diff --git a/modules-mls.conf b/modules-mls.conf index 7e20376..39f3cb8 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1833,3 +1833,45 @@ milter = module # wm = module +# Layer: services +# Module: aisexec +# +# RHCS - Red Hat Cluster Suite +# +aisexec = module + +# Layer: services +# Module: rgmanager +# +# rgmanager +# +rgmanager = module + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = base + diff --git a/policy-F13.patch b/policy-F13.patch index 8a5d85b..88134dc 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -240,7 +240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.33/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/admin/logrotate.te 2009-11-12 14:26:53.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/admin/logrotate.te 2009-11-16 09:58:07.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -261,7 +261,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -149,6 +150,14 @@ +@@ -137,6 +138,10 @@ + ') + + optional_policy(` ++ abrt_cache_manage(logrotate_t) ++') ++ ++optional_policy(` + acct_domtrans(logrotate_t) + acct_manage_data(logrotate_t) + acct_exec_data(logrotate_t) +@@ -149,6 +154,14 @@ ') optional_policy(` @@ -276,7 +287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(logrotate_t) ') -@@ -183,6 +192,10 @@ +@@ -183,6 +196,10 @@ ') optional_policy(` @@ -664,7 +675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.33/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/admin/rpm.if 2009-11-12 14:26:53.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/admin/rpm.if 2009-11-16 09:56:52.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -1559,7 +1570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te 2009-11-12 14:26:53.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te 2009-11-16 09:57:08.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1583,7 +1594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -+ rpm_read_cache(tmpreaper_t) ++ rpm_manage_cache(tmpreaper_t) +') + +optional_policy(` @@ -9143,7 +9154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te 2009-11-12 15:05:29.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te 2009-11-16 11:05:10.000000000 -0500 @@ -0,0 +1,430 @@ +policy_module(unconfineduser, 1.0.0) + @@ -9434,10 +9445,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ rtkit_daemon_system_domain(unconfined_t) -+') -+ -+optional_policy(` + samba_role_notrans(unconfined_r) + samba_run_unconfined_net(unconfined_t, unconfined_r) + samba_run_winbind_helper(unconfined_t, unconfined_r) @@ -9567,6 +9574,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_role(unconfined_r, unconfined_notrans_t) +') + ++optional_policy(` ++ rtkit_daemon_system_domain(unconfined_notrans_t) ++') ++ +######################################## +# +# Unconfined mount local policy @@ -9828,7 +9839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.33/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/services/abrt.if 2009-11-13 11:25:29.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/abrt.if 2009-11-16 09:55:22.000000000 -0500 @@ -19,6 +19,24 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -9954,7 +9965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.33/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/services/abrt.te 2009-11-13 11:25:18.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/abrt.te 2009-11-16 10:52:33.000000000 -0500 @@ -33,12 +33,23 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -9980,8 +9991,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow abrt_t self:process { signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; -@@ -60,13 +71,15 @@ +@@ -58,15 +69,18 @@ + manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) + manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) ++can_exec(abrt_t, abrt_tmp_t) # abrt var/cache files -manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) @@ -9998,7 +10012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,11 +88,17 @@ +@@ -75,10 +89,17 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -10009,14 +10023,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_tcp_connect_all_ports(abrt_t) dev_read_urand(abrt_t) - ++dev_rw_sysfs(abrt_t) ++ +domain_read_all_domains_state(abrt_t) +domain_signull_all_domains(abrt_t) -+ + files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) - files_read_usr_files(abrt_t) -@@ -96,22 +115,59 @@ +@@ -87,6 +108,7 @@ + fs_list_inotifyfs(abrt_t) + fs_getattr_all_fs(abrt_t) + fs_getattr_all_dirs(abrt_t) ++fs_search_all(abrt_t) + + sysnet_read_config(abrt_t) + +@@ -96,22 +118,59 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10047,11 +10069,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - rpm_manage_db(abrt_t) - rpm_domtrans(abrt_t) -+ rpm_manage_cache(abrt_t) -+ rpm_read_db(abrt_t) -+ rpm_read_pid_files(abrt_t) + rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) ++ rpm_manage_cache(abrt_t) ++ rpm_manage_pid_files(abrt_t) ++ rpm_read_db(abrt_t) + rpm_signull(abrt_t) ') @@ -16296,7 +16318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.33/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/services/networkmanager.te 2009-11-12 14:26:53.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.te 2009-11-16 10:30:18.