diff --git a/policy-F14.patch b/policy-F14.patch index 5df9114..11cdb34 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -9046,18 +9046,9 @@ index 252913b..a1bbe8f 100644 consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te -index 1875064..a3ddd43 100644 +index 1875064..20d9333 100644 --- a/policy/modules/roles/dbadm.te +++ b/policy/modules/roles/dbadm.te -@@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false) - - role dbadm_r; - --userdom_base_user_template(dbadm) -+userdom_unpriv_user_template(dbadm) - - ######################################## - # @@ -58,3 +58,7 @@ optional_policy(` optional_policy(` postgresql_admin(dbadm_t, dbadm_r) @@ -26171,7 +26162,7 @@ index 6f1e3c7..39c2bb3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..8696a6e 100644 +index da2601a..6ff8f25 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -26229,15 +26220,13 @@ index da2601a..8696a6e 100644 # Client read xserver shm allow $2 xserver_t:fd use; -@@ -89,14 +99,19 @@ interface(`xserver_restricted_role',` +@@ -89,14 +99,17 @@ interface(`xserver_restricted_role',` dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) - dev_dontaudit_rw_dri($2) + tunable_policy(`user_direct_dri',` + dev_rw_dri($2) -+ ',` -+ dev_dontaudit_rw_dri($2) + ') + # GNOME checks for usb and other devices: @@ -26251,7 +26240,7 @@ index da2601a..8696a6e 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -148,6 +163,7 @@ interface(`xserver_role',` +@@ -148,6 +161,7 @@ interface(`xserver_role',` allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; 
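Review bot: Removing the else arm of the `tunable_policy` in the xserver.if hunk headed `@@ -89,14 +99,17 @@ interface(`xserver_restricted_role',`` means that whenever the user_direct_dri boolean is off, every DRI device access attempted by a restricted user domain becomes an audited denial, whereas the pre-patch policy silenced those with an unconditional dev_dontaudit_rw_dri($2) and the previous revision of this patch kept that as the else branch. If the extra AVC noise is not intended, keep the removed else arm (the `dev_dontaudit_rw_dri($2)` branch) after `dev_rw_dri($2)`; if it is intended so that denied direct-rendering attempts stay visible, a comment above the block such as `# DRI denials are audited on purpose when user_direct_dri is off` would record that. The body of xserver_restricted_role begins and ends outside this hunk, and the remaining hunks on this line only renumber inner hunk headers by the two dropped lines, which appears consistent.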
@@ -26259,7 +26248,7 @@ index da2601a..8696a6e 100644 manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) -@@ -197,7 +213,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +211,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -26268,7 +26257,7 @@ index da2601a..8696a6e 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +307,12 @@ interface(`xserver_user_client',` +@@ -291,12 +305,12 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26284,7 +26273,7 @@ index da2601a..8696a6e 100644 allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',` +@@ -355,6 +369,12 @@ template(`xserver_common_x_domain_template',` class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -26297,7 +26286,7 @@ index da2601a..8696a6e 100644 ') ############################## -@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +406,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -26313,7 +26302,7 @@ index da2601a..8696a6e 100644 ') ####################################### -@@ -476,6 +507,7 @@ template(`xserver_user_x_domain_template',` +@@ -476,6 +505,7 @@ template(`xserver_user_x_domain_template',` xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) 
@@ -26321,7 +26310,7 @@ index da2601a..8696a6e 100644 # X object manager xserver_object_types_template($1) -@@ -545,6 +577,27 @@ interface(`xserver_domtrans_xauth',` +@@ -545,6 +575,27 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -26349,7 +26338,7 @@ index da2601a..8696a6e 100644 ') ######################################## -@@ -598,6 +651,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +649,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -26357,7 +26346,7 @@ index da2601a..8696a6e 100644 ') ######################################## -@@ -725,10 +779,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -725,10 +777,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_tmp_t; @@ -26370,7 +26359,7 @@ index da2601a..8696a6e 100644 ') ######################################## -@@ -805,7 +861,7 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +859,7 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -26379,7 +26368,7 @@ index da2601a..8696a6e 100644 ') ######################################## -@@ -916,7 +972,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +970,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -26388,7 +26377,7 @@ index da2601a..8696a6e 100644 ') ######################################## -@@ -963,6 +1019,44 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1017,44 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -26433,7 +26422,7 @@ index da2601a..8696a6e 100644 ## Read xdm temporary files. ## ## -@@ -1224,9 +1318,20 @@ interface(`xserver_manage_core_devices',` +@@ -1224,9 +1316,20 @@ interface(`xserver_manage_core_devices',` class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; 
@@ -26454,7 +26443,7 @@ index da2601a..8696a6e 100644 ') ######################################## -@@ -1250,3 +1355,329 @@ interface(`xserver_unconfined',` +@@ -1250,3 +1353,329 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -29001,7 +28990,7 @@ index f6aafe7..7da8294 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index bd45076..a1b6d56 100644 +index bd45076..a100eb6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -29115,7 +29104,7 @@ index bd45076..a1b6d56 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -185,15 +216,80 @@ tunable_policy(`init_upstart',` +@@ -185,23 +216,92 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -29164,11 +29153,6 @@ index bd45076..a1b6d56 100644 + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) -+ -+ optional_policy(` -+ plymouthd_stream_connect(init_t) -+ plymouthd_exec_plymouth(init_t) -+ ') +') + optional_policy(` @@ -29196,7 +29180,13 @@ index bd45076..a1b6d56 100644 nscd_socket_use(init_t) ') -@@ -202,6 +298,10 @@ optional_policy(` + optional_policy(` ++ plymouthd_stream_connect(init_t) ++ plymouthd_exec_plymouth(init_t) ++') ++ ++optional_policy(` + sssd_stream_connect(init_t) ') optional_policy(`
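Review bot: Moving `plymouthd_stream_connect(init_t)` and `plymouthd_exec_plymouth(init_t)` out of the block that closes with `+')` right after `seutil_read_file_contexts(init_t)` (hunk `@@ -29164`) and re-adding them as a top-level `optional_policy(` beside the sssd block (hunk `@@ -29196`) makes init_t's permission to execute plymouth and connect to plymouthd unconditional, whereas before it was gated by whatever opened that enclosing block; the opener lies outside this hunk and is presumably a tunable or distro conditional, so the widening should be confirmed against it. If the widening is intended, a one-line comment on the new block, e.g. `# plymouth access for init is intentionally unconditional`, would keep the next reader from re-gating it; if not, the two calls belong back inside the conditional. The merged inner header `@@ -185,23 +216,92 @@` appears consistent with the two hunks it joins.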