diff --git a/modules-mls.conf b/modules-mls.conf
index 9d5e452..7e5ccb2 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1059,3 +1059,31 @@ tzdata = base
 # Abstract Machine Test Utility (AMTU)
 # 
 amtu = module
+
+# Layer: users
+# Module: staff
+#
+# Fully Privledged user. with su/sudo/newrole
+# 
+staff = base
+
+# Layer: users
+# Module: user
+#
+# Fully Privledged user. without su/sudo/newrole
+# 
+user = base
+
+# Layer: users
+# Module: secadm
+#
+# Root role used to manage selinux 
+# 
+secadm = module
+
+# Layer: users
+# Module: auditadm
+#
+# Root role used to manage audit system
+# 
+auditadm = module
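Review bot: The descriptions added for the staff and user entries misspell "privileged" (`# Fully Privledged user. with su/sudo/newrole`), and the stray full stop splits the sentence; since these lines are the only documentation a reader of modules-mls.conf gets for the new users layer, they should read `# Fully privileged user, with su/sudo/newrole` and `# Fully privileged user, without su/sudo/newrole`. The secadm and auditadm descriptions are fine as written apart from the trailing space after `selinux`.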
diff --git a/modules-targeted.conf b/modules-targeted.conf
index fa8c19b..fa18b18 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -747,6 +747,12 @@ mount = base
 # 
 mozilla = module
 
+# Layer: apps
+# Module: nsplugin
+#
+# Policy for nspluginwrapper 
+# 
+nsplugin = module
 
 # Layer: apps
 # Module: mplayer
@@ -755,6 +761,13 @@ mozilla = module
 # 
 mplayer = module
 
+# Layer: apps
+# Module: gpg
+#
+# Policy for Mozilla and related web browsers
+# 
+gpg = module
+
 # Layer: admin
 # Module: mrtg
 #
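Review bot: The description added for the gpg entry, `# Policy for Mozilla and related web browsers`, is the mozilla module's text and does not describe gpg; the policy patch in this same commit shows the module covering gpg, gpg-agent, the key-fetching helper and pinentry, so `# Policy for GnuPG, gpg-agent and pinentry` would be accurate. If this file is kept in alphabetical order (mozilla, mplayer, mrtg suggests it is), the new gpg entry between mplayer and mrtg, and the nsplugin entry in the previous hunk between mozilla and mplayer, are both out of sequence.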
@@ -1572,3 +1585,17 @@ bitlbee = module
 # 
 soundserver = module
 
+# Layer: users
+# Module: staff
+#
+# Minimally privs guest account on tty logins
+# 
+staff = base
+
+# Layer: users
+# Module: user
+#
+# Minimally privs guest account on tty logins
+# 
+user = base
+
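Review bot: The staff and user entries are both described as `# Minimally privs guest account on tty logins`, which is the guest module's wording and contradicts modules-mls.conf in this same commit, where the same two modules are described as fully privileged users with and without su/sudo/newrole. Reusing the mls wording (`# Fully privileged user, with su/sudo/newrole` / `# Fully privileged user, without su/sudo/newrole`) keeps the two configs in agreement and tells an administrator what `staff = base` and `user = base` actually enable. The last added line is empty, leaving a trailing blank line at end of file.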
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 3fc40d6..cee24d2 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -12,6 +12,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u
 +system_r:remote_login_t:s0	guest_r:guest_t:s0
 +system_r:sshd_t:s0		guest_r:guest_t:s0
 +system_r:crond_t:s0		guest_r:guest_crond_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts	2007-10-12 08:56:09.000000000 -0400
++++ serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts	2008-01-02 11:19:34.000000000 -0500
+@@ -1,11 +1,7 @@
+ system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+ system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+ 
+-staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+-sysadm_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+-user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+-
+ #
+ # Uncomment if you want to automatically login as sysadm_r
+ #
+-#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
++system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.5/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.2.5/config/appconfig-mcs/seusers	2007-12-19 05:38:08.000000000 -0500
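Review bot: The inner patch activates the `system_r:sshd_t:s0` line but keeps the `# Uncomment if you want to automatically login as sysadm_r` comment above it, so the comment now describes a state the shipped file is no longer in; drop it or reword it to state the new default. Because a default_contexts entry is resolved by taking the first listed context the user is authorized for, root logging in over sshd now lands in `unconfined_r:unconfined_t:s0` where that role is available and in `sysadm_r:sysadm_t:s0` otherwise, without the explicit newrole step the upstream file required — a deliberate widening that deserves a one-line comment saying so, since it is the kind of default an MLS/MCS deployment may want to keep off. The three `*_su_t` entries are removed without explanation; if su's default contexts are now supplied elsewhere, a comment pointing there would help the next reader. The appconfig-standard root_default_contexts hunk further down makes the identical change and has the same issues.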
@@ -64,6 +80,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/gu
 +system_r:remote_login_t	guest_r:guest_t
 +system_r:sshd_t		guest_r:guest_t
 +system_r:crond_t	guest_r:guest_crond_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts
+--- nsaserefpolicy/config/appconfig-standard/root_default_contexts	2007-10-12 08:56:09.000000000 -0400
++++ serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts	2008-01-02 11:20:32.000000000 -0500
+@@ -1,11 +1,7 @@
+ system_r:crond_t	unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+ system_r:local_login_t  unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+ 
+-staff_r:staff_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+-sysadm_r:sysadm_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+-user_r:user_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+-
+ #
+ # Uncomment if you want to automatically login as sysadm_r
+ #
+-#system_r:sshd_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
++system_r:sshd_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts	2007-12-19 05:38:08.000000000 -0500
@@ -925,7 +957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc 
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2007-12-24 06:06:53.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2008-01-03 11:32:09.000000000 -0500
 @@ -152,6 +152,24 @@
  
  ########################################
@@ -976,11 +1008,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ##	Create, read, write, and delete RPM
  ##	script temporary files.
  ## </summary>
-@@ -224,8 +260,29 @@
- 		type rpm_script_tmp_t;
+@@ -225,7 +261,29 @@
  	')
  
--	files_search_tmp($1)
+ 	files_search_tmp($1)
 +	manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
  	manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
 +	manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
@@ -1007,7 +1038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ')
  
  ########################################
-@@ -289,3 +346,137 @@
+@@ -289,3 +347,137 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -1273,7 +1304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/su.if	2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/su.if	2008-01-03 13:47:22.000000000 -0500
 @@ -41,15 +41,13 @@
  
  	allow $2 $1_su_t:process signal;
@@ -1321,7 +1352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  	allow $2 $1_su_t:fd use;
  	allow $2 $1_su_t:fifo_file rw_file_perms;
 -	allow $2 $1_su_t:process sigchld;
-+	allow $2 $1_su_t:process { getsched signal };
++	allow $2 $1_su_t:process { getsched signal sigchld };
  
  	kernel_read_system_state($1_su_t)
  	kernel_read_kernel_sysctls($1_su_t)
@@ -1344,7 +1375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  	files_read_etc_files($1_su_t)
  	files_read_etc_runtime_files($1_su_t)
  	files_search_var_lib($1_su_t)
-@@ -226,6 +224,7 @@
+@@ -226,12 +224,14 @@
  	libs_use_ld_so($1_su_t)
  	libs_use_shared_libs($1_su_t)
  
@@ -1352,7 +1383,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  	logging_send_syslog_msg($1_su_t)
  
  	miscfiles_read_localization($1_su_t)
-@@ -295,13 +294,7 @@
+ 
+-	userdom_use_user_terminals($1,$1_su_t)
++	userdom_search_sysadm_home_dirs($1_su_t)
+ 	userdom_search_user_home_dirs($1,$1_su_t)
++	userdom_use_user_terminals($1,$1_su_t)
+ 
+ 	ifdef(`distro_rhel4',`
+ 		domain_role_change_exemption($1_su_t)
+@@ -295,13 +295,7 @@
  		xserver_domtrans_user_xauth($1, $1_su_t)
  	')
  
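Review bot: `userdom_search_sysadm_home_dirs($1_su_t)` is added unconditionally to the per-role su template, so every role's su domain (user_su_t included, not only staff or sysadm) gains search on sysadm home directories, and nothing in the hunk says why. A why-comment such as `# NOTE(review): confirm which su targets need to search sysadm home dirs; narrow if only some roles do` would make the grant reviewable, or the call could be restricted to the roles that need it. The enclosing template starts and ends outside this hunk.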
@@ -1959,13 +1998,564 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 +files_tmp_file(user_gconf_tmp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc
 --- nsaserefpolicy/policy/modules/apps/gpg.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc	2007-12-19 05:38:08.000000000 -0500
-@@ -1,4 +1,4 @@
++++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc	2008-01-03 16:26:50.000000000 -0500
+@@ -1,6 +1,6 @@
 -HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
 +HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:user_gpg_secret_t,s0)
  
- /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+-/usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
++/usr/bin/gpg2?		--	gen_context(system_u:object_r:gpg_exec_t,s0)
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+ /usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/apps/gpg.if	2008-01-03 17:11:22.000000000 -0500
+@@ -38,6 +38,10 @@
+ 	gen_require(`
+ 		type gpg_exec_t, gpg_helper_exec_t;
+ 		type gpg_agent_exec_t, pinentry_exec_t;
++		type gpg_t, gpg_helper_t;
++		type gpg_agent_t, gpg_pinentry_t;
++		type user_gpg_agent_tmp_t;
++		type user_gpg_secret_t;
+ 	')
+ 
+ 	########################################
+@@ -45,275 +49,51 @@
+ 	# Declarations
+ 	#
+ 
+-	type $1_gpg_t;
+-	application_domain($1_gpg_t,gpg_exec_t)
+-	role $3 types $1_gpg_t;
+-
+-	type $1_gpg_agent_t;
+-	application_domain($1_gpg_agent_t,gpg_agent_exec_t)
+-	role $3 types $1_gpg_agent_t;
+-
+-	type $1_gpg_agent_tmp_t;
+-	files_tmp_file($1_gpg_agent_tmp_t)
+-
+-	type $1_gpg_secret_t;
+-	userdom_user_home_content($1,$1_gpg_secret_t)
+-
+-	type $1_gpg_helper_t;
+-	application_domain($1_gpg_helper_t,gpg_helper_exec_t)
+-	role $3 types $1_gpg_helper_t;
+-
+-	type $1_gpg_pinentry_t;
+-	application_domain($1_gpg_pinentry_t,pinentry_exec_t)
+-	role $3 types $1_gpg_pinentry_t;
++	typealias gpg_t alias $1_gpg_t;
++	role $3 types gpg_t;
+ 
+-	########################################
+-	#
+-	# GPG local policy
+-	#
+-
+-	allow $1_gpg_t self:capability { ipc_lock setuid };
+-	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
+-	# setrlimit is for ulimit -c 0
+-	allow $1_gpg_t self:process { setrlimit setcap setpgid };
+-
+-	allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
+-	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
+-
+-	# transition from the gpg domain to the helper domain
+-	domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
+-
+-	manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
+-	manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
+-	allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
+- 	userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
+-
+-	# transition from the userdomain to the derived domain
+-	domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
+-
+-	# allow ps to show gpg
+-	ps_process_pattern($2,$1_gpg_t)
+-
+-	corenet_all_recvfrom_unlabeled($1_gpg_t)
+-	corenet_all_recvfrom_netlabel($1_gpg_t)
+-	corenet_tcp_sendrecv_all_if($1_gpg_t)
+-	corenet_udp_sendrecv_all_if($1_gpg_t)
+-	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
+-	corenet_udp_sendrecv_all_nodes($1_gpg_t)
+-	corenet_tcp_sendrecv_all_ports($1_gpg_t)
+-	corenet_udp_sendrecv_all_ports($1_gpg_t)
+-	corenet_tcp_connect_all_ports($1_gpg_t)
+-	corenet_sendrecv_all_client_packets($1_gpg_t)
+-
+-	dev_read_rand($1_gpg_t)
+-	dev_read_urand($1_gpg_t)
++	typealias gpg_agent_t alias  $1_gpg_agent_t;
++	role $3 types gpg_agent_t;
+ 
+-	fs_getattr_xattr_fs($1_gpg_t)
++	typealias gpg_helper_t alias  $1_gpg_helper_t;
++	role $3 types gpg_helper_t;
+ 
+-	domain_use_interactive_fds($1_gpg_t)
++	typealias gpg_pinentry_t alias $1_gpg_pinentry_t;
++	role $3 types gpg_pinentry_t;
+ 
+-	files_read_etc_files($1_gpg_t)
+-	files_read_usr_files($1_gpg_t)
+-	files_dontaudit_search_var($1_gpg_t)
+-
+-	libs_use_shared_libs($1_gpg_t)
+-	libs_use_ld_so($1_gpg_t)
+-
+-	miscfiles_read_localization($1_gpg_t)
+-
+-	logging_send_syslog_msg($1_gpg_t)
+-
+-	sysnet_read_config($1_gpg_t)
+-
+-	userdom_use_user_terminals($1,$1_gpg_t)
+-
+-	optional_policy(`
+-		nis_use_ypbind($1_gpg_t)
++	ifelse(`$1',`user',`',`
++		typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;
++		typealias user_gpg_secret_t alias $1_gpg_secret_t;
+ 	')
+ 
+-	ifdef(`TODO',`
+-	# Read content to encrypt/decrypt/sign
+-	read_content($1_gpg_t, $1)
+-
+-	# Write content to encrypt/decrypt/sign
+-	write_trusted($1_gpg_t, $1)
+-	') dnl end TODO
+-
+-	########################################
+-	#
+-	# GPG helper local policy
+-	#
+-
+-	# for helper programs (which automatically fetch keys)
+-	# Note: this is only tested with the hkp interface. If you use eg the 
+-	# mail interface you will likely need additional permissions.
+-
+-	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+-	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+-	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
+-
+-	# communicate with the user 
+-	allow $1_gpg_helper_t $2:fd use;
+-	allow $1_gpg_helper_t $2:fifo_file write;
+-
+-	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+-
+-	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
+-	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
+-	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
+-	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
+-	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
+-	corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
+-	corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
+-	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
+-	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
+-	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
+-	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
+-	corenet_udp_bind_all_nodes($1_gpg_helper_t)
+-	corenet_tcp_connect_all_ports($1_gpg_helper_t)
+-
+-	dev_read_urand($1_gpg_helper_t)
+-
+-	files_read_etc_files($1_gpg_helper_t)
+-	# for nscd
+-	files_dontaudit_search_var($1_gpg_helper_t)
+-
+-	libs_use_ld_so($1_gpg_helper_t)
+-	libs_use_shared_libs($1_gpg_helper_t)
+-
+-	sysnet_read_config($1_gpg_helper_t)
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
+-	')
+-
+-	optional_policy(`
+-		xserver_use_xdm_fds($1_gpg_t)
+-		xserver_rw_xdm_pipes($1_gpg_t)
+-	')
+-
+-	########################################
+-	#
+-	# GPG agent local policy
+-	#
+-
+-	# rlimit: gpg-agent wants to prevent coredumps
+-	allow $1_gpg_agent_t self:process setrlimit;
++	# transition from the userdomain to the derived domain
++	domtrans_pattern($2,gpg_exec_t,gpg_t)
+ 
+-	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+-	allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
++	# Transition from the user domain to the derived domain.
++	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
+ 
+-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+-	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+-	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+-	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
++	allow $2 gpg_t:process signal_perms;
+ 
+-	# allow gpg to connect to the gpg agent
+-	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
++	# allow ps to show gpg
++	ps_process_pattern($2,gpg_t)
+ 
+ 	# allow ps to show gpg-agent
+ 	ps_process_pattern($2,$1_gpg_agent_t)
+ 
+ 	# Allow the user shell to signal the gpg-agent program.
+-	allow $2 $1_gpg_agent_t:process { signal sigkill };
+-
+-	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+-	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+-	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+-	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+-
+-	# Transition from the user domain to the derived domain.
+-	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
+-
+-	corecmd_search_bin($1_gpg_agent_t)
+-
+-	domain_use_interactive_fds($1_gpg_agent_t)
+-
+-	libs_use_ld_so($1_gpg_agent_t)
+-	libs_use_shared_libs($1_gpg_agent_t)
+-
+-	miscfiles_read_localization($1_gpg_agent_t)
++	allow $2 gpg_agent_t:process signal_perms;
+ 
++	userdom_use_user_terminals($1,gpg_t)
+ 	# Write to the user domain tty.
+-	userdom_use_user_terminals($1,$1_gpg_agent_t)
+-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+-	userdom_search_user_home_dirs($1,$1_gpg_agent_t)
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_manage_nfs_dirs($1_gpg_agent_t)
+-		fs_manage_nfs_files($1_gpg_agent_t)
+-		fs_manage_nfs_symlinks($1_gpg_agent_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_manage_cifs_dirs($1_gpg_agent_t)
+-		fs_manage_cifs_files($1_gpg_agent_t)
+-		fs_manage_cifs_symlinks($1_gpg_agent_t)
+-	')
+-
+-	##############################
+-	#
+-	# Pinentry local policy
+-	#
++	userdom_use_user_terminals($1,gpg_agent_t)
+ 
+-	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+-	allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+-
+-	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+-	# from the user.
+-	domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
+-
+-	# read /proc/meminfo
+-	kernel_read_system_state($1_gpg_pinentry_t)
+-
+-	files_read_usr_files($1_gpg_pinentry_t)
+-	# read /etc/X11/qtrc
+-	files_read_etc_files($1_gpg_pinentry_t)
+-
+-	libs_use_ld_so($1_gpg_pinentry_t)
+-	libs_use_shared_libs($1_gpg_pinentry_t)
+-
+-	miscfiles_read_fonts($1_gpg_pinentry_t)
+-	miscfiles_read_localization($1_gpg_pinentry_t)
+-
+-	# for .Xauthority
+-	userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_read_nfs_files($1_gpg_pinentry_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_read_cifs_files($1_gpg_pinentry_t)
+-	')
+-
+-	optional_policy(`
+-		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
+-	')
+-
+-	ifdef(`TODO',`
+-	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
+-
+-	# wants to put some lock files into the user home dir, seems to work fine without
+-	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
+-	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
+-		dontaudit $1_gpg_pinentry_t nfs_t:file write;
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
+-		dontaudit $1_gpg_pinentry_t cifs_t:file write;
+-	')
++	# communicate with the user 
++	allow gpg_helper_t $2:fd use;
++	allow gpg_helper_t $2:fifo_file write;
+ 
+-	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
+-	') dnl end TODO
++	manage_dirs_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
++	manage_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
++	manage_sock_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.5/policy/modules/apps/gpg.te
+--- nsaserefpolicy/policy/modules/apps/gpg.te	2007-12-19 05:32:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/gpg.te	2008-01-03 17:11:59.000000000 -0500
+@@ -7,15 +7,223 @@
+ #
+ 
+ # Type for gpg or pgp executables.
++type gpg_t;
+ type gpg_exec_t;
++application_domain(gpg_t,gpg_exec_t)
++
++type gpg_helper_t;
+ type gpg_helper_exec_t;
+-application_executable_file(gpg_exec_t)
+-application_executable_file(gpg_helper_exec_t)
++application_domain(gpg_helper_t,gpg_helper_exec_t)
+ 
+ # Type for the gpg-agent executable.
++type gpg_agent_t;
+ type gpg_agent_exec_t;
+-application_executable_file(gpg_agent_exec_t)
++application_domain(gpg_agent_t,gpg_agent_exec_t)
+ 
+ # type for the pinentry executable
++type gpg_pinentry_t;
+ type pinentry_exec_t;
+-application_executable_file(pinentry_exec_t)
++application_domain(gpg_pinentry_t,pinentry_exec_t)
++
++type user_gpg_agent_tmp_t;
++files_tmp_file(user_gpg_agent_tmp_t)
++
++type user_gpg_secret_t;
++userdom_user_home_content(user,user_gpg_secret_t)
++
++########################################
++#
++# GPG local policy
++#
++
++allow gpg_t self:capability { ipc_lock setuid };
++allow gpg_t gpg_t:process signal;
++# setrlimit is for ulimit -c 0
++allow gpg_t self:process { setrlimit setcap setpgid };
++
++allow gpg_t self:fifo_file rw_fifo_file_perms;
++allow gpg_t self:tcp_socket create_stream_socket_perms;
++
++manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
++manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
++allow gpg_t user_gpg_secret_t:dir create_dir_perms;
++userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)
++userdom_manage_user_home_content_files(user,gpg_t)
++
++# transition from the gpg domain to the helper domain
++domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t)
++
++corenet_all_recvfrom_unlabeled(gpg_t)
++corenet_all_recvfrom_netlabel(gpg_t)
++corenet_tcp_sendrecv_all_if(gpg_t)
++corenet_udp_sendrecv_all_if(gpg_t)
++corenet_tcp_sendrecv_all_nodes(gpg_t)
++corenet_udp_sendrecv_all_nodes(gpg_t)
++corenet_tcp_sendrecv_all_ports(gpg_t)
++corenet_udp_sendrecv_all_ports(gpg_t)
++corenet_tcp_connect_all_ports(gpg_t)
++corenet_sendrecv_all_client_packets(gpg_t)
++
++dev_read_rand(gpg_t)
++dev_read_urand(gpg_t)
++
++fs_getattr_xattr_fs(gpg_t)
++
++domain_use_interactive_fds(gpg_t)
++
++files_read_etc_files(gpg_t)
++files_read_usr_files(gpg_t)
++files_dontaudit_search_var(gpg_t)
++
++libs_use_shared_libs(gpg_t)
++libs_use_ld_so(gpg_t)
++
++miscfiles_read_localization(gpg_t)
++
++logging_send_syslog_msg(gpg_t)
++
++sysnet_read_config(gpg_t)
++
++optional_policy(`
++	nis_use_ypbind(gpg_t)
++')
++
++########################################
++#
++# GPG helper local policy
++#
++
++# for helper programs (which automatically fetch keys)
++# Note: this is only tested with the hkp interface. If you use eg the 
++# mail interface you will likely need additional permissions.
++
++allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
++allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
++allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
++
++dontaudit gpg_helper_t user_gpg_secret_t:file read;
++
++corenet_all_recvfrom_unlabeled(gpg_helper_t)
++corenet_all_recvfrom_netlabel(gpg_helper_t)
++corenet_tcp_sendrecv_all_if(gpg_helper_t)
++corenet_raw_sendrecv_all_if(gpg_helper_t)
++corenet_udp_sendrecv_all_if(gpg_helper_t)
++corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
++corenet_udp_sendrecv_all_nodes(gpg_helper_t)
++corenet_raw_sendrecv_all_nodes(gpg_helper_t)
++corenet_tcp_sendrecv_all_ports(gpg_helper_t)
++corenet_udp_sendrecv_all_ports(gpg_helper_t)
++corenet_tcp_bind_all_nodes(gpg_helper_t)
++corenet_udp_bind_all_nodes(gpg_helper_t)
++corenet_tcp_connect_all_ports(gpg_helper_t)
++
++dev_read_urand(gpg_helper_t)
++
++files_read_etc_files(gpg_helper_t)
++# for nscd
++files_dontaudit_search_var(gpg_helper_t)
++
++libs_use_ld_so(gpg_helper_t)
++libs_use_shared_libs(gpg_helper_t)
++
++sysnet_read_config(gpg_helper_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_dontaudit_rw_nfs_files(gpg_helper_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_dontaudit_rw_cifs_files(gpg_helper_t)
++')
++
++optional_policy(`
++	xserver_use_xdm_fds(gpg_t)
++	xserver_rw_xdm_pipes(gpg_t)
++')
++
++########################################
++#
++# GPG agent local policy
++#
++
++# rlimit: gpg-agent wants to prevent coredumps
++allow gpg_agent_t self:process setrlimit;
++
++allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
++allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
++
++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
++manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++
++# allow gpg to connect to the gpg agent
++stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t)
++
++files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir })
++
++corecmd_search_bin(gpg_agent_t)
++
++domain_use_interactive_fds(gpg_agent_t)
++
++libs_use_ld_so(gpg_agent_t)
++libs_use_shared_libs(gpg_agent_t)
++
++miscfiles_read_localization(gpg_agent_t)
++
++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
++userdom_search_user_home_dirs(user,gpg_agent_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_dirs(gpg_agent_t)
++	fs_manage_nfs_files(gpg_agent_t)
++	fs_manage_nfs_symlinks(gpg_agent_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_dirs(gpg_agent_t)
++	fs_manage_cifs_files(gpg_agent_t)
++	fs_manage_cifs_symlinks(gpg_agent_t)
++')
++
++##############################
++#
++# Pinentry local policy
++#
++
++allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
++allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
++
++# we need to allow gpg-agent to call pinentry so it can get the passphrase 
++# from the user.
++domtrans_pattern(gpg_agent_t,pinentry_exec_t,gpg_pinentry_t)
++
++# read /proc/meminfo
++kernel_read_system_state(gpg_pinentry_t)
++
++files_read_usr_files(gpg_pinentry_t)
++# read /etc/X11/qtrc
++files_read_etc_files(gpg_pinentry_t)
++
++libs_use_ld_so(gpg_pinentry_t)
++libs_use_shared_libs(gpg_pinentry_t)
++
++miscfiles_read_fonts(gpg_pinentry_t)
++miscfiles_read_localization(gpg_pinentry_t)
++
++# for .Xauthority
++userdom_read_user_home_content_files(user,gpg_pinentry_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_read_nfs_files(gpg_pinentry_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_read_cifs_files(gpg_pinentry_t)
++')
++
++optional_policy(`
++	xserver_stream_connect_xdm_xserver(gpg_pinentry_t)
++')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.5/policy/modules/apps/irc.fc
 --- nsaserefpolicy/policy/modules/apps/irc.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/apps/irc.fc	2007-12-19 05:38:08.000000000 -0500
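Review bot: Replacing the per-role `$1_gpg_*` types with a single `gpg_t`/`gpg_agent_t`/`gpg_helper_t`/`gpg_pinentry_t` and one `user_gpg_secret_t` (the other roles become typealiases) removes the type separation the old template gave between roles: a gpg or gpg-agent process started under any role can now manage every keyring labeled `user_gpg_secret_t`, with only DAC and MCS/MLS left to separate users' `~/.gnupg`, and gpg.te should state that trade-off in a comment next to the `user_gpg_secret_t` declaration. Separately, `userdom_manage_user_home_content_files(user,gpg_t)` in gpg.te is a new grant the old template never had — manage on all user home content rather than only `user_gpg_secret_t` — and `allow $2 gpg_t:process signal_perms;` / `allow $2 gpg_agent_t:process signal_perms;` in gpg.if widen the old `signal` and `{ signal sigkill }` to the full signal set; each needs a why-comment or a narrowing back to what the old template granted. The gpg.if template also still names `$1_gpg_agent_t` in the agent `domtrans_pattern` and `ps_process_pattern` calls while every other surviving line uses `gpg_agent_t`; using `gpg_agent_t` there keeps the template consistent.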
@@ -2437,7 +3027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  # /bin
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if	2007-12-26 18:15:18.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if	2008-01-03 17:10:37.000000000 -0500
 @@ -35,7 +35,10 @@
  template(`mozilla_per_role_template',`
  	gen_require(`
@@ -2763,14 +3353,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 -		dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
 +#		dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
 +#		dbus_connectto_user_bus($1,$1_mozilla_t)
- 	')
- 
- 	optional_policy(`
-+		gnome_exec_gconf($1_mozilla_t)
-+		gnome_manage_user_gnome_config($1,$1_mozilla_t)
 +	')
 +
 +	optional_policy(`
++		gnome_exec_gconf($1_mozilla_t)
++		gnome_manage_user_gnome_config($1,$1_mozilla_t)
+ 	')
+ 
+ 	optional_policy(`
 +		gnome_domtrans_user_gconf($1,$1_mozilla_t)
  		gnome_stream_connect_gconf_template($1,$1_mozilla_t)
  	')
@@ -2781,7 +3371,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	')
  
  	optional_policy(`
-@@ -382,25 +318,6 @@
+@@ -370,6 +306,10 @@
+ 	')
+ 
+ 	optional_policy(`
++		nsplugin_per_role_template($1, $1_mozilla_t, $1_r)
++	')
++
++	optional_policy(`
+ 		mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
+ 		mplayer_read_user_home_files($1, $1_mozilla_t)
+ 	')
+@@ -382,25 +322,6 @@
  		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
  	')
  
@@ -2807,7 +3408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -430,11 +347,11 @@
+@@ -430,11 +351,11 @@
  #
  template(`mozilla_read_user_home_files',`
  	gen_require(`
@@ -2822,7 +3423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -464,11 +381,11 @@
+@@ -464,11 +385,11 @@
  #
  template(`mozilla_write_user_home_files',`
  	gen_require(`
@@ -2837,7 +3438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -573,3 +490,27 @@
+@@ -573,3 +494,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -2991,35 +3592,302 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
 +type user_mplayer_home_t alias user_mplayer_rw_t;
 +userdom_user_home_content(user,user_mplayer_home_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
---- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/screen.fc	2007-12-19 05:38:08.000000000 -0500
-@@ -1,7 +1,7 @@
- #
- # /home
- #
--HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
-+HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:user_screen_ro_home_t,s0)
- 
- #
- # /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.5/policy/modules/apps/screen.if
---- nsaserefpolicy/policy/modules/apps/screen.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/screen.if	2007-12-19 05:38:08.000000000 -0500
-@@ -50,8 +50,9 @@
- 	type $1_screen_tmp_t;
- 	files_tmp_file($1_screen_tmp_t)
- 
--	type $1_screen_ro_home_t;
--	files_type($1_screen_ro_home_t)
-+	ifelse(`$1',`user',`',`
-+		typealias user_screen_ro_home_t alias $1_screen_ro_home_t;
-+	')
- 
- 	type $1_screen_var_run_t;
- 	files_pid_file($1_screen_var_run_t)
-@@ -81,9 +82,9 @@
- 	filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc
+--- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc	2008-01-03 15:47:01.000000000 -0500
+@@ -0,0 +1,3 @@
++
++/usr/lib/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
++/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
+--- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-03 17:03:53.000000000 -0500
+@@ -0,0 +1,205 @@
++
++## <summary>policy for nsplugin</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run nsplugin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`nsplugin_domtrans',`
++	gen_require(`
++		type nsplugin_t;
++                type nsplugin_exec_t;
++	')
++
++	domtrans_pattern($1,nsplugin_exec_t,nsplugin_t)
++')
++
++
++########################################
++## <summary>
++##	Search nsplugin rw directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_search_rw_dir',`
++	gen_require(`
++		type nsplugin_rw_t;
++	')
++
++	allow $1 nsplugin_rw_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Read nsplugin rw files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_read_rw_files',`
++	gen_require(`
++		type nsplugin_rw_t;
++	')
++
++	read_fils_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	nsplugin rw files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_manage_rw_files',`
++	gen_require(`
++		type nsplugin_rw_t;
++	')
++
++	allow $1 nsplugin_rw_t:file manage_file_perms;
++	allow $1 nsplugin_rw_t:dir rw_dir_perms;
++')
++
++########################################
++## <summary>
++##	Manage nsplugin rw files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_manage_rw',`
++	gen_require(`
++		type nsplugin_rw_t;
++	')
++
++         manage_dirs_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
++         manage_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
++         manage_lnk_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
++')
++
++
++########################################
++## <summary>
++##	Execute nsplugin in the nsplugin domain, and
++##	allow the specified role the nsplugin domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the nsplugin domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the role's terminal.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_run',`
++	gen_require(`
++		type nsplugin_t;
++	')
++
++	nsplugin_domtrans($1)
++	role $2 types nsplugin_t;
++	dontaudit nsplugin_t $3:chr_file rw_term_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an nsplugin environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the syslog domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`nsplugin_admin',`
++	gen_require(`
++		type nsplugin_t;
++	')
++
++	allow $1 nsplugin_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, nsplugin_t, nsplugin_t)
++	nsplugin_manage_rw($1)
++
++')
++
++#######################################
++## <summary>
++##	The per role template for the nsplugin module.
++## </summary>
++## <desc>
++##	<p>
++##	This template creates a derived domains which are used
++##	for nsplugin web browser.
++##	</p>
++##	<p>
++##	This template is invoked automatically for each user, and
++##	generally does not need to be invoked directly
++##	by policy writers.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++## <param name="user_role">
++##	<summary>
++##	The role associated with the user domain.
++##	</summary>
++## </param>
++#
++template(`nsplugin_per_role_template',`
++	gen_require(`
++		type nsplugin_t;
++	')
++	nsplugin_domtrans($2)
++	role $3 types nsplugin_t;
++	nsplugin_read_rw_files($2)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
+--- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-03 15:49:43.000000000 -0500
+@@ -0,0 +1,47 @@
++policy_module(nsplugin,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type nsplugin_t;
++type nsplugin_exec_t;
++application_domain(nsplugin_t, nsplugin_exec_t)
++role system_r types nsplugin_t;
++
++
++type nsplugin_rw_t;
++files_type(nsplugin_rw_t)
++
++########################################
++#
++# nsplugin local policy
++#
++
++## internal communication is often done using fifo and unix sockets.
++allow nsplugin_t self:capability { setuid setgid };
++allow nsplugin_t self:fifo_file rw_file_perms;
++allow nsplugin_t self:unix_stream_socket create_stream_socket_perms;
++
++can_exec(nsplugin_t, nsplugin_rw_t)
++manage_dirs_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
++
++corecmd_exec_bin(nsplugin_t)
++corecmd_exec_shell(nsplugin_t)
++
++kernel_read_system_state(nsplugin_t)
++
++files_read_etc_files(nsplugin_t)
++files_dontaudit_search_home(nsplugin_t)
++
++libs_use_ld_so(nsplugin_t)
++libs_use_shared_libs(nsplugin_t)
++
++miscfiles_read_localization(nsplugin_t)
++
++userdom_dontaudit_search_all_users_home_content(nsplugin_t)
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
+--- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/apps/screen.fc	2007-12-19 05:38:08.000000000 -0500
+@@ -1,7 +1,7 @@
+ #
+ # /home
+ #
+-HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
++HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:user_screen_ro_home_t,s0)
+ 
+ #
+ # /usr
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.5/policy/modules/apps/screen.if
+--- nsaserefpolicy/policy/modules/apps/screen.if	2007-07-23 10:20:12.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/apps/screen.if	2007-12-19 05:38:08.000000000 -0500
+@@ -50,8 +50,9 @@
+ 	type $1_screen_tmp_t;
+ 	files_tmp_file($1_screen_tmp_t)
+ 
+-	type $1_screen_ro_home_t;
+-	files_type($1_screen_ro_home_t)
++	ifelse(`$1',`user',`',`
++		typealias user_screen_ro_home_t alias $1_screen_ro_home_t;
++	')
+ 
+ 	type $1_screen_var_run_t;
+ 	files_pid_file($1_screen_var_run_t)
+@@ -81,9 +82,9 @@
+ 	filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
  	files_pid_filetrans($1_screen_t,screen_dir_t,dir)
  
 -	allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
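Review bot: `read_fils_pattern($1, nsplugin_rw_t, nsplugin_rw_t)` in nsplugin_read_rw_files (nsplugin.if) is not a refpolicy pattern macro — nsplugin_admin in the same file spells it `read_files_pattern` — so the call stays unexpanded and the module fails to compile as soon as nsplugin_per_role_template, which invokes it, is instantiated; change it to `read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)`. In nsplugin.te, nsplugin_t receives `setuid setgid` capabilities together with both `can_exec(nsplugin_t, nsplugin_rw_t)` and the manage_*_pattern rules on nsplugin_rw_t, so the one domain may create content under /usr/lib/mozilla/plugins-wrapped and then execute it; if the wrapper only needs to run already-installed wrapped plugins, exec plus read on nsplugin_rw_t (leaving management to nsplugin_admin) is the tighter grant, and the reason the two capabilities are required deserves a comment next to that allow rule. nsplugin.fc labels only plugin-config as nsplugin_exec_t while the corecommands.fc hunk later in this patch labels npviewer and npviewer.bin as bin_t, so it is not clear from the patch which process is meant to run in nsplugin_t; a header comment in nsplugin.te naming the intended entry point would settle that. The gen_require in nsplugin_domtrans and the body of nsplugin_manage_rw are indented with spaces while the rest of the file uses tabs.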
@@ -3061,6 +3929,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.t
 +type user_screen_ro_home_t;
 +userdom_user_home_content(user,user_screen_ro_home_t)
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.2.5/policy/modules/apps/slocate.te
+--- nsaserefpolicy/policy/modules/apps/slocate.te	2007-10-02 09:54:50.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/apps/slocate.te	2008-01-03 10:04:21.000000000 -0500
+@@ -39,6 +39,7 @@
+ 
+ files_list_all(locate_t)
+ files_getattr_all_files(locate_t)
++files_getattr_all_pipes(locate_t)
+ files_getattr_all_sockets(locate_t)
+ files_read_etc_runtime_files(locate_t)
+ files_read_etc_files(locate_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.5/policy/modules/apps/thunderbird.fc
 --- nsaserefpolicy/policy/modules/apps/thunderbird.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/apps/thunderbird.fc	2007-12-19 05:38:08.000000000 -0500
@@ -3463,7 +4342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2007-12-31 11:50:26.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2008-01-03 14:26:07.000000000 -0500
 @@ -7,6 +7,7 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -3508,6 +4387,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
+@@ -284,3 +291,6 @@
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
+ ')
++/usr/lib/nspluginwrapper/npconfig	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/npviewer	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/npviewer.bin	gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.5/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.if	2007-12-19 05:38:08.000000000 -0500
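Review bot: The three nspluginwrapper entries appended to corecommands.fc omit the file-type field that the neighbouring entries carry (compare `/usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)` in the same hunk), so each regex labels any object at that path rather than only the regular file; `/usr/lib/nspluginwrapper/npconfig	--	gen_context(system_u:object_r:bin_t,s0)` (and likewise for npviewer and npviewer.bin) is the usual form. They also match only /usr/lib, as does nsplugin.fc elsewhere in this patch; if the file already uses `/usr/lib(64)?/` for multilib paths, these should follow that so lib64 installs get the same labels. Appending them after the `ifdef(`distro_suse'` block rather than alongside the other /usr/lib entries is harmless but makes them easy to miss when the file is next reorganised.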
@@ -3566,7 +4452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.5/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/devices.if	2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/devices.if	2008-01-02 13:28:34.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -9169,20 +10055,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/procmail.te	2007-12-26 18:16:54.000000000 -0500
-@@ -129,7 +129,12 @@
++++ serefpolicy-3.2.5/policy/modules/services/procmail.te	2008-01-03 10:56:43.000000000 -0500
+@@ -129,7 +129,9 @@
  	corenet_udp_bind_generic_port(procmail_t)
  	corenet_dontaudit_udp_bind_all_ports(procmail_t)
  
-+	spamassassin_read_user_home_files(procmail_t)
- 	spamassassin_exec(procmail_t)
- 	spamassassin_exec_client(procmail_t)
- 	spamassassin_read_lib_files(procmail_t)
- ')
+-	spamassassin_exec(procmail_t)
+-	spamassassin_exec_client(procmail_t)
+-	spamassassin_read_lib_files(procmail_t)
++	spamassassin_domtrans(procmail_t)
++')
 +
 +optional_policy(`
 +	mailscanner_read_spool(procmail_t)
-+')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc	2007-12-19 05:38:09.000000000 -0500
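Review bot: Replacing `spamassassin_exec(procmail_t)` and `spamassassin_exec_client(procmail_t)` with only `spamassassin_domtrans(procmail_t)` covers the spamassassin binary but leaves procmail_t with no rule for spamc, so recipes that pipe mail through spamc would now be denied; if that path is still supported, add `spamassassin_domtrans_spamc(procmail_t)` beside it (the interface is introduced by this same patch in spamassassin.if). The transition also requires spamassassin_t to be valid for system_r, which none of the visible hunks show — worth confirming against spamassassin.te. Dropping `spamassassin_read_lib_files(procmail_t)` is only safe if nothing executed in procmail_t itself still reads the spamassassin lib files, which this hunk cannot tell us.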
@@ -10457,85 +11343,251 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if	2007-12-30 10:11:43.000000000 -0500
-@@ -38,6 +38,8 @@
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if	2008-01-03 12:06:11.000000000 -0500
+@@ -37,7 +37,9 @@
+ 
  	gen_require(`
  		type spamc_exec_t, spamassassin_exec_t;
- 		type spamd_t, spamd_tmp_t;
+-		type spamd_t, spamd_tmp_t;
++		type spamc_t, spamd_t, spamd_tmp_t;
 +		type user_spamassissin_home_t, user_spamassissin_tmp_t;
 +		type user_spamc_tmp_t;
  	')
  
  	##############################
-@@ -49,19 +51,15 @@
- 	application_domain($1_spamc_t,spamc_exec_t)
- 	role $3 types $1_spamc_t;
+@@ -45,278 +47,28 @@
+ 	# Declarations
+ 	#
  
+-	type $1_spamc_t;
+-	application_domain($1_spamc_t,spamc_exec_t)
+-	role $3 types $1_spamc_t;
+-
 -	type $1_spamc_tmp_t;
 -	files_tmp_file($1_spamc_tmp_t)
 -
- 	type $1_spamassassin_t;
- 	application_domain($1_spamassassin_t,spamassassin_exec_t)
- 	role $3 types $1_spamassassin_t;
- 
+-	type $1_spamassassin_t;
+-	application_domain($1_spamassassin_t,spamassassin_exec_t)
+-	role $3 types $1_spamassassin_t;
+-
 -	type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
 -	userdom_user_home_content($1,$1_spamassassin_home_t)
 -	files_poly_member($1_spamassassin_home_t)
--
++	typealias  spamc_t alias $1_spamc_t;
++	role $3 types spamc_t;
+ 
 -	type $1_spamassassin_tmp_t;
 -	files_tmp_file($1_spamassassin_tmp_t)
-+	ifelse(`$1',`user',`',`
-+		typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
-+		typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
-+		typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
-+	')
- 
- 	##############################
- 	#
-@@ -83,9 +81,9 @@
- 	allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
- 	allow $1_spamc_t self:udp_socket create_socket_perms;
++	typealias  spamassassin_t alias $1_spamassassin_t;
++	role $3 types spamassassin_t;
  
+-	##############################
+-	#
+-	# $1_spamc_t local policy
+-	#
+-
+-	allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-	allow $1_spamc_t self:fd use;
+-	allow $1_spamc_t self:fifo_file rw_fifo_file_perms;
+-	allow $1_spamc_t self:sock_file read_sock_file_perms;
+-	allow $1_spamc_t self:shm create_shm_perms;
+-	allow $1_spamc_t self:sem create_sem_perms;
+-	allow $1_spamc_t self:msgq create_msgq_perms;
+-	allow $1_spamc_t self:msg { send receive };
+-	allow $1_spamc_t self:unix_dgram_socket create_socket_perms;
+-	allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms;
+-	allow $1_spamc_t self:unix_dgram_socket sendto;
+-	allow $1_spamc_t self:unix_stream_socket connectto;
+-	allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
+-	allow $1_spamc_t self:udp_socket create_socket_perms;
+-
 -	manage_dirs_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t)
 -	manage_files_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t)
 -	files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
-+	manage_dirs_pattern($1_spamc_t,user_spamc_tmp_t,user_spamc_tmp_t)
-+	manage_files_pattern($1_spamc_t,user_spamc_tmp_t,user_spamc_tmp_t)
-+	files_tmp_filetrans($1_spamc_t, user_spamc_tmp_t, { file dir })
- 
- 	# Allow connecting to a local spamd
- 	allow $1_spamc_t spamd_t:unix_stream_socket connectto;
-@@ -186,32 +184,32 @@
- 	allow $1_spamassassin_t self:msgq create_msgq_perms;
- 	allow $1_spamassassin_t self:msg { send receive };
- 
--	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
 -
--	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
--	manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
--	files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
+-	# Allow connecting to a local spamd
+-	allow $1_spamc_t spamd_t:unix_stream_socket connectto;
+-	allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
 -
--	manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
-+	manage_dirs_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_lnk_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_fifo_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_sock_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	userdom_user_home_dir_filetrans($1,$1_spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
-+
-+	manage_dirs_pattern($1_spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t)
-+	manage_files_pattern($1_spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t)
-+	files_tmp_filetrans($1_spamassassin_t, user_spamassassin_tmp_t, { file dir })
+-	domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
+-
+-	kernel_read_kernel_sysctls($1_spamc_t)
+-
+-	corenet_all_recvfrom_unlabeled($1_spamc_t)
+-	corenet_all_recvfrom_netlabel($1_spamc_t)
+-	corenet_tcp_sendrecv_generic_if($1_spamc_t)
+-	corenet_udp_sendrecv_generic_if($1_spamc_t)
+-	corenet_tcp_sendrecv_all_nodes($1_spamc_t)
+-	corenet_udp_sendrecv_all_nodes($1_spamc_t)
+-	corenet_tcp_sendrecv_all_ports($1_spamc_t)
+-	corenet_udp_sendrecv_all_ports($1_spamc_t)
+-	corenet_tcp_connect_all_ports($1_spamc_t)
+-	corenet_sendrecv_all_client_packets($1_spamc_t)
+-
+-	fs_search_auto_mountpoints($1_spamc_t)
+-
+-	# cjp: these should probably be removed:
+-	corecmd_list_bin($1_spamc_t)
+-	corecmd_read_bin_symlinks($1_spamc_t)
+-	corecmd_read_bin_files($1_spamc_t)
+-	corecmd_read_bin_pipes($1_spamc_t)
+-	corecmd_read_bin_sockets($1_spamc_t)
+-
+-	domain_use_interactive_fds($1_spamc_t)
+-
+-	files_read_etc_files($1_spamc_t)
+-	files_read_etc_runtime_files($1_spamc_t)
+-	files_read_usr_files($1_spamc_t)
+-	files_dontaudit_search_var($1_spamc_t)
+-	# cjp: this may be removable:
+-	files_list_home($1_spamc_t)
+-
+-	libs_use_ld_so($1_spamc_t)
+-	libs_use_shared_libs($1_spamc_t)
+-
+-	logging_send_syslog_msg($1_spamc_t)
+-
+-	miscfiles_read_localization($1_spamc_t)
+-
+-	# cjp: this should probably be removed:
+-	seutil_read_config($1_spamc_t)
+-
+-	sysnet_read_config($1_spamc_t)
+-
+-	userdom_use_unpriv_users_fds($1_spamc_t)
+-	# cjp: this really should just be the
+-	# terminal specific to the role
+-	userdom_use_unpriv_users_ptys($1_spamc_t)
+-
+-	# cjp: this should probably be removed:
+-	tunable_policy(`read_default_t',`
+-		files_list_default($1_spamc_t)
+-		files_read_default_files($1_spamc_t)
+-		files_read_default_symlinks($1_spamc_t)
+-		files_read_default_sockets($1_spamc_t)
+-		files_read_default_pipes($1_spamc_t)
+-	')
+-
+-	optional_policy(`
+-		# Allow connection to spamd socket above
+-		evolution_stream_connect($1,$1_spamc_t)
+-	')
+-
+-	optional_policy(`
+-		nis_use_ypbind($1_spamc_t)
+-	')
+-
+-	optional_policy(`
+-		nscd_socket_use($1_spamc_t)
+-	')
+-
+-	optional_policy(`
+-		mta_read_config($1_spamc_t)
+-		sendmail_stub($1_spamc_t)
+-	')
+-
+-	##############################
+-	#
+-	# $1_spamassassin_t local policy
+-	#
+-
+-	allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-	allow $1_spamassassin_t self:fd use;
+-	allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms;
+-	allow $1_spamassassin_t self:sock_file read_sock_file_perms;
+-	allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
+-	allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+-	allow $1_spamassassin_t self:unix_dgram_socket sendto;
+-	allow $1_spamassassin_t self:unix_stream_socket connectto;
+-	allow $1_spamassassin_t self:shm create_shm_perms;
+-	allow $1_spamassassin_t self:sem create_sem_perms;
+-	allow $1_spamassassin_t self:msgq create_msgq_perms;
+-	allow $1_spamassassin_t self:msg { send receive };
+-
+-	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+-
+-	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
+-	manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
+-	files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
+-
+-	manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-
+-	domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
+-
+-	manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+-	userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+-
+-	kernel_read_kernel_sysctls($1_spamassassin_t)
+-
+-	dev_read_urand($1_spamassassin_t)
+-
+-	fs_search_auto_mountpoints($1_spamassassin_t)
+-
+-	# this should probably be removed
+-	corecmd_list_bin($1_spamassassin_t)
+-	corecmd_read_bin_symlinks($1_spamassassin_t)
+-	corecmd_read_bin_files($1_spamassassin_t)
+-	corecmd_read_bin_pipes($1_spamassassin_t)
+-	corecmd_read_bin_sockets($1_spamassassin_t)
+-
+-	domain_use_interactive_fds($1_spamassassin_t)
+-
+-	files_read_etc_files($1_spamassassin_t)
+-	files_read_etc_runtime_files($1_spamassassin_t)
+-	files_list_home($1_spamassassin_t)
+-	files_read_usr_files($1_spamassassin_t)
+-	files_dontaudit_search_var($1_spamassassin_t)
+-
+-	libs_use_ld_so($1_spamassassin_t)
+-	libs_use_shared_libs($1_spamassassin_t)
+-
+-	logging_send_syslog_msg($1_spamassassin_t)
+-
+-	miscfiles_read_localization($1_spamassassin_t)
+-
+-	# cjp: this could probably be removed
+-	seutil_read_config($1_spamassassin_t)
+-
+-	sysnet_dns_name_resolve($1_spamassassin_t)
+-
+-	userdom_use_unpriv_users_fds($1_spamassassin_t)
+-	userdom_search_user_home_dirs($1,$1_spamassassin_t)
+-	# cjp: this really should just be the
+-	# terminal specific to the role
+-	userdom_use_unpriv_users_ptys($1_spamassassin_t)
+-
+-	# this should probably be removed:
+-	tunable_policy(`read_default_t',`
+-		files_list_default($1_spamassassin_t)
+-		files_read_default_files($1_spamassassin_t)
+-		files_read_default_symlinks($1_spamassassin_t)
+-		files_read_default_sockets($1_spamassassin_t)
+-		files_read_default_pipes($1_spamassassin_t)
+-	')
+-
+-	# set tunable if you have spamassassin do DNS lookups
+-	tunable_policy(`spamassassin_can_network',`
+-		allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
+-		allow $1_spamassassin_t self:udp_socket create_socket_perms;
++	ifelse(`$1',`user',`',`
++		typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
++		typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
++		typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
++	')
 +
 +	manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
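Review bot: The gen_require at the top of the per-role template (whose `template(` line lies outside this hunk) still names `type user_spamassissin_home_t, user_spamassissin_tmp_t;` while every new rule below uses `user_spamassassin_home_t` and `user_spamassassin_tmp_t`; unless both spellings are declared in spamassassin.te, which is not visible here, the require fails and the template cannot be instantiated, so the line should read `type user_spamassassin_home_t, user_spamassassin_tmp_t;`. Collapsing `$1_spamc_t` and `$1_spamassassin_t` into the single `spamc_t` / `spamassassin_t` through `typealias` means every role that instantiates the template now shares one process domain and one home type, so staff and unprivileged users' spamassassin processes are no longer separated by type; that is a defensible trade-off but it deserves a comment at the typealias lines stating it, and the `role $3 types spamc_t;` / `role $3 types spamassassin_t;` rules should be checked so only roles that actually run the tools are associated. The large local-policy block removed from the template presumably moved to spamassassin.te; a one-line comment in the template saying where the domain rules now live would spare readers of the .if file the search.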
@@ -10544,27 +11596,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +	relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
  
- 	domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
- 
--	manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
--	userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
-+	manage_dirs_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_lnk_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_fifo_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	manage_sock_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
-+	userdom_user_home_dir_filetrans($1,spamd_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
- 
- 	kernel_read_kernel_sysctls($1_spamassassin_t)
- 
-@@ -407,6 +405,40 @@
+-		corenet_all_recvfrom_unlabeled($1_spamassassin_t)
+-		corenet_all_recvfrom_netlabel($1_spamassassin_t)
+-		corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
+-		corenet_udp_sendrecv_generic_if($1_spamassassin_t)
+-		corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
+-		corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
+-		corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
+-		corenet_udp_sendrecv_all_ports($1_spamassassin_t)
+-		corenet_tcp_connect_all_ports($1_spamassassin_t)
+-		corenet_sendrecv_all_client_packets($1_spamassassin_t)
++	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
++	domtrans_pattern($2, spamc_exec_t, spamc_t)
+ 
+-		sysnet_read_config($1_spamassassin_t)
+-	')
+-
+-	tunable_policy(`spamd_enable_home_dirs',`
+-		userdom_manage_user_home_content_dirs($1,spamd_t)
+-		userdom_manage_user_home_content_files($1,spamd_t)
+-		userdom_manage_user_home_content_symlinks($1,spamd_t)
+-	')
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_manage_nfs_dirs($1_spamassassin_t)
+-		fs_manage_nfs_files($1_spamassassin_t)
+-		fs_manage_nfs_symlinks($1_spamassassin_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_manage_cifs_dirs($1_spamassassin_t)
+-		fs_manage_cifs_files($1_spamassassin_t)
+-		fs_manage_cifs_symlinks($1_spamassassin_t)
+-	')
+-
+-	optional_policy(`
+-		# Write pid file and socket in ~/.evolution/cache/tmp
+-		evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
+-	')
+-
+-	optional_policy(`
+-		# cjp: clearly some redundancy here
+-
+-		nis_use_ypbind($1_spamassassin_t)
+-
+-		tunable_policy(`spamassassin_can_network && allow_ypbind',`
+-			nis_use_ypbind_uncond($1_spamassassin_t)
+-		')
+-	')
+-
+-	optional_policy(`
+-		mta_read_config($1_spamassassin_t)
+-		sendmail_stub($1_spamassassin_t)
+-	')
+ ')
  
  ########################################
- ## <summary>
+@@ -398,11 +150,65 @@
+ ## </param>
+ #
+ template(`spamassassin_domtrans_user_client',`
++	spamassassin_domtrans_spamc($2)
++')
++
++########################################
++## <summary>
++##      Execute spamassassin client in the spamassassin client domain.
++## </summary>
++## <desc>
++##	<p>
++##	This is a template and should only be called 
++##	from per user domain tempaltes.
++##	</p>
++## </desc>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`spamassassin_domtrans_spamc',`
+ 	gen_require(`
+-		type $1_spamc_t, spamc_exec_t;
++		type spamc_t, spamc_exec_t;
+ 	')
+ 
+-	domtrans_pattern($2,spamc_exec_t,$1_spamc_t)
++	domtrans_pattern($1,spamc_exec_t,spamc_t)
++')
++
++########################################
++## <summary>
 +##	Read spamassassin per user homedir
 +## </summary>
 +## <desc>
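Review bot: `spamassassin_domtrans_spamc` here and `spamassassin_domtrans` in the next hunk (starting at `@@ -446,11 +252,31 @@`) are declared with `interface(` yet their `<desc>` says "This is a template and should only be called from per user domain tempaltes"; now that each takes a single domain parameter and references the global spamc_t / spamassassin_t, the desc should be removed or rewritten, e.g. `##	Execute spamc in the spamc domain.`, and the "tempaltes" typo fixed. The surviving `template(`spamassassin_domtrans_user_client'` now ignores its `$1` prefix and simply forwards `$2`; a short `<desc>` noting that the template is retained for compatibility with existing callers would explain why the prefix parameter is still accepted. The same applies to `spamassassin_domtrans_user_local_client` in the next hunk.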
@@ -10595,14 +11717,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +
 +	allow $1 user_spamassassin_home_t:dir list_dir_perms;
 +	allow $1 user_spamassassin_home_t:file read_file_perms;
+ ')
+ 
+ ########################################
+@@ -446,11 +252,31 @@
+ ## </param>
+ #
+ template(`spamassassin_domtrans_user_local_client',`
++	spamassassin_domtrans($2)
 +')
 +
 +########################################
 +## <summary>
- ##	Execute the spamassassin client
- ##	program in the caller directory.
- ## </summary>
-@@ -469,6 +501,7 @@
++##      Execute spamassassin in the user spamassassin domain.
++## </summary>
++## <desc>
++##	<p>
++##	This is a template and should only be called 
++##	from per user domain tempaltes.
++##	</p>
++## </desc>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`spamassassin_domtrans',`
+ 	gen_require(`
+-		type $1_spamassassin_t, spamassassin_exec_t;
++		type spamassassin_t, spamassassin_exec_t;
+ 	')
+ 
+-	domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t)
++	domtrans_pattern($1,spamassassin_exec_t,spamassassin_t)
+ ')
+ 
+ ########################################
+@@ -469,6 +295,7 @@
  	')
  
  	files_search_var_lib($1)
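Review bot: The `<desc>` paragraph added above `spamassassin_domtrans` ("This is a template and should only be called from per user domain tempaltes") contradicts the declaration right below it, which is now `interface(` with a single `domain` parameter rather than a per-user template. Either drop the `<desc>` block or reword it to state what the interface does, e.g. `## Transition the calling domain to spamassassin_t when it executes spamassassin_exec_t.`, and fix the "tempaltes" typo; the same paragraph was copied above `spamassassin_domtrans_spamc` in the preceding hunk and needs the same correction. The retained `spamassassin_domtrans_user_client` template now ignores `$1` and only forwards `$2`; a one-line comment saying it is kept for backward compatibility would tell readers that the unused parameter is deliberate.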
@@ -10610,7 +11762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
  ')
  
-@@ -528,3 +561,22 @@
+@@ -528,3 +355,22 @@
  
  	dontaudit $1 spamd_tmp_t:sock_file getattr;
  ')
@@ -10635,11 +11787,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te	2007-12-19 05:38:09.000000000 -0500
-@@ -44,6 +44,15 @@
- type spamassassin_exec_t;
- application_executable_file(spamassassin_exec_t)
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te	2008-01-03 12:54:53.000000000 -0500
+@@ -21,8 +21,9 @@
+ gen_tunable(spamd_enable_home_dirs,true)
+ 
+ # spamassassin client executable
++type spamc_t;
+ type spamc_exec_t;
+-application_executable_file(spamc_exec_t)
++application_domain(spamc_t,spamc_exec_t)
+ 
+ type spamd_t;
+ type spamd_exec_t;
+@@ -42,7 +43,17 @@
+ files_pid_file(spamd_var_run_t)
  
+ type spamassassin_exec_t;
+-application_executable_file(spamassassin_exec_t)
++type spamassassin_t;
++application_domain(spamassassin_t,spamassassin_exec_t)
++
 +type user_spamassassin_home_t;
 +userdom_user_home_content(user,user_spamassassin_home_t)
 +
@@ -10648,11 +11815,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +
 +type user_spamc_tmp_t;
 +files_tmp_file(user_spamc_tmp_t)
-+
+ 
  ########################################
  #
- # Spamassassin daemon local policy
-@@ -81,10 +90,11 @@
+@@ -81,10 +92,11 @@
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -10665,9 +11831,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
  
  kernel_read_all_sysctls(spamd_t)
-@@ -150,10 +160,12 @@
+@@ -149,11 +161,31 @@
+ userdom_search_unpriv_users_home_dirs(spamd_t)
  userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
  
++manage_dirs_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_lnk_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_fifo_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_sock_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
++userdom_user_home_dir_filetrans(user,spamd_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
++
++optional_policy(`
++	# Write pid file and socket in ~/.evolution/cache/tmp
++	evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file })
++')
++
++tunable_policy(`spamd_enable_home_dirs',`
++	userdom_manage_user_home_content_dirs(user,spamd_t)
++	userdom_manage_user_home_content_files(user,spamd_t)
++	userdom_manage_user_home_content_symlinks(user,spamd_t)
++')
++
  tunable_policy(`use_nfs_home_dirs',`
 +	fs_manage_nfs_dirs(spamd_t)
  	fs_manage_nfs_files(spamd_t)
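Review bot: The new `tunable_policy(`spamd_enable_home_dirs',...)` block grants spamd_t manage rights on all generic user home dirs, files and symlinks, which is far broader than the dedicated `user_spamassassin_home_t` type this same hunk introduces a few lines above, and the tunable is declared with a default of `true` in the earlier hunk (`gen_tunable(spamd_enable_home_dirs,true)`). If the point of labelling spamd's per-user content is to confine the daemon's writes to that type, the broad block should either default off or have its `<desc>` state plainly that it covers the whole home directory; as it stands the labelled type adds no confinement on a default build. A comment such as `# broad fallback: the labelled user_spamassassin_home_t content is already covered by the manage_*_pattern rules above` would make the relationship between the two explicit.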
@@ -10678,7 +11863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -171,6 +183,7 @@
+@@ -171,6 +203,7 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -10686,6 +11871,213 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
+@@ -212,3 +245,206 @@
+ optional_policy(`
+ 	udev_read_db(spamd_t)
+ ')
++
++##############################
++#
++# spamassassin_t local policy
++#
++
++allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow spamassassin_t self:fd use;
++allow spamassassin_t self:fifo_file rw_fifo_file_perms;
++allow spamassassin_t self:sock_file read_sock_file_perms;
++allow spamassassin_t self:unix_dgram_socket create_socket_perms;
++allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
++allow spamassassin_t self:unix_dgram_socket sendto;
++allow spamassassin_t self:unix_stream_socket connectto;
++allow spamassassin_t self:shm create_shm_perms;
++allow spamassassin_t self:sem create_sem_perms;
++allow spamassassin_t self:msgq create_msgq_perms;
++allow spamassassin_t self:msg { send receive };
++
++manage_dirs_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_lnk_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_fifo_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
++manage_sock_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
++userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
++
++manage_dirs_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t)
++manage_files_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t)
++files_tmp_filetrans(spamassassin_t, user_spamassassin_tmp_t, { file dir })
++
++kernel_read_kernel_sysctls(spamassassin_t)
++
++dev_read_urand(spamassassin_t)
++
++fs_search_auto_mountpoints(spamassassin_t)
++
++# this should probably be removed
++corecmd_list_bin(spamassassin_t)
++corecmd_read_bin_symlinks(spamassassin_t)
++corecmd_read_bin_files(spamassassin_t)
++corecmd_read_bin_pipes(spamassassin_t)
++corecmd_read_bin_sockets(spamassassin_t)
++
++domain_use_interactive_fds(spamassassin_t)
++
++files_read_etc_files(spamassassin_t)
++files_read_etc_runtime_files(spamassassin_t)
++files_list_home(spamassassin_t)
++files_read_usr_files(spamassassin_t)
++files_dontaudit_search_var(spamassassin_t)
++
++libs_use_ld_so(spamassassin_t)
++libs_use_shared_libs(spamassassin_t)
++
++logging_send_syslog_msg(spamassassin_t)
++
++miscfiles_read_localization(spamassassin_t)
++
++# cjp: this could probably be removed
++seutil_read_config(spamassassin_t)
++
++sysnet_dns_name_resolve(spamassassin_t)
++
++userdom_use_unpriv_users_fds(spamassassin_t)
++userdom_search_user_home_dirs(user,spamassassin_t)
++# cjp: this really should just be the
++# terminal specific to the role
++userdom_use_unpriv_users_ptys(spamassassin_t)
++
++# set tunable if you have spamassassin do DNS lookups
++tunable_policy(`spamassassin_can_network',`
++	allow spamassassin_t self:tcp_socket create_stream_socket_perms;
++	allow spamassassin_t self:udp_socket create_socket_perms;
++
++	corenet_all_recvfrom_unlabeled(spamassassin_t)
++	corenet_all_recvfrom_netlabel(spamassassin_t)
++	corenet_tcp_sendrecv_generic_if(spamassassin_t)
++	corenet_udp_sendrecv_generic_if(spamassassin_t)
++	corenet_tcp_sendrecv_all_nodes(spamassassin_t)
++	corenet_udp_sendrecv_all_nodes(spamassassin_t)
++	corenet_tcp_sendrecv_all_ports(spamassassin_t)
++	corenet_udp_sendrecv_all_ports(spamassassin_t)
++	corenet_tcp_connect_all_ports(spamassassin_t)
++	corenet_sendrecv_all_client_packets(spamassassin_t)
++
++	sysnet_read_config(spamassassin_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_dirs(spamassassin_t)
++	fs_manage_nfs_files(spamassassin_t)
++	fs_manage_nfs_symlinks(spamassassin_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_dirs(spamassassin_t)
++	fs_manage_cifs_files(spamassassin_t)
++	fs_manage_cifs_symlinks(spamassassin_t)
++')
++
++optional_policy(`
++	# cjp: clearly some redundancy here
++
++	nis_use_ypbind(spamassassin_t)
++
++	tunable_policy(`spamassassin_can_network && allow_ypbind',`
++		nis_use_ypbind_uncond(spamassassin_t)
++	')
++')
++
++optional_policy(`
++	mta_read_config(spamassassin_t)
++	sendmail_stub(spamassassin_t)
++')
++
++##############################
++#
++# spamc_t local policy
++#
++
++allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow spamc_t self:fd use;
++allow spamc_t self:fifo_file rw_fifo_file_perms;
++allow spamc_t self:sock_file read_sock_file_perms;
++allow spamc_t self:shm create_shm_perms;
++allow spamc_t self:sem create_sem_perms;
++allow spamc_t self:msgq create_msgq_perms;
++allow spamc_t self:msg { send receive };
++allow spamc_t self:unix_dgram_socket create_socket_perms;
++allow spamc_t self:unix_stream_socket create_stream_socket_perms;
++allow spamc_t self:unix_dgram_socket sendto;
++allow spamc_t self:unix_stream_socket connectto;
++allow spamc_t self:tcp_socket create_stream_socket_perms;
++allow spamc_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t)
++manage_files_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t)
++files_tmp_filetrans(spamc_t, user_spamc_tmp_t, { file dir })
++
++# Allow connecting to a local spamd
++allow spamc_t spamd_t:unix_stream_socket connectto;
++allow spamc_t spamd_tmp_t:sock_file rw_file_perms;
++
++kernel_read_kernel_sysctls(spamc_t)
++
++corenet_all_recvfrom_unlabeled(spamc_t)
++corenet_all_recvfrom_netlabel(spamc_t)
++corenet_tcp_sendrecv_generic_if(spamc_t)
++corenet_udp_sendrecv_generic_if(spamc_t)
++corenet_tcp_sendrecv_all_nodes(spamc_t)
++corenet_udp_sendrecv_all_nodes(spamc_t)
++corenet_tcp_sendrecv_all_ports(spamc_t)
++corenet_udp_sendrecv_all_ports(spamc_t)
++corenet_tcp_connect_all_ports(spamc_t)
++corenet_sendrecv_all_client_packets(spamc_t)
++
++fs_search_auto_mountpoints(spamc_t)
++
++# cjp: these should probably be removed:
++corecmd_list_bin(spamc_t)
++corecmd_read_bin_symlinks(spamc_t)
++corecmd_read_bin_files(spamc_t)
++corecmd_read_bin_pipes(spamc_t)
++corecmd_read_bin_sockets(spamc_t)
++
++domain_use_interactive_fds(spamc_t)
++
++files_read_etc_files(spamc_t)
++files_read_etc_runtime_files(spamc_t)
++files_read_usr_files(spamc_t)
++files_dontaudit_search_var(spamc_t)
++# cjp: this may be removable:
++files_list_home(spamc_t)
++
++auth_use_nsswitch(spamc_t)
++
++libs_use_ld_so(spamc_t)
++libs_use_shared_libs(spamc_t)
++
++logging_send_syslog_msg(spamc_t)
++
++miscfiles_read_localization(spamc_t)
++
++# cjp: this should probably be removed:
++seutil_read_config(spamc_t)
++
++sysnet_read_config(spamc_t)
++
++userdom_use_unpriv_users_fds(spamc_t)
++# cjp: this really should just be the
++# terminal specific to the role
++userdom_use_unpriv_users_ptys(spamc_t)
++
++optional_policy(`
++	# Allow connection to spamd socket above
++	evolution_stream_connect(user,spamc_t)
++')
++
++optional_policy(`
++	mta_read_config(spamc_t)
++	sendmail_stub(spamc_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.5/policy/modules/services/squid.fc
 --- nsaserefpolicy/policy/modules/services/squid.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/squid.fc	2007-12-19 05:38:09.000000000 -0500
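Review bot: `userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })` in the new `spamassassin_t local policy` section sits at file top level in spamassassin.te, where `$1` is never substituted; the parallel spamd_t rule in the earlier hunk and `userdom_search_user_home_dirs(user,spamassassin_t)` further down both pass the literal `user` prefix, so this line should read `userdom_user_home_dir_filetrans(user,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })`. As written it would leave a literal `$1` in the generated policy (a build error, or at best no transition), so content spamassassin_t creates in a home directory would not receive the labelled type the rest of this section relies on. Separately, `allow spamc_t spamd_tmp_t:sock_file rw_file_perms;` applies a file permission set to the sock_file class; the matching refpolicy set is `rw_sock_file_perms`.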
@@ -11170,8 +12562,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2007-12-27 11:37:04.000000000 -0500
-@@ -45,7 +45,7 @@
++++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2008-01-03 16:24:11.000000000 -0500
+@@ -15,6 +15,7 @@
+ template(`xserver_common_domain_template',`
+ 	gen_require(`
+ 		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
++		type xdm_xserver_tmp_t;
+ 	')
+ 
+ 	##############################
+@@ -45,7 +46,7 @@
  	# execheap needed until the X module loader is fixed.
  	# NVIDIA Needs execstack
  
@@ -11180,7 +12580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	dontaudit $1_xserver_t self:capability chown;
  	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  	allow $1_xserver_t self:memprotect mmap_zero;
-@@ -115,18 +115,23 @@
+@@ -115,18 +116,23 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
  	dev_manage_dri_dev($1_xserver_t)
@@ -11206,7 +12606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	files_read_etc_files($1_xserver_t)
  	files_read_etc_runtime_files($1_xserver_t)
-@@ -140,12 +145,16 @@
+@@ -140,12 +146,16 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
@@ -11224,7 +12624,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	term_setattr_unallocated_ttys($1_xserver_t)
  	term_use_unallocated_ttys($1_xserver_t)
  
-@@ -232,39 +241,26 @@
+@@ -223,8 +233,10 @@
+ template(`xserver_per_role_template',`
+ 
+ 	gen_require(`
+-		type iceauth_exec_t, xauth_exec_t;
+-		attribute fonts_type, fonts_cache_type, fonts_config_type;
++		type iceauth_exec_t, iceauth_t, user_iceauth_home_t;
++		type xauth_t, xauth_exec_t, user_xauth_home_t;
++		type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
++		type xdm_xserver_tmp_t, xdm_xserver_t;
+ 	')
+ 
+ 	##############################
+@@ -232,66 +244,51 @@
  	# Declarations
  	#
  
@@ -11246,38 +12659,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -
 -	type $1_fonts_config_t, fonts_config_type;
 -	userdom_user_home_content($1,$1_fonts_cache_t)
--
- 	type $1_iceauth_t;
- 	domain_type($1_iceauth_t)
- 	domain_entry_file($1_iceauth_t,iceauth_exec_t)
- 	role $3 types $1_iceauth_t;
++	typealias xauth_t alias $1_xauth_t;
++	role $3 types xauth_t;
  
+-	type $1_iceauth_t;
+-	domain_type($1_iceauth_t)
+-	domain_entry_file($1_iceauth_t,iceauth_exec_t)
+-	role $3 types $1_iceauth_t;
+-
 -	type $1_iceauth_home_t alias $1_iceauth_rw_t;
 -	files_poly_member($1_iceauth_home_t)
 -	userdom_user_home_content($1,$1_iceauth_home_t)
 -
- 	type $1_xauth_t;
- 	domain_type($1_xauth_t)
- 	domain_entry_file($1_xauth_t,xauth_exec_t)
- 	role $3 types $1_xauth_t;
- 
+-	type $1_xauth_t;
+-	domain_type($1_xauth_t)
+-	domain_entry_file($1_xauth_t,xauth_exec_t)
+-	role $3 types $1_xauth_t;
+-
 -	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
 -	files_poly_member($1_xauth_home_t)
 -	userdom_user_home_content($1,$1_xauth_home_t)
 -
 -	type $1_xauth_tmp_t;
 -	files_tmp_file($1_xauth_tmp_t)
--
++	typealias iceauth_t alias $1_iceauth_t;
++	role $3 types iceauth_t;
+ 
  	##############################
  	#
  	# $1_xserver_t Local policy
-@@ -272,12 +268,15 @@
- 
- 	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
+ 	#
++	domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t)
  
+-	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
+-
 -	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
 +	allow $1_xserver_t user_xauth_home_t:file { getattr read };
-+	allow xdm_t user_xauth_home_t:file append_file_perms;
  
  	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
  	allow $1_xserver_t $2:process signal;
@@ -11286,85 +12703,163 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	allow $1_xserver_t $2:shm rw_shm_perms;
 +	allow $1_xserver_t $2:file read_file_perms;
  
- 	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
- 	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -307,6 +306,7 @@
+-	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+-	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
+-	relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+-	relabel_files_pattern($2,$1_fonts_t,$1_fonts_t)
+-
+-	manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+-	manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+-	relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
++	manage_dirs_pattern($2,user_fonts_t,user_fonts_t)
++	manage_files_pattern($2,user_fonts_t,user_fonts_t)
++	relabel_dirs_pattern($2,user_fonts_t,user_fonts_t)
++	relabel_files_pattern($2,user_fonts_t,user_fonts_t)
++
++	manage_dirs_pattern($2,user_fonts_config_t,user_fonts_config_t)
++	manage_files_pattern($2,user_fonts_config_t,user_fonts_config_t)
++	relabel_files_pattern($2,user_fonts_config_t,user_fonts_config_t)
+ 
+ 	# For startup relabel
+-	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
++	allow $2 user_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+ 
+ 	stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
++	stream_connect_pattern($2,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
+ 
+ 	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ 
+@@ -307,113 +304,49 @@
  	userdom_use_user_ttys($1,$1_xserver_t)
  	userdom_setattr_user_ttys($1,$1_xserver_t)
  	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
 +	userdom_rw_user_tmp_files($1,$1_xserver_t)
  
  	xserver_use_user_fonts($1,$1_xserver_t)
- 	xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -330,12 +330,12 @@
- 	allow $1_xauth_t self:process signal;
- 	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+-	xserver_rw_xdm_tmp_files($1_xauth_t)
+ 
+ 	optional_policy(`
+ 		userhelper_search_config($1_xserver_t)
+ 	')
  
+-	ifdef(`TODO',`
+-	ifdef(`xdm.te', `
+-		allow $1_t xdm_tmp_t:sock_file unlink;
+-		allow $1_xserver_t xdm_var_run_t:dir search;
+-	')
+-	') dnl end TODO
+-
+ 	##############################
+ 	#
+-	# $1_xauth_t Local policy
++	# xauth_t Local policy
+ 	#
+ 
+-	allow $1_xauth_t self:process signal;
+-	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+-
 -	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
-+	allow $1_xauth_t user_xauth_home_t:file manage_file_perms;
-+	userdom_user_home_dir_filetrans($1,$1_xauth_t,user_xauth_home_t,file)
- 
+-
 -	manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
-+	manage_dirs_pattern($1_xauth_t,user_xauth_tmp_t,user_xauth_tmp_t)
-+	manage_files_pattern($1_xauth_t,user_xauth_tmp_t,user_xauth_tmp_t)
-+	files_tmp_filetrans($1_xauth_t, user_xauth_tmp_t, { file dir })
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
  
- 	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+-
+-	allow $2 $1_xauth_t:process signal;
++	allow $2 xauth_t:process signal;
  
-@@ -344,12 +344,6 @@
  	# allow ps to show xauth
- 	ps_process_pattern($2,$1_xauth_t)
- 
+-	ps_process_pattern($2,$1_xauth_t)
+-
 -	allow $2 $1_xauth_home_t:file manage_file_perms;
 -	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 -
 -	allow xdm_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
 -
- 	domain_use_interactive_fds($1_xauth_t)
+-	domain_use_interactive_fds($1_xauth_t)
+-
+-	files_read_etc_files($1_xauth_t)
+-	files_search_pids($1_xauth_t)
+-
+-	fs_getattr_xattr_fs($1_xauth_t)
+-	fs_search_auto_mountpoints($1_xauth_t)
++	ps_process_pattern($2,xauth_t)
  
- 	files_read_etc_files($1_xauth_t)
-@@ -378,6 +372,14 @@
- 	')
+-	# cjp: why?
+-	term_use_ptmx($1_xauth_t)
+-
+-	auth_use_nsswitch($1_xauth_t)
+-
+-	libs_use_ld_so($1_xauth_t)
+-	libs_use_shared_libs($1_xauth_t)
+-
+-	userdom_use_user_terminals($1,$1_xauth_t)
+-	userdom_read_user_tmp_files($1,$1_xauth_t)
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_manage_nfs_files($1_xauth_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_manage_cifs_files($1_xauth_t)
+-	')
++	userdom_use_user_terminals($1,xauth_t)
++	userdom_read_user_tmp_files($1,xauth_t)
  
  	optional_policy(`
+-		ssh_sigchld($1_xauth_t)
+-		ssh_read_pipes($1_xauth_t)
+-		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
 +		xserver_read_user_xauth($1, $2)
-+	')
-+
-+	optional_policy(`
-+		xserver_read_user_iceauth($1, $2)
-+	')
-+
-+	optional_policy(`
- 		ssh_sigchld($1_xauth_t)
- 		ssh_read_pipes($1_xauth_t)
- 		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
-@@ -390,16 +392,16 @@
- 
- 	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
+ 	')
  
+ 	##############################
+ 	#
+-	# $1_iceauth_t Local policy
++	# iceauth_t Local policy
+ 	#
+-
+-	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
+-
 -	allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
-+	allow $1_iceauth_t user_iceauth_home_t:file manage_file_perms;
-+	userdom_user_home_dir_filetrans($1,$1_iceauth_t,user_iceauth_home_t,file)
++	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
  
  	# allow ps to show iceauth
- 	ps_process_pattern($2,$1_iceauth_t)
- 
+-	ps_process_pattern($2,$1_iceauth_t)
+-
 -	allow $2 $1_iceauth_home_t:file manage_file_perms;
 -	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
+-
+-	allow xdm_t $1_iceauth_home_t:file read_file_perms;
+-
+-	fs_search_auto_mountpoints($1_iceauth_t)
++	ps_process_pattern($2,iceauth_t)
+ 
+-	libs_use_ld_so($1_iceauth_t)
+-	libs_use_shared_libs($1_iceauth_t)
 +	allow $2 user_iceauth_home_t:file manage_file_perms;
 +	allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
  
--	allow xdm_t $1_iceauth_home_t:file read_file_perms;
-+	allow xdm_t user_iceauth_home_t:file read_file_perms;
+-	userdom_use_user_terminals($1,$1_iceauth_t)
++	userdom_use_user_terminals($1,iceauth_t)
  
- 	fs_search_auto_mountpoints($1_iceauth_t)
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_manage_nfs_files($1_iceauth_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_manage_cifs_files($1_iceauth_t)
++	optional_policy(`
++		xserver_read_user_iceauth($1, $2)
+ 	')
+ ')
  
-@@ -523,17 +525,16 @@
+@@ -523,17 +456,16 @@
  template(`xserver_user_client_template',`
  
  	gen_require(`
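Review bot: `userdom_use_user_terminals($1,xauth_t)`, `userdom_read_user_tmp_files($1,xauth_t)` and the `userdom_use_user_terminals($1,iceauth_t)` counterpart are now applied to the shared `xauth_t`/`iceauth_t` domains from a per-role template, so every role the template is instantiated for adds its terminals and tmp files to the same domain; an xauth process started by one role can then read every instantiated role's tmp files rather than only its own, which is weaker separation than the per-role `$1_xauth_t` it replaces (the `typealias xauth_t alias $1_xauth_t` in the previous hunk carries the same consequence). If that is an accepted cost of collapsing the domains, a comment at the top of the `xauth_t Local policy` block such as `# xauth_t is shared by all roles: the userdom_* rules below accumulate across every template instantiation` would stop the next reader from assuming per-user confinement. The hunk also drops `allow $2 $1_xauth_home_t:file manage_file_perms;` and its relabel rule for the caller while keeping both for `user_iceauth_home_t`, replacing the xauth side only with the read-only `xserver_read_user_xauth($1, $2)`; confirm that user domains writing their own Xauthority file are meant to lose that here. The removed `auth_use_nsswitch`, `libs_use_*` and NFS/CIFS tunable blocks for the xauth/iceauth domains do not reappear in this hunk; presumably they moved to xserver.te, which is outside this view.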
@@ -11389,7 +12884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +543,55 @@
+@@ -542,25 +474,55 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -11453,7 +12948,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	')
  ')
  
-@@ -613,6 +644,24 @@
+@@ -593,26 +555,44 @@
+ #
+ template(`xserver_use_user_fonts',`
+ 	gen_require(`
+-		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
++		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ 	')
+ 
+ 	# Read per user fonts
+-	allow $2 $1_fonts_t:dir list_dir_perms;
+-	allow $2 $1_fonts_t:file read_file_perms;
++	allow $2 user_fonts_t:dir list_dir_perms;
++	allow $2 user_fonts_t:file read_file_perms;
+ 
+ 	# Manipulate the global font cache
+-	manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
+-	manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
++	manage_dirs_pattern($2,user_fonts_cache_t,user_fonts_cache_t)
++	manage_files_pattern($2,user_fonts_cache_t,user_fonts_cache_t)
+ 
+ 	# Read per user font config
+-	allow $2 $1_fonts_config_t:dir list_dir_perms;
+-	allow $2 $1_fonts_config_t:file read_file_perms;
++	allow $2 user_fonts_config_t:dir list_dir_perms;
++	allow $2 user_fonts_config_t:file read_file_perms;
+ 
+ 	userdom_search_user_home_dirs($1,$2)
+ ')
  
  ########################################
  ## <summary>
@@ -11475,13 +12997,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +########################################
 +## <summary>
- ##	Transition to a user Xauthority domain.
- ## </summary>
- ## <desc>
-@@ -646,6 +695,73 @@
- 
- ########################################
- ## <summary>
+ ##	Transition to a user Xauthority domain.
+ ## </summary>
+ ## <desc>
+@@ -638,10 +618,77 @@
+ #
+ template(`xserver_domtrans_user_xauth',`
+ 	gen_require(`
+-		type $1_xauth_t, xauth_exec_t;
++		type xauth_exec_t, xauth_t;
++	')
++
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
++')
++
++########################################
++## <summary>
 +##	Read a user Xauthority domain.
 +## </summary>
 +## <desc>
@@ -11508,8 +13039,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +template(`xserver_read_user_xauth',`
 +	gen_require(`
 +		type user_xauth_home_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	allow $2 user_xauth_home_t:file { getattr read };
 +')
 +
@@ -11545,14 +13077,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +	# Read .Iceauthority file
 +	allow $2 user_iceauth_home_t:file { getattr read };
-+')
-+
-+########################################
-+## <summary>
- ##	Transition to a user Xauthority domain.
- ## </summary>
- ## <desc>
-@@ -671,10 +787,10 @@
+ ')
+ 
+ ########################################
+@@ -671,10 +718,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -11565,7 +13093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -760,7 +876,7 @@
+@@ -760,7 +807,7 @@
  		type xconsole_device_t;
  	')
  
@@ -11574,7 +13102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -860,6 +976,25 @@
+@@ -860,6 +907,25 @@
  
  ########################################
  ## <summary>
@@ -11600,7 +13128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1049,7 @@
+@@ -914,6 +980,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -11608,7 +13136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -974,6 +1110,37 @@
+@@ -974,6 +1041,37 @@
  
  ########################################
  ## <summary>
@@ -11646,7 +13174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1290,7 @@
+@@ -1123,7 +1221,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -11655,7 +13183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1312,3 +1479,45 @@
+@@ -1312,3 +1410,45 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -11703,7 +13231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.5/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.te	2008-01-03 09:15:47.000000000 -0500
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -11718,7 +13246,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ## Allow xdm logins as sysadm
  ## </p>
  ## </desc>
-@@ -56,6 +63,12 @@
+@@ -26,11 +33,14 @@
+ attribute fonts_config_type;
+ attribute xauth_home_type;
+ 
++type iceauth_t;
+ type iceauth_exec_t;
+-application_executable_file(iceauth_exec_t)
++application_domain(iceauth_t,iceauth_exec_t)
+ 
++type xauth_t;
+ type xauth_exec_t;
+-application_executable_file(xauth_exec_t)
++application_domain(xauth_t, xauth_exec_t)
++role system_r types xauth_t;
+ 
+ # this is not actually a device, its a pipe
+ type xconsole_device_t;
+@@ -56,6 +66,12 @@
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -11731,7 +13276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  type xdm_tmp_t;
  files_tmp_file(xdm_tmp_t)
  typealias xdm_tmp_t alias ice_tmp_t;
-@@ -78,6 +91,26 @@
+@@ -78,6 +94,29 @@
  type xserver_log_t;
  logging_log_file(xserver_log_t)
  
@@ -11752,13 +13297,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +files_poly_member(user_xauth_home_t)
 +userdom_user_home_content(user,user_xauth_home_t)
 +
++type admin_xauth_home_t;
++files_type(user_xauth_home_t)
++
 +type user_xauth_tmp_t;
 +files_tmp_file(user_xauth_tmp_t)
 +
  xserver_common_domain_template(xdm)
  init_system_domain(xdm_xserver_t,xserver_exec_t)
  
-@@ -96,7 +129,7 @@
+@@ -96,7 +135,7 @@
  #
  
  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
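Review bot: `type admin_xauth_home_t;` is immediately followed by `files_type(user_xauth_home_t)`, so the newly declared type receives no attribute while `user_xauth_home_t`, already covered by `files_poly_member`/`userdom_user_home_content` a few lines above, is attributed a second time; this reads as a copy-paste slip and should be `files_type(admin_xauth_home_t)`, or the admin type should get the same home-content treatment as the user one if it is meant to label a file under a home directory. A type with no attribute is not matched by the attribute-based `files_*`/`userdom_*` interfaces, so anything labelled `admin_xauth_home_t` would be unreachable even by xdm_t. Nothing in this hunk references `admin_xauth_home_t`; if it is not used elsewhere, dropping the declaration is cleaner than leaving a dangling type.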
@@ -11767,7 +13315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -109,6 +142,8 @@
+@@ -109,6 +148,8 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -11776,7 +13324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +166,22 @@
+@@ -131,15 +172,22 @@
  manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -11800,7 +13348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +195,7 @@
+@@ -153,6 +201,7 @@
  allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -11808,7 +13356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -184,6 +227,7 @@
+@@ -184,6 +233,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -11816,7 +13364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -196,6 +240,7 @@
+@@ -196,6 +246,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -11824,7 +13372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -208,8 +253,8 @@
+@@ -208,8 +259,8 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -11835,7 +13383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_getattr_power_mgmt_dev(xdm_t)
  dev_setattr_power_mgmt_dev(xdm_t)
  
-@@ -245,6 +290,7 @@
+@@ -245,6 +296,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -11843,7 +13391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -256,12 +302,11 @@
+@@ -256,12 +308,11 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -11857,7 +13405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -270,6 +315,10 @@
+@@ -270,6 +321,10 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -11868,7 +13416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  
-@@ -304,7 +353,16 @@
+@@ -304,7 +359,16 @@
  ')
  
  optional_policy(`
@@ -11885,7 +13433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -322,6 +380,10 @@
+@@ -322,6 +386,10 @@
  ')
  
  optional_policy(`
@@ -11896,7 +13444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -343,8 +405,8 @@
+@@ -343,8 +411,8 @@
  ')
  
  optional_policy(`
@@ -11906,7 +13454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +442,7 @@
+@@ -380,7 +448,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -11915,7 +13463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +454,15 @@
+@@ -392,6 +460,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -11931,7 +13479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,6 +475,7 @@
+@@ -404,6 +481,7 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -11939,7 +13487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_use_all_users_fonts(xdm_xserver_t)
  
-@@ -420,6 +492,14 @@
+@@ -420,6 +498,14 @@
  ')
  
  optional_policy(`
@@ -11954,7 +13502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +509,30 @@
+@@ -429,47 +515,103 @@
  ')
  
  optional_policy(`
@@ -11978,6 +13526,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	# xserver signals unconfined user on startx
 +	unconfined_signal(xdm_xserver_t)
 +	unconfined_getpgid(xdm_xserver_t)
++')
++
++
++tunable_policy(`allow_xserver_execmem', `
++	allow xdm_xserver_t self:process { execheap execmem execstack };
++')
++
++ifndef(`distro_redhat',`
++	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
 -ifdef(`TODO',`
@@ -12001,28 +13558,88 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -allow xdm_t polymember:lnk_file { create unlink };
 -# xdm needs access for copying .Xauthority into new home
 -allow xdm_t polymember:file { create getattr write };
-+
-+tunable_policy(`allow_xserver_execmem', `
-+	allow xdm_xserver_t self:process { execheap execmem execstack };
-+')
-+
-+ifndef(`distro_redhat',`
-+	allow xdm_xserver_t self:process { execheap execmem };
-+')
-+
 +ifdef(`distro_rhel4',`
 +	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
--#
++##############################
+ #
 -# Wants to delete .xsession-errors file
--#
++# xauth_t Local policy
+ #
 -allow xdm_t user_home_type:file unlink;
--#
++domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
++
++userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
++xserver_rw_xdm_tmp_files(xauth_t)
++allow xauth_t self:process signal;
++allow xauth_t self:unix_stream_socket create_stream_socket_perms;
++
++allow xauth_t user_xauth_home_t:file manage_file_perms;
++allow xdm_t user_xauth_home_t:file append_file_perms;
++
++manage_dirs_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t)
++manage_files_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t)
++files_tmp_filetrans(xauth_t, user_xauth_tmp_t, { file dir })
++
++domain_use_interactive_fds(xauth_t)
++
++files_read_etc_files(xauth_t)
++files_search_pids(xauth_t)
++
++fs_getattr_xattr_fs(xauth_t)
++fs_search_auto_mountpoints(xauth_t)
++
++# cjp: why?
++term_use_ptmx(xauth_t)
++
++auth_use_nsswitch(xauth_t)
++
++libs_use_ld_so(xauth_t)
++libs_use_shared_libs(xauth_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_files(xauth_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_files(xauth_t)
++')
++
++optional_policy(`
++	ssh_sigchld(xauth_t)
++	ssh_read_pipes(xauth_t)
++	ssh_dontaudit_rw_tcp_sockets(xauth_t)
++')
++
++##############################
+ #
 -# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
--#
++# iceauth_t Local policy
+ #
 -allow pam_t xdm_t:fifo_file { getattr ioctl write };
 -') dnl end TODO
++
++allow iceauth_t user_iceauth_home_t:file manage_file_perms;
++userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
++
++allow xdm_t user_iceauth_home_t:file read_file_perms;
++
++fs_search_auto_mountpoints(iceauth_t)
++
++libs_use_ld_so(iceauth_t)
++libs_use_shared_libs(iceauth_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_files(iceauth_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_files(iceauth_t)
++')
++
++allow xauth_t admin_xauth_home_t:file manage_file_perms;
++userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.5/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2007-12-12 11:35:28.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/system/authlogin.fc	2007-12-19 05:38:09.000000000 -0500
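Review bot: `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)` passes a literal `$1` where the matching xauth_t rule a few lines above passes `user`; this is .te-level policy outside any template, so m4 hands the interface the text `$1` rather than a role prefix, and the line should read `userdom_user_home_dir_filetrans(user,iceauth_t,user_iceauth_home_t,file)`. The two `admin_xauth_home_t` rules at the end of the hunk concern xauth_t but sit under the "iceauth_t Local policy" header; they belong up in the xauth_t section next to the other `user_xauth_home_t` rules. The `# cjp: why?` left above `term_use_ptmx(xauth_t)` is still unanswered — a domain that handles X credentials getting ptmx access needs either the reason recorded in that comment or the rule dropped. The xdm_xserver_t section these rules extend starts in the previous hunk.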
@@ -12043,7 +13660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-03 11:25:12.000000000 -0500
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -12861,7 +14478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/libraries.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/libraries.te	2008-01-02 15:02:58.000000000 -0500
 @@ -23,6 +23,9 @@
  init_system_domain(ldconfig_t,ldconfig_exec_t)
  role system_r types ldconfig_t;
@@ -12898,16 +14515,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_search_tmp(ldconfig_t)
-@@ -79,6 +87,8 @@
+@@ -79,6 +87,9 @@
  logging_send_syslog_msg(ldconfig_t)
  
  userdom_use_all_users_fds(ldconfig_t)
 +userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)
 +userdom_manage_unpriv_users_tmp_files(ldconfig_t)
++userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t)
  
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
-@@ -96,4 +106,6 @@
+@@ -96,4 +107,6 @@
  	# and executes ldconfig on it.  If you dont allow this kernel installs 
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
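Review bot: `userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t)` carries no justification, while the rpm rule just below it explains why this system domain has to touch temporary files at all. ldconfig_t is declared with `init_system_domain` in this file, so letting it create, rename and unlink symlinks in unprivileged users' tmp is a widening that deserves one line naming the caller that needs it, e.g. `# <CALLER> leaves symlinks in user tmp that ldconfig must handle -- confirm` with the placeholder filled in. The same missing why-comment applies to `rpm_manage_script_tmp_files(depmod_t)` in the modutils.te hunk further down, whose ldconfig_t counterpart here does have the "kernel installs blow up" explanation. The enclosing ldconfig_t section continues outside this hunk.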
@@ -13304,7 +14922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.5/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/modutils.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/modutils.te	2008-01-03 10:41:38.000000000 -0500
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -13390,7 +15008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  fs_getattr_xattr_fs(depmod_t)
  
-@@ -202,12 +221,14 @@
+@@ -202,16 +221,19 @@
  
  # Read System.map from home directories.
  files_list_home(depmod_t)
@@ -13407,6 +15025,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ')
  
  optional_policy(`
+ 	rpm_rw_pipes(depmod_t)
++	rpm_manage_script_tmp_files(depmod_t)
+ ')
+ 
+ #################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.5/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2006-11-16 17:15:24.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/system/mount.fc	2007-12-19 05:38:09.000000000 -0500
@@ -13418,7 +15041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +/usr/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/mount.te	2007-12-21 02:36:38.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/mount.te	2008-01-02 13:29:31.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -13450,7 +15073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  ########################################
  #
-@@ -36,20 +37,22 @@
+@@ -36,23 +37,26 @@
  #
  
  # setuid/setgid needed to mount cifs 
@@ -13476,7 +15099,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  dev_getattr_all_blk_files(mount_t)
  dev_list_all_dev_nodes(mount_t)
-@@ -62,6 +65,7 @@
++dev_read_usbfs(mount_t)
+ dev_rw_lvm_control(mount_t)
+ dev_dontaudit_getattr_all_chr_files(mount_t)
+ dev_dontaudit_getattr_memory_dev(mount_t)
+@@ -62,6 +66,7 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -13484,7 +15111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  fs_getattr_xattr_fs(mount_t)
  fs_getattr_cifs(mount_t)
-@@ -100,6 +104,8 @@
+@@ -100,6 +105,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -13493,7 +15120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  auth_use_nsswitch(mount_t)
  
-@@ -161,6 +167,8 @@
+@@ -161,6 +168,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -13502,7 +15129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -175,6 +183,11 @@
+@@ -175,6 +184,11 @@
  	')
  ')
  
@@ -13514,7 +15141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -192,4 +205,26 @@
+@@ -192,4 +206,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -14903,7 +16530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2007-12-24 06:19:27.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-03 16:34:20.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -15147,7 +16774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	##############################
  	#
-@@ -262,43 +235,43 @@
+@@ -262,43 +235,44 @@
  	#
  
  	# full control of the home directory
@@ -15165,16 +16792,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
 -	files_list_home($1_t)
 +	allow $1_t user_home_t:file entrypoint;
-+	manage_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	manage_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	manage_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	manage_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	manage_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	relabel_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	relabel_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	relabel_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	relabel_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
-+	relabel_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t)
++	allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom };
++	manage_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	manage_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	manage_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	manage_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	manage_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	relabel_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	relabel_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	relabel_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	relabel_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
++	relabel_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
 +	filetrans_pattern($1_usertype,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
 +	files_list_home($1_usertype)
  
@@ -15219,7 +16847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -316,14 +289,20 @@
+@@ -316,14 +290,20 @@
  ## <rolebase/>
  #
  template(`userdom_exec_home_template',`
@@ -15245,7 +16873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -341,11 +320,10 @@
+@@ -341,11 +321,10 @@
  ## <rolebase/>
  #
  template(`userdom_poly_home_template',`
@@ -15261,7 +16889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -369,18 +347,18 @@
+@@ -369,18 +348,18 @@
  #
  template(`userdom_manage_tmp_template',`
  	gen_require(`
@@ -15290,7 +16918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -396,7 +374,13 @@
+@@ -396,7 +375,13 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -15305,7 +16933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -510,10 +494,6 @@
+@@ -510,10 +495,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -15316,7 +16944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -531,9 +511,6 @@
+@@ -531,9 +512,6 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -15326,7 +16954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
-@@ -548,10 +525,6 @@
+@@ -548,10 +526,6 @@
  	corenet_udp_sendrecv_all_ports($1_t)
  	corenet_tcp_connect_all_ports($1_t)
  	corenet_sendrecv_all_client_packets($1_t)
@@ -15337,7 +16965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -568,30 +541,29 @@
+@@ -568,30 +542,29 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -15384,7 +17012,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -728,7 +700,6 @@
+@@ -717,6 +690,12 @@
+ 	# Stat lost+found.
+ 	files_getattr_lost_found_dirs($1_t)
+ 
++	logging_send_syslog_msg($1_usertype)
++	logging_dontaudit_send_audit_msgs($1_t)
++	# Need to to this just so screensaver will work. Should be moved to screensaver domain
++	logging_send_audit_msgs($1_t)
++	selinux_get_enforce_mode($1_t)
++
+ 	# cjp: some of this probably can be removed
+ 	selinux_get_fs_mount($1_t)
+ 	selinux_validate_context($1_t)
+@@ -728,11 +707,11 @@
  	# for eject
  	storage_getattr_fixed_disk_dev($1_t)
  
@@ -15392,7 +17033,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	auth_read_login_records($1_t)
  	auth_search_pam_console_data($1_t)
  	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-@@ -758,10 +729,6 @@
+ 	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++	authlogin_per_role_template($1, $1_t, $1_r)
+ 
+ 	init_read_utmp($1_t)
+ 
+@@ -758,10 +737,6 @@
  		dev_read_mouse($1_t)
  	')
  
@@ -15403,7 +17049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -783,20 +750,20 @@
+@@ -783,20 +758,20 @@
  		')
  
  		optional_policy(`
@@ -15429,7 +17075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		')
  	')
  
-@@ -824,11 +791,18 @@
+@@ -824,11 +799,18 @@
  		mta_rw_spool($1_t)
  	')
  
@@ -15452,7 +17098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -842,13 +816,6 @@
+@@ -842,13 +824,6 @@
  	')
  
  	optional_policy(`
@@ -15466,7 +17112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -889,6 +856,8 @@
+@@ -889,6 +864,8 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -15475,7 +17121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_base_user_template($1)
  
  	userdom_manage_home_template($1)
-@@ -917,26 +886,26 @@
+@@ -917,26 +894,26 @@
  
  	allow $1_t self:context contains;
  
@@ -15516,7 +17162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	auth_dontaudit_write_login_records($1_t)
  
-@@ -944,43 +913,43 @@
+@@ -944,43 +921,43 @@
  
  	# The library functions always try to open read-write first,
  	# then fall back to read-only if it fails. 
@@ -15578,7 +17224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1014,9 +983,6 @@
+@@ -1014,9 +991,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -15588,7 +17234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1025,16 +991,29 @@
+@@ -1025,16 +999,32 @@
  	#
  
  	# privileged home directory writers
@@ -15621,10 +17267,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		loadkeys_run($1_t,$1_r,$1_tty_device_t)
  	')
 +
++	optional_policy(`
++		nsplugin_per_role_template($1, $1_usertype, $1_r)
++	')
  ')
  
  #######################################
-@@ -1062,6 +1041,13 @@
+@@ -1062,6 +1052,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -15638,7 +17287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1070,14 +1056,14 @@
+@@ -1070,14 +1067,14 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -15658,7 +17307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,33 +1071,14 @@
+@@ -1085,33 +1082,14 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -15698,7 +17347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1121,10 +1088,10 @@
+@@ -1121,10 +1099,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -15713,7 +17362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1187,12 +1154,11 @@
+@@ -1187,12 +1165,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -15728,7 +17377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1278,8 +1244,6 @@
+@@ -1278,8 +1255,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -15737,7 +17386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1416,6 +1380,7 @@
+@@ -1416,6 +1391,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -15745,7 +17394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1781,10 +1746,14 @@
+@@ -1781,10 +1757,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -15761,7 +17410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1880,11 +1849,11 @@
+@@ -1880,11 +1860,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -15775,7 +17424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1914,11 +1883,11 @@
+@@ -1914,11 +1894,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -15789,7 +17438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1962,12 +1931,12 @@
+@@ -1962,12 +1942,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -15805,7 +17454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1997,10 +1966,10 @@
+@@ -1997,10 +1977,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -15818,7 +17467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2032,11 +2001,47 @@
+@@ -2032,11 +2012,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -15868,7 +17517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2068,10 +2073,10 @@
+@@ -2068,10 +2084,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -15881,7 +17530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2101,11 +2106,11 @@
+@@ -2101,11 +2117,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -15895,7 +17544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2135,11 +2140,11 @@
+@@ -2135,11 +2151,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -15910,7 +17559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2169,10 +2174,10 @@
+@@ -2169,10 +2185,10 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -15923,7 +17572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2202,11 +2207,11 @@
+@@ -2202,11 +2218,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -15937,7 +17586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2236,11 +2241,11 @@
+@@ -2236,11 +2252,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -15951,7 +17600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2270,10 +2275,10 @@
+@@ -2270,10 +2286,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -15964,7 +17613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2305,12 +2310,12 @@
+@@ -2305,12 +2321,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -15980,7 +17629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2342,10 +2347,10 @@
+@@ -2342,10 +2358,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -15993,7 +17642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2377,12 +2382,12 @@
+@@ -2377,12 +2393,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -16009,7 +17658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2414,12 +2419,12 @@
+@@ -2414,12 +2430,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -16025,7 +17674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2451,12 +2456,12 @@
+@@ -2451,12 +2467,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -16041,7 +17690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2501,11 +2506,11 @@
+@@ -2501,11 +2517,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -16055,7 +17704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2550,11 +2555,11 @@
+@@ -2550,11 +2566,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -16069,7 +17718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2594,11 +2599,11 @@
+@@ -2594,11 +2610,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -16083,7 +17732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2628,11 +2633,11 @@
+@@ -2628,11 +2644,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -16097,7 +17746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2662,11 +2667,11 @@
+@@ -2662,11 +2678,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -16111,7 +17760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2698,10 +2703,10 @@
+@@ -2698,10 +2714,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -16124,7 +17773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2733,10 +2738,10 @@
+@@ -2733,10 +2749,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -16137,7 +17786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2766,12 +2771,12 @@
+@@ -2766,12 +2782,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -16153,7 +17802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2803,10 +2808,10 @@
+@@ -2803,10 +2819,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -16166,7 +17815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2838,10 +2843,48 @@
+@@ -2838,10 +2854,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -16217,7 +17866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2871,12 +2914,12 @@
+@@ -2871,12 +2925,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -16233,7 +17882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2908,10 +2951,10 @@
+@@ -2908,10 +2962,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -16246,7 +17895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2943,12 +2986,12 @@
+@@ -2943,12 +2997,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -16262,7 +17911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2980,11 +3023,11 @@
+@@ -2980,11 +3034,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -16276,7 +17925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3016,11 +3059,11 @@
+@@ -3016,11 +3070,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -16290,7 +17939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3052,11 +3095,11 @@
+@@ -3052,11 +3106,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -16304,7 +17953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3088,11 +3131,11 @@
+@@ -3088,11 +3142,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -16318,7 +17967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3124,11 +3167,11 @@
+@@ -3124,11 +3178,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -16332,7 +17981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3173,10 +3216,10 @@
+@@ -3173,10 +3227,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -16345,7 +17994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($2)
  ')
  
-@@ -3217,10 +3260,10 @@
+@@ -3217,10 +3271,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -16358,7 +18007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3248,6 +3291,42 @@
+@@ -3248,6 +3302,42 @@
  ##	</summary>
  ## </param>
  #
@@ -16401,7 +18050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4225,11 +4304,11 @@
+@@ -4225,11 +4315,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -16415,7 +18064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4245,10 +4324,10 @@
+@@ -4245,10 +4335,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -16428,7 +18077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4264,11 +4343,11 @@
+@@ -4264,11 +4354,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -16442,7 +18091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4283,16 +4362,16 @@
+@@ -4283,16 +4373,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -16462,7 +18111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4301,33 +4380,48 @@
+@@ -4301,12 +4391,27 @@
  ##	</summary>
  ## </param>
  #
@@ -16475,40 +18124,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
 -	dontaudit $1 staff_home_t:file append;
 +	dontaudit $1 user_home_t:file append_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read files in the staff users home directory.
-+##	Do not audit attempts to append to the staff
-+##	users home directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_staff_home_content_files',`
--	gen_require(`
--		type staff_home_dir_t, staff_home_t;
-+interface(`userdom_dontaudit_append_staff_home_content_files',`
-+	userdom_dontaudit_append_unpriv_home_content_files($1)
 +')
 +
 +########################################
 +## <summary>
-+##	Read files in the staff users home directory.
++##	Do not audit attempts to append to the staff
++##	users home directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_read_staff_home_content_files',`
-+	gen_require(`
++interface(`userdom_dontaudit_append_staff_home_content_files',`
++	userdom_dontaudit_append_unpriv_home_content_files($1)
+ ')
+ 
+ ########################################
+@@ -4321,13 +4426,13 @@
+ #
+ interface(`userdom_read_staff_home_content_files',`
+ 	gen_require(`
+-		type staff_home_dir_t, staff_home_t;
 +		type user_home_dir_t, user_home_t;
  	')
  
@@ -16522,7 +18160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4525,10 +4619,10 @@
+@@ -4525,10 +4630,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -16535,7 +18173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4545,10 +4639,10 @@
+@@ -4545,10 +4650,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -16548,7 +18186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4563,10 +4657,10 @@
+@@ -4563,10 +4668,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -16561,7 +18199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4582,10 +4676,10 @@
+@@ -4582,10 +4687,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -16574,7 +18212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4600,10 +4694,10 @@
+@@ -4600,10 +4705,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -16587,7 +18225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4619,10 +4713,10 @@
+@@ -4619,10 +4724,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -16600,7 +18238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4638,12 +4732,11 @@
+@@ -4638,12 +4743,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -16616,7 +18254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4670,10 +4763,10 @@
+@@ -4670,10 +4774,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -16629,7 +18267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4688,10 +4781,10 @@
+@@ -4688,10 +4792,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -16642,7 +18280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4706,13 +4799,13 @@
+@@ -4706,13 +4810,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -16660,7 +18298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4748,11 +4841,48 @@
+@@ -4748,11 +4852,48 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -16710,7 +18348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4772,6 +4902,14 @@
+@@ -4772,6 +4913,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -16725,7 +18363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5109,7 +5247,7 @@
+@@ -5109,7 +5258,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -16734,7 +18372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5436,49 @@
+@@ -5298,6 +5447,49 @@
  
  ########################################
  ## <summary>
@@ -16784,7 +18422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5503,6 +5684,24 @@
+@@ -5503,6 +5695,42 @@
  
  ########################################
  ## <summary>
@@ -16806,10 +18444,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +## <summary>
++##	Write all unprivileged users lnk_files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_unpriv_users_tmp_symlinks',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	manage_lnk_files_pattern($1, user_tmp_t,  user_tmp_t)
++')
++
++########################################
++## <summary>
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5867,42 @@
+@@ -5668,6 +5896,42 @@
  
  ########################################
  ## <summary>
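Review bot: The summary of the new `userdom_manage_unpriv_users_tmp_symlinks` interface says "Write all unprivileged users lnk_files in /tmp", but the body calls `manage_lnk_files_pattern`, which grants the full manage permission set (create, rename, link and unlink as well as read/write), so the documentation understates what a caller receives. Reword it to match the sibling manage interfaces: `##	Create, read, write, and delete unprivileged users symbolic links in /tmp`. The call also carries a doubled space before its third argument; `manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)` is the form used elsewhere in this file.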
@@ -16852,7 +18508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +5933,277 @@
+@@ -5698,3 +5962,277 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -17132,8 +18788,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.5/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.te	2007-12-19 05:38:09.000000000 -0500
-@@ -17,20 +17,13 @@
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.te	2008-01-02 14:18:19.000000000 -0500
+@@ -2,12 +2,7 @@
+ policy_module(userdomain,2.5.0)
+ 
+ gen_require(`
+-	role sysadm_r, staff_r, user_r;
+-
+-	ifdef(`enable_mls',`
+-		role secadm_r;
+-		role auditadm_r;
+-	')
++	role sysadm_r;
+ ')
+ 
+ ########################################
+@@ -17,20 +12,13 @@
  
  ## <desc>
  ## <p>
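Review bot: `policy_module(userdomain,2.5.0)` is left untouched although this patch removes the staff and user domain templates from userdomain.te (later hunks) and moves them into new users/staff.te and users/user.te modules, so modules that depend on the old userdomain contents cannot tell the interface changed. Reference policy convention is to bump the module version whenever its interfaces or declared types change; unless the number is deliberately kept in step with upstream, `policy_module(userdomain,2.6.0)` would record the split.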
@@ -17155,7 +18825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## Allow users to connect to PostgreSQL
  ## </p>
  ## </desc>
-@@ -74,6 +67,9 @@
+@@ -74,6 +62,9 @@
  # users home directory contents
  attribute home_type;
  
@@ -17165,10 +18835,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  # The privhome attribute identifies every domain that can create files under
  # regular user home directories in the regular context (IE act on behalf of
  # a user in writing regular files)
-@@ -101,6 +97,43 @@
+@@ -101,40 +92,49 @@
  attribute untrusted_content_type;
  attribute untrusted_content_tmp_type;
  
+-########################################
+-#
+-# Local policy
+-#
 +type admin_home_t, home_type;
 +files_type(admin_home_t)
 +files_associate_tmp(admin_home_t)
@@ -17192,24 +18866,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +files_poly(user_home_dir_t)
 +files_poly_member(user_home_dir_t)
 +files_poly_parent(user_home_dir_t)
-+
+ 
+-userdom_admin_user_template(sysadm)
+-userdom_unpriv_user_template(staff)
+-userdom_unpriv_user_template(user)
 +type user_tmp_t, user_file_type, user_tmpfile;
 +files_tmp_file(user_tmp_t)
-+
+ 
+-# user role change rules:
+-# sysadm_r can change to user roles
+-userdom_role_change_template(sysadm, user)
+-userdom_role_change_template(sysadm, staff)
+-
+-# only staff_r can change to sysadm_r
+-userdom_role_change_template(staff, sysadm)
+-dontaudit staff_t admin_terminal:chr_file { read write };
+-
+-ifdef(`enable_mls',`
+-	userdom_unpriv_user_template(secadm)
+-	userdom_unpriv_user_template(auditadm)
 +##############################
 +#
 +# User home directory file rules
 +#
-+
+ 
+-	userdom_role_change_template(staff, auditadm)
+-	userdom_role_change_template(staff, secadm)
 +allow user_file_type user_home_t:filesystem associate;
-+
+ 
+-	userdom_role_change_template(sysadm, secadm)
+-	userdom_role_change_template(sysadm, auditadm)
 +# Rules used to associate a homedir as a mountpoint
 +allow user_home_t self:filesystem associate;
-+
+ 
+-	userdom_role_change_template(auditadm, secadm)
+-	userdom_role_change_template(auditadm, sysadm)
++########################################
++#
++# Local policy
++#
+ 
+-	userdom_role_change_template(secadm, auditadm)
+-	userdom_role_change_template(secadm, sysadm)
+-')
++userdom_admin_user_template(sysadm)
+ 
  ########################################
  #
- # Local policy
-@@ -154,6 +187,11 @@
+@@ -154,6 +154,11 @@
  
  init_exec(sysadm_t)
  
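Review bot: The `userdom_role_change_template(sysadm, user)` and `userdom_role_change_template(sysadm, staff)` calls removed here (together with the sysadm/secadm/auditadm pairs in the removed MLS block) are not re-created in the new per-user modules later in this patch: staff.te carries only `userdom_role_change_template(staff, sysadm)`, auditadm.te only `userdom_role_change_template(staff, auditadm)`, secadm.te only `userdom_role_change_template(staff, secadm)`, and user.te none, so a sysadm_r shell loses the ability to newrole into user_r or staff_r unless that is supplied somewhere outside this diff. If the drop is deliberate it should be stated in the spec changelog entry, which currently only says the roles were changed to "work correctly"; otherwise the sysadm-side pairs belong in staff.te and user.te next to the existing staff-to-sysadm call. The same gap applies to the auditadm.te and secadm.te hunks, where the secadm/auditadm and the two to-sysadm transitions disappeared with the block removed here.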
@@ -17221,7 +18925,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  # Following for sending reboot and wall messages
  userdom_use_unpriv_users_ptys(sysadm_t)
  userdom_use_unpriv_users_ttys(sysadm_t)
-@@ -224,6 +262,10 @@
+@@ -170,46 +175,7 @@
+ 	')
+ ')
+ 
+-ifdef(`enable_mls',`
+-	allow auditadm_t self:capability { dac_read_search dac_override };
+-	seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+-	domain_kill_all_domains(auditadm_t)
+-        seutil_read_bin_policy(auditadm_t)
+-	corecmd_exec_shell(auditadm_t)
+-	logging_send_syslog_msg(auditadm_t)
+-        logging_read_generic_logs(auditadm_t)
+-	logging_manage_audit_log(auditadm_t)
+-	logging_manage_audit_config(auditadm_t)
+-	logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+-	logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+-	userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+-
+-	allow secadm_t self:capability { dac_read_search dac_override };
+-	corecmd_exec_shell(secadm_t)
+-	domain_obj_id_change_exemption(secadm_t)
+-	mls_process_read_up(secadm_t)
+-	mls_file_read_all_levels(secadm_t)
+-	mls_file_write_all_levels(secadm_t)
+-	mls_file_upgrade(secadm_t)
+-	mls_file_downgrade(secadm_t)
+-        auth_relabel_all_files_except_shadow(secadm_t)
+-	dev_relabel_all_dev_nodes(secadm_t)
+-	auth_relabel_shadow(secadm_t)
+-	init_exec(secadm_t)
+-	logging_read_audit_log(secadm_t)
+-        logging_read_generic_logs(secadm_t)
+-	logging_read_audit_config(secadm_t)
+-	userdom_dontaudit_append_staff_home_content_files(secadm_t)
+-	userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+-
+-	optional_policy(`
+-		aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+-	')
+-
+-	optional_policy(`
+-		netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+-	')
+-',`
++ifdef(`enable_mls',`',`
+ 	logging_manage_audit_log(sysadm_t)
+ 	logging_manage_audit_config(sysadm_t)
+ 	logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
+@@ -224,6 +190,10 @@
  ')
  
  optional_policy(`
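Review bot: The MLS arm of `ifdef(`enable_mls',`',`` is now an empty string with nothing explaining why, which reads like a leftover of the block deletion rather than a decision. A one-line comment above it, `# MLS builds: audit management is granted to auditadm_t in users/auditadm.te, not to sysadm_t`, tells the next reader where the removed rules went. The else arm of this ifdef continues past the end of the hunk.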
@@ -17232,7 +18984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
-@@ -279,14 +321,6 @@
+@@ -279,14 +249,6 @@
  ')
  
  optional_policy(`
@@ -17247,7 +18999,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	cron_admin_template(sysadm, sysadm_t, sysadm_r)
  ')
  
-@@ -352,6 +386,10 @@
+@@ -302,12 +264,9 @@
+ 
+ optional_policy(`
+ 	dmesg_exec(sysadm_t)
+-
+-	ifdef(`enable_mls',`
+-		dmesg_exec(auditadm_t)
+-	')
+ ')
+ 
++
+ optional_policy(`
+ 	dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
+ ')
+@@ -352,6 +311,10 @@
  ')
  
  optional_policy(`
@@ -17258,7 +19024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	lvm_run(sysadm_t, sysadm_r, admin_terminal)
  ')
  
-@@ -387,6 +425,10 @@
+@@ -387,6 +350,10 @@
  ')
  
  optional_policy(`
@@ -17269,7 +19035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	netutils_run(sysadm_t, sysadm_r, admin_terminal)
  	netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
  	netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
-@@ -436,15 +478,20 @@
+@@ -436,15 +403,19 @@
  
  optional_policy(`
  	samba_run_net(sysadm_t, sysadm_r, admin_terminal)
@@ -17283,14 +19049,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
  
  	ifdef(`enable_mls',`
- 		userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
+-		userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
 +#		tunable_policy(`allow_sysadm_manage_security',`
 +			userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
 +#		')
  	', `
  		userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
  	')
-@@ -487,3 +534,15 @@
+@@ -487,3 +458,8 @@
  optional_policy(`
  	yam_run(sysadm_t, sysadm_r, admin_terminal)
  ')
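Review bot: Replacing `userdom_security_admin_template(secadm_t, secadm_r, ...)` with `userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)` makes the `enable_mls` arm identical to the non-MLS arm, so on MLS builds sysadm_t now receives the security-admin rules in addition to the dedicated secadm_t created in users/secadm.te, and the separation of system administration from security administration that this ifdef existed to enforce is gone. The commented-out `tunable_policy(`allow_sysadm_manage_security',` shows the intent was to make this switchable: either declare the boolean with `gen_tunable` and restore the guard, or collapse the ifdef into a single unconditional call and record the decision in a comment such as `# sysadm_t is also a security admin on MLS; secadm_t remains the dedicated role`. The optional_policy block enclosing this ifdef starts before the hunk.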
@@ -17299,13 +19065,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	term_use_console(userdomain)
 +')
 +
-+optional_policy(`
-+	netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
-+	netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
-+	netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
-+	netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
-+')
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.5/policy/modules/system/virt.fc
 --- nsaserefpolicy/policy/modules/system/virt.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/system/virt.fc	2007-12-19 05:38:09.000000000 -0500
@@ -17615,6 +19374,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 +	fs_read_nfs_symlinks(xend_t)
 +	fstools_manage_nfs(xend_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.2.5/policy/modules/users/auditadm.fc
+--- nsaserefpolicy/policy/modules/users/auditadm.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/auditadm.fc	2008-01-02 11:37:55.000000000 -0500
+@@ -0,0 +1 @@
++# No auditadm file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.if serefpolicy-3.2.5/policy/modules/users/auditadm.if
+--- nsaserefpolicy/policy/modules/users/auditadm.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/auditadm.if	2008-01-02 11:36:36.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for auditadm user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.te serefpolicy-3.2.5/policy/modules/users/auditadm.te
+--- nsaserefpolicy/policy/modules/users/auditadm.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/auditadm.te	2008-01-02 11:38:04.000000000 -0500
+@@ -0,0 +1,25 @@
++policy_module(auditadm,1.0.1)
++gen_require(`
++	role staff_r;
++')
++
++userdom_unpriv_user_template(auditadm)
++
++userdom_role_change_template(staff, auditadm)
++
++allow auditadm_t self:capability { dac_read_search dac_override };
++seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++domain_kill_all_domains(auditadm_t)
++seutil_read_bin_policy(auditadm_t)
++corecmd_exec_shell(auditadm_t)
++logging_send_syslog_msg(auditadm_t)
++logging_read_generic_logs(auditadm_t)
++logging_manage_audit_log(auditadm_t)
++logging_manage_audit_config(auditadm_t)
++logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
++
++optional_policy(`
++	dmesg_exec(auditadm_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.5/policy/modules/users/guest.fc
 --- nsaserefpolicy/policy/modules/users/guest.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/users/guest.fc	2007-12-19 05:38:09.000000000 -0500
@@ -17680,6 +19478,143 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadat
 +++ serefpolicy-3.2.5/policy/modules/users/metadata.xml	2007-12-19 05:38:09.000000000 -0500
 @@ -0,0 +1 @@
 +<summary>Policy modules for users</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.fc serefpolicy-3.2.5/policy/modules/users/secadm.fc
+--- nsaserefpolicy/policy/modules/users/secadm.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/secadm.fc	2008-01-02 11:40:47.000000000 -0500
+@@ -0,0 +1 @@
++# No secadm file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.if serefpolicy-3.2.5/policy/modules/users/secadm.if
+--- nsaserefpolicy/policy/modules/users/secadm.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/secadm.if	2008-01-02 11:40:35.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for secadm user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.te serefpolicy-3.2.5/policy/modules/users/secadm.te
+--- nsaserefpolicy/policy/modules/users/secadm.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/secadm.te	2008-01-02 14:52:04.000000000 -0500
+@@ -0,0 +1,39 @@
++policy_module(secadm,1.0.1)
++gen_require(`
++	role staff_r;
++')
++
++userdom_unpriv_user_template(secadm)
++userdom_role_change_template(staff, secadm)
++
++allow secadm_t self:capability { dac_read_search dac_override };
++corecmd_exec_shell(secadm_t)
++domain_obj_id_change_exemption(secadm_t)
++mls_process_read_up(secadm_t)
++mls_file_read_all_levels(secadm_t)
++mls_file_write_all_levels(secadm_t)
++mls_file_upgrade(secadm_t)
++mls_file_downgrade(secadm_t)
++auth_relabel_all_files_except_shadow(secadm_t)
++dev_relabel_all_dev_nodes(secadm_t)
++auth_relabel_shadow(secadm_t)
++init_exec(secadm_t)
++logging_read_audit_log(secadm_t)
++logging_read_generic_logs(secadm_t)
++logging_read_audit_config(secadm_t)
++userdom_dontaudit_append_staff_home_content_files(secadm_t)
++userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
++
++userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
++
++optional_policy(`
++	aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
++')
++
++optional_policy(`
++	netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
++')
++
++optional_policy(`
++	dmesg_exec(secadm_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.fc serefpolicy-3.2.5/policy/modules/users/staff.fc
+--- nsaserefpolicy/policy/modules/users/staff.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/staff.fc	2008-01-02 11:12:56.000000000 -0500
+@@ -0,0 +1 @@
++# No staff file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.if serefpolicy-3.2.5/policy/modules/users/staff.if
+--- nsaserefpolicy/policy/modules/users/staff.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/staff.if	2008-01-02 11:13:02.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for staff user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
+--- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-03 17:06:13.000000000 -0500
+@@ -0,0 +1,31 @@
++policy_module(staff,1.0.1)
++userdom_unpriv_user_template(staff)
++
++# only staff_r can change to sysadm_r
++userdom_role_change_template(staff, sysadm)
++userdom_dontaudit_use_sysadm_terms(staff_t)
++
++optional_policy(`
++	xserver_per_role_template(staff, staff_t, staff_r)
++')
++
++sudo_per_role_template(staff, staff_t, staff_r)
++seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
++
++optional_policy(`
++	java_per_role_template(staff, staff_t, staff_r)
++')
++
++optional_policy(`
++	mono_per_role_template(staff, staff_t, staff_r)
++')
++
++optional_policy(`
++	gpg_per_role_template(staff, staff_usertype, staff_r)
++')
++
++optional_policy(`
++	netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
++	netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.5/policy/modules/users/user.fc
+--- nsaserefpolicy/policy/modules/users/user.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/user.fc	2008-01-02 11:13:33.000000000 -0500
+@@ -0,0 +1 @@
++# No user file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if serefpolicy-3.2.5/policy/modules/users/user.if
+--- nsaserefpolicy/policy/modules/users/user.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/user.if	2008-01-02 11:13:21.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for user user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.2.5/policy/modules/users/user.te
+--- nsaserefpolicy/policy/modules/users/user.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/user.te	2008-01-03 13:17:42.000000000 -0500
+@@ -0,0 +1,25 @@
++policy_module(user,1.0.1)
++userdom_unpriv_user_template(user)
++
++optional_policy(`
++	java_per_role_template(user, user_t, user_r)
++')
++
++optional_policy(`
++	mono_per_role_template(user, user_t, user_r)
++')
++
++optional_policy(`
++	xserver_per_role_template(user, user_t, user_r)
++')
++
++optional_policy(`
++	gpg_per_role_template(user, user_usertype, user_r)
++')
++
++optional_policy(`
++	netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
++	netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
++')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.5/policy/modules/users/webadm.fc
 --- nsaserefpolicy/policy/modules/users/webadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/users/webadm.fc	2007-12-19 05:38:09.000000000 -0500
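Review bot: In staff.te `sudo_per_role_template(staff, staff_t, staff_r)` and `seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })` are called unconditionally while the java, mono, xserver, gpg and netutils templates around them sit inside `optional_policy(`...')`; unless sudo and selinuxutil are guaranteed to be present in every build that loads staff, the module fails to link when one of them is missing. Either wrap them like their siblings or add `# sudo and selinuxutil are hard requirements of the staff role` so the dependency is explicit. `gpg_per_role_template(staff, staff_usertype, staff_r)` (and the user.te counterpart with `user_usertype`) passes the usertype attribute where every other template in these files passes the `_t` type — presumably deliberate so that derived domains are covered, but a comment saying so would save the next reader a lookup. Minor: secadm.te and auditadm.te start at `policy_module(..., 1.0.1)` rather than 1.0.0, and user.te ends with two trailing blank lines.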
@@ -17692,7 +19627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.5/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/webadm.te	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/users/webadm.te	2008-01-02 11:22:34.000000000 -0500
 @@ -0,0 +1,42 @@
 +policy_module(webadm,1.0.0)
 +
@@ -17732,10 +19667,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t })
 +
 +gen_require(`
-+	type gadmin_t;
++	type staff_t;
 +')
-+allow gadmin_t webadm_t:process transition;
-+allow webadm_t gadmin_t:dir getattr;
++allow staff_t webadm_t:process transition;
++allow webadm_t staff_t:dir getattr;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.5/policy/modules/users/xguest.fc
 --- nsaserefpolicy/policy/modules/users/xguest.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/users/xguest.fc	2007-12-19 05:38:09.000000000 -0500
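Review bot: The `gen_require(` type staff_t; ')` at the bottom of webadm.te now hard-binds webadm to the new staff module (where staff_t is created by `userdom_unpriv_user_template(staff)` in this patch), and unlike the other modules added here it sits after the rules instead of at the top of the file. If staff can ever be absent from a build that loads webadm, the require and the two `allow` lines should go inside `optional_policy(`...')`; if staff is always loaded, move the require up next to `policy_module` and say so in a comment. The bare `allow staff_t webadm_t:process transition;` is also the hand-written form of what `userdom_role_change_template` provides elsewhere in this patch; if there is a reason not to use the template here, a one-line comment should give it.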
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 44830cd..a870114 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-8
+- Change user and staff roles to work correctly with varied perms
+
 * Mon Dec 31 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-7
 - Fix munin log,
 - Eliminate duplicate mozilla file context