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -16324,7 +16346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow NetworkManager_t self:tcp_socket create_stream_socket_perms; allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -51,8 +55,11 @@ +@@ -51,8 +55,13 @@ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -16334,11 +16356,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) + ++manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -@@ -63,6 +70,9 @@ +@@ -63,6 +72,9 @@ kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) @@ -16348,7 +16372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +91,18 @@ +@@ -81,13 +93,18 @@ corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t) @@ -16367,7 +16391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(NetworkManager_t) -@@ -98,15 +113,20 @@ +@@ -98,15 +115,20 @@ domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) @@ -16389,7 +16413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +136,40 @@ +@@ -116,25 +138,40 @@ seutil_read_config(NetworkManager_t) @@ -16437,7 +16461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -146,8 +181,25 @@ +@@ -146,8 +183,25 @@ ') optional_policy(` @@ -16465,7 +16489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,23 +207,51 @@ +@@ -155,23 +209,51 @@ ') optional_policy(` @@ -16492,17 +16516,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) + openvpn_signull(NetworkManager_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + policykit_dbus_chat(NetworkManager_t) + policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) + policykit_read_reload(NetworkManager_t) + userdom_read_all_users_state(NetworkManager_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) @@ -16519,7 +16543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -179,12 +259,15 @@ +@@ -179,12 +261,15 @@ ') optional_policy(` @@ -17696,8 +17720,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.33/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.33/policy/modules/services/plymouth.te 2009-11-12 14:26:53.000000000 -0500 -@@ -0,0 +1,97 @@ ++++ serefpolicy-3.6.33/policy/modules/services/plymouth.te 2009-11-16 10:36:01.000000000 -0500 +@@ -0,0 +1,101 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -17789,6 +17813,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +plymouth_stream_connect(plymouth_t) + ++optional_policy(` ++ lvm_domtrans(plymouth_t) ++') ++ +ifdef(`hide_broken_symptoms', ` +optional_policy(` + hal_dontaudit_write_log(plymouth_t) @@ -27355,7 +27383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.33/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/system/libraries.fc 2009-11-12 14:26:53.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/system/libraries.fc 2009-11-16 09:36:01.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -27551,7 +27579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +302,102 @@ +@@ -307,10 +302,104 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -27575,6 +27603,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31039,7 +31069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.33/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.33/policy/modules/system/userdomain.if 2009-11-13 11:30:17.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/system/userdomain.if 2009-11-16 11:06:05.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -31957,7 +31987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol loadkeys_run($1_t,$1_r) ') ') -@@ -865,51 +950,93 @@ +@@ -865,51 +950,97 @@ userdom_restricted_user_template($1) @@ -32014,8 +32044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + alsa_read_rw_config($1_usertype) + ') - -- xserver_restricted_role($1_r, $1_t) ++ + optional_policy(` + apache_role($1_r, $1_usertype) + ') @@ -32026,36 +32055,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + devicekit_dbus_chat_power($1_usertype) + ') +- xserver_restricted_role($1_r, $1_t) ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') + optional_policy(` - alsa_read_rw_config($1_t) -+ fprintd_dbus_chat($1_t) ++ gnomeclock_dbus_chat($1_t) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) -+ gnomeclock_dbus_chat($1_t) -+ ') - - optional_policy(` -- consolekit_dbus_chat($1_t) + gnome_manage_config($1_usertype) + gnome_manage_gconf_home_files($1_usertype) + gnome_read_gconf_config($1_usertype) ++ ') + + optional_policy(` +- consolekit_dbus_chat($1_t) ++ openoffice_role_template($1, $1_r, $1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ openoffice_role_template($1, $1_r, $1_usertype) ++ policykit_role($1_r, $1_usertype) ') + + optional_policy(` -+ policykit_role($1_r, $1_usertype) ++ pulseaudio_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) -+ pulseaudio_role($1_r, $1_usertype) ++ rtkit_daemon_system_domain($1_usertype) ') optional_policy(` @@ -32064,7 +32098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1070,8 @@ +@@ -943,8 +1074,8 @@ # Declarations # @@ -32074,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1080,67 @@ +@@ -953,58 +1084,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -32108,14 +32142,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - storage_raw_read_removable_device($1_t) + optional_policy(` + cdrecord_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ cron_role($1_r, $1_t) ') + + optional_policy(` -+ games_rw_data($1_usertype) ++ cron_role($1_r, $1_t) ') - tunable_policy(`user_dmesg',` @@ -32123,7 +32153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ',` - kernel_dontaudit_read_ring_buffer($1_t) + optional_policy(` -+ gpg_role($1_r, $1_usertype) ++ games_rw_data($1_usertype) ') - # Allow users to run TCP servers (bind to ports and accept connection from @@ -32133,28 +32163,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + optional_policy(` -+ gpm_stream_connect($1_usertype) ++ gpg_role($1_r, $1_usertype) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) -+ execmem_role_template($1, $1_r, $1_t) ++ gpm_stream_connect($1_usertype) ') optional_policy(` - postgresql_role($1_r,$1_t) -+ java_role_template($1, $1_r, $1_t) ++ execmem_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ mono_role_template($1, $1_r, $1_t) ++ java_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ mono_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` + mount_run($1_t, $1_r) + ') + @@ -32172,7 +32206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1176,7 @@ +@@ -1040,7 +1180,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -32181,7 +32215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1185,7 @@ +@@ -1049,8 +1189,7 @@ # # Inherit rules for ordinary users. @@ -32191,7 +32225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1210,9 @@ +@@ -1075,6 +1214,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -32201,7 +32235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1227,7 @@ +@@ -1089,6 +1231,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -32209,7 +32243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1235,6 @@ +@@ -1096,8 +1239,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -32218,7 +32252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,12 +1261,11 @@ +@@ -1124,12 +1265,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -32233,7 +32267,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms($1_t) auth_getattr_shadow($1_t) -@@ -1152,20 +1288,6 @@ +@@ -1152,20 +1292,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -32254,7 +32288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1333,7 @@ +@@ -1211,6 +1337,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -32262,7 +32296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1399,15 @@ +@@ -1276,11 +1403,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -32278,7 +32312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1518,13 @@ +@@ -1391,12 +1522,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -32293,7 +32327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1557,14 @@ +@@ -1429,6 +1561,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -32308,7 +32342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1580,11 @@ +@@ -1444,9 +1584,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -32320,7 +32354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1641,42 @@ +@@ -1503,6 +1645,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -32363,7 +32397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1751,8 @@ +@@ -1577,6 +1755,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -32372,7 +32406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1619,6 +1795,24 @@ +@@ -1619,6 +1799,24 @@ ######################################## ## @@ -32397,7 +32431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1670,6 +1864,7 @@ +@@ -1670,6 +1868,7 @@ type user_home_dir_t, user_home_t; ') @@ -32405,7 +32439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1686,11 +1881,11 @@ +@@ -1686,11 +1885,11 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32420,7 +32454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1797,19 +1992,32 @@ +@@ -1797,19 +1996,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -32460,7 +32494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2052,7 @@ +@@ -1844,6 +2056,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -32468,7 +32502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2196,7 +2405,7 @@ +@@ -2196,7 +2409,7 @@ ######################################## ## @@ -32477,7 +32511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary files. ## ## -@@ -2205,37 +2414,56 @@ +@@ -2205,31 +2418,50 @@ ## ## # @@ -32512,13 +32546,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; -- files_search_tmp($1) + dontaudit $1 user_tmp_t:file manage_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete user ++') ++ ++######################################## ++## +## Read user temporary symbolic links. +## +## @@ -32534,16 +32566,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:dir list_dir_perms; -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user - ## temporary directories. - ## - ## -@@ -2276,6 +2504,46 @@ + files_search_tmp($1) + ') + +@@ -2276,6 +2508,46 @@ ######################################## ## ## Create, read, write, and delete user @@ -32590,7 +32616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary symbolic links. ## ## -@@ -2391,7 +2659,7 @@ +@@ -2391,7 +2663,7 @@ ######################################## ## @@ -32599,7 +32625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2399,19 +2667,21 @@ +@@ -2399,19 +2671,21 @@ ## ## # @@ -32625,7 +32651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2419,15 +2689,14 @@ +@@ -2419,15 +2693,14 @@ ## ## # @@ -32645,7 +32671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2749,7 +3018,7 @@ +@@ -2749,7 +3022,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -32654,7 +32680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3034,32 @@ +@@ -2765,11 +3038,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -32689,7 +32715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3187,43 @@ +@@ -2897,7 +3191,43 @@ type user_tmp_t; ') @@ -32734,7 +32760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3260,7 @@ +@@ -2934,6 +3264,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -32742,7 +32768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3391,578 @@ +@@ -3064,3 +3395,578 @@ allow $1 userdomain:dbus send_msg; ')