7 +28897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +432,41 @@ +@@ -420,34 +419,41 @@ ## is the prefix for user_t). ## ## @@ -28790,7 +28957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -497,11 +516,7 @@ +@@ -497,11 +503,7 @@ attribute unpriv_userdomain; ') @@ -28803,7 +28970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +527,198 @@ +@@ -512,189 +514,198 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -28821,26 +28988,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -29044,16 +29211,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + postgresql_stream_connect($1_usertype) ++ ') ') ++ ++ optional_policy(` ++ # to allow monitoring of pcmcia status ++ pcmcia_read_pid($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) -+ # to allow monitoring of pcmcia status -+ pcmcia_read_pid($1_usertype) -+ ') -+ -+ optional_policy(` + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') 
@@ -29083,22 +29250,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,15 +746,29 @@ +@@ -722,15 +733,29 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_change_password_template($1) -+ -+ userdom_manage_home_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ userdom_manage_home_role($1_r, $1_usertype) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -29119,7 +29286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -746,70 +784,72 @@ +@@ -746,70 +771,72 @@ allow $1_t self:context contains; @@ -29225,7 +29392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +886,28 @@ +@@ -846,6 +873,28 @@ # Local policy # @@ -29254,7 +29421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +938,7 @@ +@@ -876,7 +925,7 @@ userdom_restricted_user_template($1) 
@@ -29263,18 +29430,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +946,19 @@ +@@ -884,14 +933,19 @@ # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) -+ -+ xserver_role($1_r, $1_t) -+ xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) ++ xserver_role($1_r, $1_t) ++ xserver_communicate($1_usertype, $1_usertype) ++ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -29288,7 +29455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +966,28 @@ +@@ -899,28 +953,28 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -29325,7 +29492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -931,8 +998,7 @@ +@@ -931,8 +985,7 @@ ## ## ##

@@ -29335,7 +29502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +1020,8 @@ +@@ -954,8 +1007,8 @@ # Declarations # @@ -29345,7 +29512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1030,12 @@ +@@ -964,11 +1017,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -29360,7 +29527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1053,47 @@ +@@ -986,37 +1040,47 @@ ') ') @@ -29411,17 +29578,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + mount_run($1_t, $1_r) -+ ') + ') + + # Run pppd in pppd_t by default for user + optional_policy(` + ppp_run_cond($1_t, $1_r) - ') ++ ') + ') ####################################### -@@ -1050,7 +1127,7 @@ +@@ -1050,7 +1114,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -29430,7 +29597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1136,7 @@ +@@ -1059,8 +1123,7 @@ # # Inherit rules for ordinary users. @@ -29440,7 +29607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1159,8 @@ +@@ -1083,7 +1146,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -29450,7 +29617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1176,7 @@ +@@ -1099,6 +1163,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -29458,7 +29625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1184,6 @@ +@@ -1106,8 +1171,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -29467,7 +29634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1238,6 @@ +@@ -1162,20 +1225,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29488,7 +29655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1283,7 @@ +@@ -1221,6 +1270,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29496,7 +29663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1349,15 @@ +@@ -1286,11 +1336,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -29512,7 +29679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1454,7 @@ +@@ -1387,7 +1441,7 @@ ######################################## ##

@@ -29521,7 +29688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1487,14 @@ +@@ -1420,6 +1474,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -29536,7 +29703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1510,11 @@ +@@ -1435,9 +1497,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -29548,7 +29715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1571,25 @@ +@@ -1494,6 +1558,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -29574,7 +29741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1643,9 @@ +@@ -1547,9 +1630,9 @@ type user_home_dir_t, user_home_t; ') @@ -29586,7 +29753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1664,8 @@ +@@ -1568,6 +1651,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -29595,7 +29762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1741,7 @@ +@@ -1643,6 +1728,7 @@ type user_home_dir_t, user_home_t; ') @@ -29603,7 +29770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1840,62 @@ +@@ -1741,6 +1827,62 @@ ######################################## ## 
@@ -29666,7 +29833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1912,6 @@ +@@ -1757,14 +1899,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -29681,7 +29848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1934,46 @@ +@@ -1787,6 +1921,46 @@ ######################################## ## @@ -29728,7 +29895,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1921,7 +2108,7 @@ +@@ -1799,6 +1973,7 @@ + interface(`userdom_manage_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; ++ attribute userhomewriter; + ') + + manage_files_pattern($1, user_home_t, user_home_t) +@@ -1921,7 +2096,7 @@ ######################################## ## @@ -29737,7 +29912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## with an automatic type transition to ## a specified private type. ## -@@ -1941,34 +2128,64 @@ +@@ -1941,28 +2116,58 @@ ## ## # @@ -29766,18 +29941,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Domain allowed access. ## ## +-## +## +## +## The type of the object to create. +## +## - ## - ## - ## The class of the object to be created. - ## - ## - # --interface(`userdom_user_home_dir_filetrans_user_home_content',` ++## ++## ++## The class of the object to be created. ++## ++## ++# +interface(`userdom_user_home_content_filetrans',` + gen_require(` + type user_home_dir_t, user_home_t; @@ -29800,16 +29975,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +##
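Review bot: `attribute userhomewriter;` is added to the `gen_require` of `userdom_manage_user_home_content_files`, but the inner hunk grows by that one line only (`@@ -1799,6 +1973,7 @@`), so nothing in the interface assigns `$1` to the attribute. The userdomain.te hunk later in this change declares `userhomewriter` beside `userhomereader`, then adds the `use_nfs_home_dirs` and `use_samba_home_dirs` blocks for `userhomereader` alone. As shown, `userhomewriter` is declared and required but never assigned or given rules, which reads like an unfinished move of the write-side NFS/CIFS access. Either add `typeattribute $1 userhomewriter;` after the `gen_require` together with the matching tunable blocks, or drop the unused require so the interface does not depend on an attribute it never uses. The interface body continues outside the hunk.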
+## +## -+## -+## The class of the object to be created. -+## -+## -+# -+interface(`userdom_user_home_dir_filetrans_user_home_content',` - gen_require(` - type user_home_dir_t, user_home_t; - ') -@@ -2819,6 +3036,24 @@ + ## + ## The class of the object to be created. + ## +@@ -2819,6 +3024,24 @@ ######################################## ## @@ -29834,7 +30003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2851,6 +3086,7 @@ +@@ -2851,6 +3074,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -29842,7 +30011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3201,24 @@ +@@ -2965,6 +3189,24 @@ ######################################## ## @@ -29867,7 +30036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3235,313 @@ +@@ -2981,3 +3223,313 @@ allow $1 userdomain:dbus send_msg; ') @@ -30183,7 +30352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.4/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/userdomain.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/userdomain.te 2009-02-04 10:39:31.000000000 -0500 @@ -8,13 +8,6 @@ ## @@ -30212,7 +30381,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow user to r/w files on filesystems ## that do not have extended attributes (FAT, CDROM, FLOPPY) ##

-@@ -55,8 +41,14 @@ +@@ -52,11 +38,20 @@ + # all user domains + attribute userdomain; + ++attribute userhomereader; ++attribute userhomewriter; ++ # unprivileged user domains attribute unpriv_userdomain; @@ -30229,7 +30404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) -@@ -70,6 +62,7 @@ +@@ -70,6 +65,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -30237,7 +30412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -95,3 +88,7 @@ +@@ -95,3 +91,23 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) 
@@ -30245,6 +30420,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +tunable_policy(`allow_console_login',` + term_use_console(userdomain) +') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs(userhomereader) ++ fs_read_nfs_files(userhomereader) ++ fs_read_nfs_symlinks(userhomereader) ++ fs_read_nfs_named_sockets(userhomereader) ++ fs_read_nfs_named_pipes(userhomereader) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs(userhomereader) ++ fs_read_cifs_files(userhomereader) ++ fs_read_cifs_symlinks(userhomereader) ++ fs_read_cifs_named_sockets(userhomereader) ++ fs_read_cifs_named_pipes(userhomereader) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.4/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/system/xen.fc 2009-02-03 22:57:29.000000000 -0500