diff --git a/policy-20080710.patch b/policy-20080710.patch index afa5c31..5d8bb6e 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -1691,8 +1691,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-06-12 23:25:08.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te 2008-07-28 08:40:54.000000000 -0400 -@@ -22,12 +22,16 @@ ++++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te 2008-07-31 07:13:29.000000000 -0400 +@@ -22,12 +22,18 @@ dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) @@ -1706,10 +1706,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap +files_getattr_lost_found_dirs(tmpreaper_t) +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) ++files_delete_usr_dirs(tmpreaper_t) ++files_delete_usr_files(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -42,6 +46,26 @@ +@@ -42,6 +48,23 @@ cron_system_entry(tmpreaper_t,tmpreaper_exec_t) @@ -1717,9 +1719,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap +userdom_delete_all_users_home_content_files(tmpreaper_t) +userdom_delete_all_users_home_content_symlinks(tmpreaper_t) + -+files_manage_isid_type_dirs(tmpreaper_t) -+files_delete_isid_type_files(tmpreaper_t) -+ +optional_policy(` + amavis_manage_spool_files(tmpreaper_t) +') 
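Review bot: The two rules added to the tmpreaper.te section, `files_delete_usr_dirs(tmpreaper_t)` and `files_delete_usr_files(tmpreaper_t)`, give a cron-started cleanup domain delete rights on usr-labelled content, with no comment saying which path needs them. The same section already grants `mls_file_write_all_levels(tmpreaper_t)` and deletion of all users' home content, so this domain is worth keeping narrow. If the need is only for usr-labelled files that end up inside temporary directories (an assumption; no denial is shown), record that in a comment such as `# files moved into /tmp keep their usr_t label`. Also confirm the grant does not extend to deleting content under /usr itself.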
@@ -5195,7 +5194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.1/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2008-07-10 14:13:44.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/qemu.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/apps/qemu.if 2008-08-01 08:42:09.000000000 -0400 @@ -104,7 +104,71 @@ ######################################## 
@@ -5306,91 +5305,94 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if ## Creates types and rules for a basic ## qemu process domain. ## -@@ -133,24 +227,23 @@ +@@ -132,86 +226,91 @@ + ## # template(`qemu_domain_template',` ++ gen_require(` ++ attribute qemutype; ++ ') - ############################## - # - # Local Policy - # - - type $1_t; +- type $1_t; ++ type $1_t, qemutype; domain_type($1_t) type $1_tmp_t; files_tmp_file($1_tmp_t) +- ############################## +- # +- # Local Policy +- # +- +- allow $1_t self:capability { dac_read_search dac_override }; +- allow $1_t self:process { execstack execmem signal getsched }; +- allow $1_t self:fifo_file rw_file_perms; +- allow $1_t self:shm create_shm_perms; +- allow $1_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_t self:tcp_socket create_stream_socket_perms; + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + - ############################## - # - # Local Policy - # - - allow $1_t self:capability { dac_read_search dac_override }; -- allow $1_t self:process { execstack execmem signal getsched }; -+ allow $1_t self:process { execstack execmem signal getsched signull }; ++ type $1_image_t; ++ virt_image($1_image_t) + - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; -@@ -160,6 +253,11 @@ ++ manage_dirs_pattern($1, $1_image_t, $1_image_t) ++ manage_files_pattern($1, $1_image_t, $1_image_t) ++ read_lnk_files_pattern($1, $1_image_t, $1_image_t) ++ rw_blk_files_pattern($1, $1_image_t, $1_image_t) + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) +- kernel_read_system_state($1_t) +- +- corenet_all_recvfrom_unlabeled($1_t) +- corenet_all_recvfrom_netlabel($1_t) +- corenet_tcp_sendrecv_all_if($1_t) +- corenet_tcp_sendrecv_all_nodes($1_t) +- corenet_tcp_sendrecv_all_ports($1_t) 
+- corenet_tcp_bind_all_nodes($1_t) +- corenet_tcp_bind_vnc_port($1_t) +- corenet_rw_tun_tap_dev($1_t) +- +-# dev_rw_kvm($1_t) +- +- domain_use_interactive_fds($1_t) +- +- files_read_etc_files($1_t) +- files_read_usr_files($1_t) +- files_read_var_files($1_t) +- files_search_all($1_t) +- +- fs_list_inotifyfs($1_t) +- fs_rw_anon_inodefs_files($1_t) +- fs_rw_tmpfs_files($1_t) +- +- storage_raw_write_removable_device($1_t) +- storage_raw_read_removable_device($1_t) +- +- term_use_ptmx($1_t) +- term_getattr_pty_fs($1_t) +- term_use_generic_ptys($1_t) +- +- libs_use_ld_so($1_t) +- libs_use_shared_libs($1_t) +- +- miscfiles_read_localization($1_t) + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) -+ - kernel_read_system_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) -@@ -171,7 +269,10 @@ - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) - --# dev_rw_kvm($1_t) -+ dev_read_sound($1_t) -+ dev_write_sound($1_t) -+ dev_rw_kvm($1_t) -+ dev_rw_qemu($1_t) - - domain_use_interactive_fds($1_t) - -@@ -191,6 +292,8 @@ - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - -+ auth_use_nsswitch($1_t) -+ - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - -@@ -198,9 +301,9 @@ - - sysnet_read_config($1_t) - --# optional_policy(` --# samba_domtrans_smb($1_t) --# ') -+ optional_policy(` -+ samba_domtrans_smb($1_t) -+ ') ++') - optional_policy(` - virt_manage_images($1_t) -@@ -212,6 +315,24 @@ - xserver_stream_connect_xdm_xserver($1_t) - xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) --# xserver_xdm_rw_shm($1_t) -+ xserver_xdm_rw_shm($1_t) - ') - ') -+ +- sysnet_read_config($1_t) +######################################## +## +## Set the schedule on qemu. 
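Review bot: In the rewritten `qemu_domain_template`, the four image rules name bare `$1` as the source domain (`manage_dirs_pattern($1, $1_image_t, $1_image_t)` and the three lines after it), while every other rule in the template uses `$1_t`. With the call `qemu_domain_template(qemu)` seen later in this patch, `$1` expands to `qemu`, which as far as this page shows is a prefix and not a declared type. The rules would then either fail to build or not give the guest domain access to its own images. They should read `manage_dirs_pattern($1_t, $1_image_t, $1_image_t)`, and likewise for `manage_files_pattern`, `read_lnk_files_pattern` and `rw_blk_files_pattern`. Separately, `virt_image($1_image_t)` is called outside `optional_policy`, which makes the qemu module depend on the virt module being present; confirm that is intended.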
@@ -5405,13 +5407,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + gen_require(` + type qemu_t; + ') -+ + +-# optional_policy(` +-# samba_domtrans_smb($1_t) +-# ') + allow $1 qemu_t:process setsched; +') + +- optional_policy(` +- virt_manage_images($1_t) +- virt_read_config($1_t) +- virt_read_lib_files($1_t) ++######################################## ++## ++## Execute qemu_exec_t ++## in the specified domain but do not ++## do it automatically. This is an explicit ++## transition, requiring the caller to use setexeccon(). ++## ++## ++##

++## Execute qemu_exec_t ++## in the specified domain. This allows ++## the specified domain to qemu programs ++## on these filesystems in the specified ++## domain. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`qemu_spec_domtrans',` ++ gen_require(` ++ type qemu_exec_t; + ') + +- optional_policy(` +- xserver_stream_connect_xdm_xserver($1_t) +- xserver_read_xdm_tmp_files($1_t) +- xserver_read_xdm_pid($1_t) +-# xserver_xdm_rw_shm($1_t) +- ') ++ read_lnk_files_pattern($1,qemu_exec_t,qemu_exec_t) ++ domain_transition_pattern($1,qemu_exec_t,$2) ++ ++ allow $3 $1:fd use; ++ allow $3 $1:fifo_file rw_fifo_file_perms; ++ allow $3 $1:process sigchld; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.1/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-07-10 11:38:45.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/apps/qemu.te 2008-07-25 12:35:13.000000000 -0400 -@@ -13,6 +13,20 @@ ++++ serefpolicy-3.5.1/policy/modules/apps/qemu.te 2008-08-01 08:11:51.000000000 -0400 +@@ -6,6 +6,8 @@ + # Declarations + # + ++attribute qemutype; ++ + ## + ##

+ ## Allow qemu to connect fully to the network +@@ -13,6 +15,20 @@ ## gen_tunable(qemu_full_network, false) 
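Review bot: `qemu_spec_domtrans` documents two parameters (the calling domain and the type of the new process), but its last three rules reference `$3`: `allow $3 $1:fd use;`, `allow $3 $1:fifo_file rw_fifo_file_perms;` and `allow $3 $1:process sigchld;`. With two arguments `$3` expands to nothing, so the rules are malformed; they look copied from a three-argument transition pattern in which the target domain is the third argument. The target here is `$2`, as in the preceding `domain_transition_pattern($1,qemu_exec_t,$2)`. The lines should be `allow $2 $1:fd use;`, `allow $2 $1:fifo_file rw_fifo_file_perms;` and `allow $2 $1:process sigchld;`.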
@@ -5432,7 +5496,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te type qemu_exec_t; qemu_domain_template(qemu) application_domain(qemu_t, qemu_exec_t) -@@ -35,6 +49,22 @@ +@@ -20,9 +36,74 @@ + + ######################################## + # ++# qemu common policy ++# ++allow qemutype self:capability { dac_read_search dac_override }; ++allow qemutype self:process { execstack execmem signal getsched signull }; ++ ++allow qemutype self:fifo_file rw_file_perms; ++allow qemutype self:shm create_shm_perms; ++allow qemutype self:unix_stream_socket create_stream_socket_perms; ++allow qemutype self:tcp_socket create_stream_socket_perms; ++ ++kernel_read_system_state(qemutype) ++ ++corenet_all_recvfrom_unlabeled(qemutype) ++corenet_all_recvfrom_netlabel(qemutype) ++corenet_tcp_sendrecv_all_if(qemutype) ++corenet_tcp_sendrecv_all_nodes(qemutype) ++corenet_tcp_sendrecv_all_ports(qemutype) ++corenet_tcp_bind_all_nodes(qemutype) ++corenet_tcp_bind_vnc_port(qemutype) ++corenet_rw_tun_tap_dev(qemutype) ++ ++dev_read_sound(qemutype) ++dev_write_sound(qemutype) ++dev_rw_kvm(qemutype) ++dev_rw_qemu(qemutype) ++ ++domain_use_interactive_fds(qemutype) ++ ++files_read_etc_files(qemutype) ++files_read_usr_files(qemutype) ++files_read_var_files(qemutype) ++files_search_all(qemutype) ++ ++fs_list_inotifyfs(qemutype) ++fs_rw_anon_inodefs_files(qemutype) ++fs_rw_tmpfs_files(qemutype) ++ ++term_use_ptmx(qemutype) ++term_getattr_pty_fs(qemutype) ++term_use_generic_ptys(qemutype) ++ ++auth_use_nsswitch(qemutype) ++ ++libs_use_ld_so(qemutype) ++libs_use_shared_libs(qemutype) ++ ++miscfiles_read_localization(qemutype) ++ ++optional_policy(` ++ virt_read_config(qemutype) ++ virt_read_lib_files(qemutype) ++') ++ ++optional_policy(` ++ xserver_stream_connect_xdm_xserver(qemutype) ++ xserver_read_xdm_tmp_files(qemutype) ++ xserver_read_xdm_pid(qemutype) ++ xserver_xdm_rw_shm(qemutype) ++') ++ ++######################################## ++# + # qemu local policy + # 
+ ++storage_raw_write_removable_device(qemu_t) ++storage_raw_read_removable_device(qemu_t) ++ + tunable_policy(`qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; + +@@ -35,6 +116,30 @@ corenet_tcp_connect_all_ports(qemu_t) ') @@ -5445,6 +5584,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te +') + +optional_policy(` ++ samba_domtrans_smb(qemu_t) ++') ++ ++optional_policy(` ++ virt_manage_images(qemu_t) ++') ++ ++optional_policy(` + xen_rw_image_files(qemu_t) +') + @@ -6050,7 +6197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshar fs_manage_nfs_dirs($1_wireshark_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-07-10 11:38:44.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc 2008-07-29 15:02:20.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc 2008-07-30 15:57:01.000000000 -0400 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) 
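Review bot: The new "qemu common policy" block attaches `allow qemutype self:capability { dac_read_search dac_override };` and `execstack execmem` to the `qemutype` attribute, so every domain later created through `qemu_domain_template` inherits a DAC bypass and executable writable memory without any line in its own policy saying so. Now that the template gives each domain its own `$1_image_t`, check whether the DAC override is still required or was only a workaround for image file ownership. At minimum add a comment above the capability rule, for example `# applies to every qemu_domain_template() domain; dac_override needed for <reason>`. The same block also turns on `dev_rw_kvm` and `xserver_xdm_rw_shm`, which the upstream template had commented out, and the next hunk enables `samba_domtrans_smb(qemu_t)`; none of these carries a rationale.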
@@ -6090,15 +6237,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -190,6 +189,7 @@ - /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -184,12 +183,11 @@ + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + + /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -231,7 +231,6 @@ +@@ -231,7 +229,6 @@ /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) 
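Review bot: The two replacement entries `/usr/local/Brother(/.*)?` and `/usr/local/Printer(/.*)?` label the whole vendor tree `bin_t`, where the removed entries limited that label to the `cupswrapper` and `lpd` subdirectories. Whatever else the vendor installs there then carries an executable label for any domain allowed to run `bin_t`. Only the `inf` directories are carved out again, by the cups.fc entries later in this patch. If the broadening is needed because driver layouts differ between models, say so in a comment in corecommands.fc. Otherwise the tighter choice is to keep the per-subdirectory patterns and add the missing ones.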
@@ -6106,7 +6261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -292,3 +291,13 @@ +@@ -292,3 +289,13 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6122,7 +6277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.1/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.if 2008-08-01 08:34:00.000000000 -0400 @@ -894,6 +894,7 @@ read_lnk_files_pattern($1,bin_t,bin_t) @@ -6133,7 +6288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:25:03.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in 2008-08-01 11:17:33.000000000 -0400 @@ -75,6 +75,7 @@ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) 
@@ -6211,7 +6366,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) -@@ -170,7 +181,12 @@ +@@ -165,12 +176,17 @@ + network_port(syslogd, udp,514,s0) + network_port(telnetd, tcp,23,s0) + network_port(tftp, udp,69,s0) +-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) ++network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) + network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
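Review bot: Adding `tcp,9051,s0` to `network_port(tor, ...)` puts what is conventionally Tor's control port under the same port type as the SOCKS port 9050. Any domain allowed to connect to the tor port type can then reach the control interface as well as the proxy. If the intent is only to let the tor daemon bind 9051, check whether clients of the SOCKS port should get that reach too; the policy for those clients is outside this hunk. A short comment on the line, such as `# 9051: control port`, would at least make the distinction visible.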
@@ -12371,18 +12532,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.1/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/clamav.fc 2008-07-25 12:35:13.000000000 -0400 -@@ -5,16 +5,20 @@ ++++ serefpolicy-3.5.1/policy/modules/services/clamav.fc 2008-07-30 15:27:51.000000000 -0400 +@@ -5,16 +5,18 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) +/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) - /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) - /var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) - /var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/run/clamav-milter(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) 
@@ -12545,7 +12707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.1/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/clamav.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/clamav.te 2008-07-30 15:31:06.000000000 -0400 @@ -13,7 +13,7 @@ # configuration files @@ -12596,6 +12758,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # Freshclam local policy +@@ -197,7 +210,7 @@ + allow clamscan_t self:fifo_file rw_file_perms; + allow clamscan_t self:unix_stream_socket create_stream_socket_perms; + allow clamscan_t self:unix_dgram_socket create_socket_perms; +-allow clamscan_t self:tcp_socket { listen accept }; ++allow clamscan_t self:tcp_socket create_stream_socket_perms; + + # configuration files + allow clamscan_t clamd_etc_t:dir list_dir_perms; @@ -233,3 +246,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) @@ -13545,7 +13716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.1/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/cups.fc 2008-07-29 15:03:16.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/cups.fc 2008-07-30 11:32:44.000000000 -0400 @@ -8,24 +8,28 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
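Review bot: In the clamav.te hunk at `@@ -197,7 +210,7 @@`, `allow clamscan_t self:tcp_socket create_stream_socket_perms;` replaces `{ listen accept }` and lets the scanner domain create and use TCP sockets. The hunk adds no comment, and no matching `corenet_` rule is visible here to say which peer it is meant to reach. clamscan_t processes untrusted file content, so its network reach is worth spelling out. If this is for talking to clamd over TCP (an assumption), say so above the rule, e.g. `# clamdscan connects to clamd over TCP`. Also confirm that the connect permission is limited to the clamd port elsewhere in clamav.te.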
@@ -13589,12 +13760,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -50,3 +54,12 @@ +@@ -50,3 +54,13 @@ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) + +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Brother/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/etc/rc.d/init.d/cups -- gen_context(system_u:object_r:cups_script_exec_t,s0) @@ -15744,7 +15916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +/etc/rc.d/init.d/dovecot -- gen_context(system_u:object_r:dovecot_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.1/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/dovecot.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/dovecot.if 2008-07-30 16:47:19.000000000 -0400 @@ -21,7 +21,46 @@ ######################################## @@ -18504,7 +18676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ##

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/mta.te 2008-07-28 08:30:18.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/mta.te 2008-07-30 09:59:10.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -18514,7 +18686,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. attribute mta_user_agent; attribute mailserver_delivery; attribute mailserver_domain; -@@ -27,6 +29,7 @@ +@@ -20,13 +22,14 @@ + files_config_file(etc_mail_t) + + type mqueue_spool_t; +-files_type(mqueue_spool_t) ++files_mountpoint(mqueue_spool_t) + + type mail_spool_t; +-files_type(mail_spool_t) ++files_mountpoint(mail_spool_t) type sendmail_exec_t; application_executable_file(sendmail_exec_t) @@ -22298,7 +22479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.1/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/procmail.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/procmail.te 2008-07-30 16:18:46.000000000 -0400 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) @@ -22343,7 +22524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc mta_manage_spool(procmail_t) ifdef(`hide_broken_symptoms',` -@@ -103,6 +111,10 @@ +@@ -103,6 +111,14 @@ ') optional_policy(` 
@@ -22351,10 +22532,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') + +optional_policy(` ++ dovecot_domtrans_deliver(procmail_t) ++') ++ ++optional_policy(` munin_dontaudit_search_lib(procmail_t) ') -@@ -117,11 +129,13 @@ +@@ -117,11 +133,13 @@ optional_policy(` pyzor_domtrans(procmail_t) @@ -22368,7 +22553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc sendmail_rw_tcp_sockets(procmail_t) sendmail_rw_unix_stream_sockets(procmail_t) ') -@@ -130,7 +144,16 @@ +@@ -130,7 +148,16 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) @@ -23139,6 +23324,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis + + init_script_domtrans_spec($1,rdisc_script_exec_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.te serefpolicy-3.5.1/policy/modules/services/rdisc.te +--- nsaserefpolicy/policy/modules/services/rdisc.te 2008-06-12 23:25:05.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/rdisc.te 2008-08-01 12:03:39.000000000 -0400 +@@ -45,6 +45,8 @@ + libs_use_ld_so(rdisc_t) + libs_use_shared_libs(rdisc_t) + ++miscfiles_read_localization(rdisc_t) ++ + logging_send_syslog_msg(rdisc_t) + + sysnet_read_config(rdisc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.5.1/policy/modules/services/remotelogin.te --- nsaserefpolicy/policy/modules/services/remotelogin.te 2008-06-12 23:25:05.000000000 -0400 +++ serefpolicy-3.5.1/policy/modules/services/remotelogin.te 2008-07-25 12:35:13.000000000 -0400 
@@ -25667,8 +25864,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.1/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/spamassassin.if 2008-07-30 09:34:32.000000000 -0400 -@@ -34,10 +34,11 @@ ++++ serefpolicy-3.5.1/policy/modules/services/spamassassin.if 2008-08-01 12:25:22.000000000 -0400 +@@ -34,10 +34,10 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. template(`spamassassin_per_role_template',` @@ -25677,12 +25874,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam type spamc_exec_t, spamassassin_exec_t; - type spamd_t, spamd_tmp_t; + type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t; -+ type spamassassin_home_t, spamassassin_tmp_t; -+ type spamc_tmp_t; ++ type spamc_home_t, spamc_tmp_t; ') ############################## -@@ -45,278 +46,26 @@ +@@ -45,278 +45,24 @@ # Declarations # 
@@ -25868,33 +26064,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - corecmd_read_bin_sockets($1_spamassassin_t) - - domain_use_interactive_fds($1_spamassassin_t) -+ typealias spamc_t alias $1_spamc_t; -+ role $3 types spamc_t; - +- - files_read_etc_files($1_spamassassin_t) - files_read_etc_runtime_files($1_spamassassin_t) - files_list_home($1_spamassassin_t) - files_read_usr_files($1_spamassassin_t) - files_dontaudit_search_var($1_spamassassin_t) -+ typealias spamassassin_t alias $1_spamassassin_t; -+ role $3 types spamassassin_t; ++ typealias spamc_t alias $1_spamc_t; ++ role $3 types spamc_t; - libs_use_ld_so($1_spamassassin_t) - libs_use_shared_libs($1_spamassassin_t) -+ typealias spamassassin_home_t alias $1_spamassassin_home_t; -+ typealias spamassassin_tmp_t alias $1_spamassassin_tmp_t; -+ typealias spamc_tmp_t alias $1_spamc_tmp_t; -+ -+ manage_dirs_pattern($2, spamassassin_home_t,spamassassin_home_t) -+ manage_files_pattern($2, spamassassin_home_t,spamassassin_home_t) -+ manage_lnk_files_pattern($2, spamassassin_home_t,spamassassin_home_t) -+ relabel_dirs_pattern($2, spamassassin_home_t,spamassassin_home_t) -+ relabel_files_pattern($2, spamassassin_home_t,spamassassin_home_t) -+ relabel_lnk_files_pattern($2, spamassassin_home_t,spamassassin_home_t) ++ typealias spamassassin_t alias $1_spamassassin_t; ++ role $3 types spamassassin_t; - logging_send_syslog_msg($1_spamassassin_t) -+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) -+ domtrans_pattern($2, spamc_exec_t, spamc_t) ++ typealias spamc_home_t alias $1_spamassassin_home_t; ++ typealias spamc_tmp_t alias $1_spamassassin_tmp_t; ++ typealias spamc_tmp_t alias $1_spamc_tmp_t; ++ ++ manage_dirs_pattern($2, spamc_home_t,spamc_home_t) ++ manage_files_pattern($2, spamc_home_t,spamc_home_t) ++ manage_lnk_files_pattern($2, spamc_home_t,spamc_home_t) ++ relabel_dirs_pattern($2, spamc_home_t,spamc_home_t) ++ relabel_files_pattern($2, spamc_home_t,spamc_home_t) ++ 
relabel_lnk_files_pattern($2, spamc_home_t,spamc_home_t) - miscfiles_read_localization($1_spamassassin_t) - @@ -25974,10 +26168,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - mta_read_config($1_spamassassin_t) - sendmail_stub($1_spamassassin_t) - ') ++ domtrans_pattern($2, spamc_exec_t, spamc_t) ') ######################################## -@@ -370,7 +119,7 @@ +@@ -332,10 +78,10 @@ + # + interface(`spamassassin_exec',` + gen_require(` +- type spamassassin_exec_t; ++ type spamc_exec_t; + ') + +- can_exec($1,spamassassin_exec_t) ++ can_exec($1,spamc_exec_t) + + ') + +@@ -370,7 +116,7 @@ # interface(`spamassassin_exec_spamd',` gen_require(` @@ -25986,7 +26194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') can_exec($1,spamd_exec_t) -@@ -398,11 +147,66 @@ +@@ -398,11 +144,66 @@ ## # template(`spamassassin_domtrans_user_client',` @@ -26010,10 +26218,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +## +# +interface(`spamassassin_domtrans_spamc',` -+ gen_require(` + gen_require(` +- type $1_spamc_t, spamc_exec_t; + type spamc_t, spamc_exec_t; -+ ') -+ + ') + +- domtrans_pattern($2,spamc_exec_t,$1_spamc_t) + domtrans_pattern($1,spamc_exec_t,spamc_t) + allow $1 spamc_exec_t:file ioctl; +') 
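Review bot: `spamassassin_exec` now requires and grants `spamc_exec_t` (`can_exec($1,spamc_exec_t)`), and in the following hunks `spamassassin_domtrans` is reduced to `spamassassin_domtrans_spamc($1)`, yet the interface names and the summary "Execute spamassassin in the user spamassassin domain" still describe the standalone spamassassin program. Callers of these interfaces silently get a different executable type and target domain than the name promises, which makes later policy review harder. Update the `##` summaries to say that both interfaces now resolve to spamc. Also check whether `spamassassin_exec_t`, still listed in the template's `gen_require`, is left without any interface that grants execution of it. The spamassassin.te side of the merge is only partly visible on this page.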
@@ -26044,24 +26254,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +## +# +template(`spamassassin_read_user_home_files',` - gen_require(` -- type $1_spamc_t, spamc_exec_t; ++ gen_require(` + type spamassassin_home_t; - ') - -- domtrans_pattern($2,spamc_exec_t,$1_spamc_t) ++ ') ++ + allow $1 spamassassin_home_t:dir list_dir_perms; + allow $1 spamassassin_home_t:file read_file_perms; ') ######################################## -@@ -446,11 +250,32 @@ +@@ -446,11 +247,27 @@ ## # template(`spamassassin_domtrans_user_local_client',` +- gen_require(` +- type $1_spamassassin_t, spamassassin_exec_t; +- ') + spamassassin_domtrans($2) +') -+ + +- domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t) +######################################## +## +## Execute spamassassin in the user spamassassin domain. @@ -26079,18 +26291,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +## +# +interface(`spamassassin_domtrans',` - gen_require(` -- type $1_spamassassin_t, spamassassin_exec_t; -+ type spamassassin_t, spamassassin_exec_t; - ') - -- domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t) -+ domtrans_pattern($1,spamassassin_exec_t,spamassassin_t) -+ allow $1 spamassassin_exec_t:file ioctl; ++ spamassassin_domtrans_spamc($1) ') ######################################## -@@ -469,6 +294,7 @@ +@@ -469,6 +286,7 @@ ') files_search_var_lib($1) @@ -26098,7 +26303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) ') -@@ -528,3 +354,133 @@ +@@ -528,3 +346,133 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') 
@@ -26234,7 +26439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/spamassassin.te 2008-07-30 09:37:58.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/spamassassin.te 2008-08-01 12:22:03.000000000 -0400 @@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -26257,7 +26462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam type spamd_tmp_t; files_tmp_file(spamd_tmp_t) -@@ -41,8 +46,22 @@ +@@ -41,8 +46,23 @@ type spamd_var_run_t; files_pid_file(spamd_var_run_t) @@ -26275,6 +26480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +type spamc_home_t; +userdom_user_home_content(user,spamc_home_t) +typealias spamc_home_t alias spamassassin_home_t; ++typealias spamc_home_t alias user_spamassassin_home_t; + +type spamc_tmp_t; +files_tmp_file(spamc_tmp_t) @@ -26282,7 +26488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ######################################## # -@@ -53,7 +72,7 @@ +@@ -53,7 +73,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -26291,7 +26497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -71,6 +90,9 @@ +@@ -71,6 +91,9 @@ allow spamd_t self:udp_socket create_socket_perms; allow spamd_t self:netlink_route_socket r_netlink_socket_perms; 
@@ -26301,7 +26507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t) manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t) files_spool_filetrans(spamd_t,spamd_spool_t, { file dir }) -@@ -81,10 +103,11 @@ +@@ -81,10 +104,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -26314,7 +26520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -147,14 +170,33 @@ +@@ -147,14 +171,33 @@ userdom_use_unpriv_users_fds(spamd_t) userdom_search_unpriv_users_home_dirs(spamd_t) @@ -26349,7 +26555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -172,6 +214,7 @@ +@@ -172,6 +215,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -26357,7 +26563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') -@@ -199,6 +242,10 @@ +@@ -199,6 +243,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -26368,7 +26574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -213,3 +260,121 @@ +@@ -213,3 +261,121 @@ optional_policy(` udev_read_db(spamd_t) ') @@ -27226,7 +27432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.1/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/virt.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/virt.if 2008-08-01 08:40:25.000000000 -0400 @@ -68,12 +68,30 @@ ## ## 
@@ -27282,7 +27488,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Allow the specified domain to read virt's log files. -@@ -214,6 +232,7 @@ +@@ -196,6 +214,35 @@ + + ######################################## + ## ++## Make the specified type usable as a virt image ++## ++## ++##

++## Make the specified type usable as a virt image ++##

++##
++## ++## ++## Type to be used as a virtual image ++## ++## ++# ++# ++interface(`virt_image',` ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ ++ typeattribute $1 virt_image_type; ++ ++ files_type($1) ++ ++ # virt images can be assigned to blk devices ++ dev_node($1) ++') ++ ++######################################## ++## + ## Allow domain to manage virt image files + ## + ## +@@ -214,6 +261,7 @@ manage_dirs_pattern($1, virt_image_t, virt_image_t) manage_files_pattern($1, virt_image_t, virt_image_t) read_lnk_files_pattern($1, virt_image_t, virt_image_t) @@ -27290,7 +27532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) -@@ -243,10 +262,17 @@ +@@ -243,10 +291,17 @@ interface(`virt_admin',` gen_require(` type virtd_t; @@ -27310,7 +27552,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.1/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/virt.te 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/virt.te 2008-08-01 08:26:59.000000000 -0400 +@@ -1,6 +1,8 @@ + + policy_module(virt, 1.0.0) + ++attribute virt_image_type; ++ + ######################################## + # + # Declarations +@@ -28,9 +30,7 @@ + + # virt Image files + type virt_image_t; # customizable +-files_type(virt_image_t) +-# virt_image_t can be assigned to blk devices +-dev_node(virt_image_t) ++virt_image(virt_image_t) + + type virt_log_t; + logging_log_file(virt_log_t) @@ -45,13 +45,15 @@ type virtd_exec_t; init_daemon_domain(virtd_t, virtd_exec_t) 
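Review bot: The documentation of the new `virt_image` interface repeats its one-line summary as the description and never states the consequence of the attribute. The virt.te change later in this patch, `manage_files_pattern(virtd_t, virt_image_type, virt_image_type)`, makes every type passed here manageable by `virtd_t`. Callers should see that in the description, e.g. `## Types given this attribute can be managed by virtd_t; use only for image storage.` `dev_node($1)` is also unconditional, so a caller that wants only file-backed images still gets a device-node type. If that is intended, the existing comment could say `# always applied: any virt image type may also label a blk device`.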
@@ -27329,6 +27591,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; +@@ -64,7 +66,7 @@ + manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +-manage_files_pattern(virtd_t, virt_image_t, virt_image_t) ++manage_files_pattern(virtd_t, virt_image_type, virt_image_type) + + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) + manage_files_pattern(virtd_t, virt_log_t, virt_log_t) @@ -82,6 +84,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -27532,7 +27803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/services/xserver.if 2008-07-29 15:12:59.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/services/xserver.if 2008-07-31 17:44:32.000000000 -0400 @@ -16,7 +16,8 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -27832,7 +28103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,13 +624,175 @@ +@@ -643,11 +624,80 @@ xserver_read_xdm_tmp_files($2) @@ -27874,7 +28145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + attribute x_domain; + type $1_xserver_t; +# type $2_input_xevent_t; -+ ') + ') + +# typeattribute $2_input_xevent_t $1_input_xevent_type; + 
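Review bot: In the virt.te hunk at the start of this line, `manage_files_pattern(virtd_t, virt_image_type, virt_image_type)` uses the attribute for both the directory and the file argument. `virtd_t` therefore gets directory write access on every image type and manage rights on files of every image type, not only on matching pairs. The rule covers the `file` class only, while `virt_image()` also applies `dev_node()`. Unless a rule outside this hunk covers `blk_file`, block devices labelled with a newly declared image type are not handled. I would add `# attribute, not virt_image_t: applies to every type declared with virt_image()` above the rule so the widening stays visible to later reviewers.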
@@ -27914,20 +28185,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + # setattr: metacity X11:InstallColormap + allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; -+') -+ -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## + ') + + ####################################### +@@ -662,6 +712,99 @@ + ## is the prefix for user_t). + ##
+ ## +## +## +## Client domain allowed access. @@ -27967,7 +28231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type manage_xevent_t, output_xext_t, property_xevent_t; + type shmem_xext_t, xselection_t; + attribute xevent_type, xextension_type; - ') ++ ') + # can receive certain root window events + allow $2 self:x_cursor { destroy create use setattr }; + allow $2 self:x_drawable { write getattr read destroy create add_child }; @@ -28006,12 +28270,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +# xserver_use($1,$1,$2) + xserver_use(xdm,$1,$2) - ') - ++') + - ####################################### - ## - ## Interface to provide X object permissions on a given X server to ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## + ## + ## + ## The prefix of the X client domain (e.g., user @@ -676,7 +819,7 @@ # template(`xserver_common_x_domain_template',` @@ -28509,7 +28785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1686,8 +2039,87 @@ +@@ -1686,8 +2039,90 @@ # interface(`xserver_unconfined',` gen_require(` 
@@ -28572,11 +28848,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +interface(`xserver_manage_home_fonts',` + gen_require(` + type fonts_home_t; ++ type fonts_config_home_t; + ') + + manage_dirs_pattern($1, fonts_home_t, fonts_home_t) + manage_files_pattern($1, fonts_home_t, fonts_home_t) + manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t) ++ ++ manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t) +') + +######################################## @@ -31298,7 +31577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/libraries.fc 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/system/libraries.fc 2008-08-01 10:49:58.000000000 -0400 @@ -69,8 +69,10 @@ ifdef(`distro_gentoo',` # despite the extensions, they are actually libs @@ -31370,7 +31649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -308,3 +313,11 @@ +@@ -308,3 +313,13 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
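Review bot: `xserver_manage_home_fonts` now also grants `manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t)`, so every existing caller gains write access to a second type that the interface name does not mention. The interface summary sits outside this hunk and presumably still speaks of fonts only. Only the files pattern is added for the new type, while `fonts_home_t` gets dirs, files and symlinks; if that asymmetry is deliberate it should be stated. I would add `# per-user fontconfig files (fonts_config_home_t); files only, no dirs or symlinks` above the new rule and extend the summary to name both types.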
@@ -31382,6 +31661,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.1/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-07-10 11:38:46.000000000 -0400 +++ serefpolicy-3.5.1/policy/modules/system/libraries.te 2008-07-25 12:35:13.000000000 -0400 @@ -34895,7 +35176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-07-10 11:38:46.000000000 -0400 -+++ serefpolicy-3.5.1/policy/modules/system/userdomain.if 2008-07-25 12:35:13.000000000 -0400 ++++ serefpolicy-3.5.1/policy/modules/system/userdomain.if 2008-07-30 10:07:07.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -34913,7 +35194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -45,66 +49,80 @@ +@@ -45,66 +49,82 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) 
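Review bot: The new libraries.fc entry labels `/opt/novell/groupwise/client/lib/libgwapijni\.so\.1` as `textrel_shlib_t` with no comment saying why this library needs it. `textrel_shlib_t` is the label used for libraries that require text relocation, so each addition is an exception to the normal library label and deserves a recorded reason. The pattern is pinned to the exact `.so.1` name, so a differently versioned file would not match this entry. I would add `# GroupWise client JNI library needs text relocation` above it. If other versions ship, the suffix form used elsewhere in this file, `\.so(\.[^/]*)*`, would cover them.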
@@ -35037,12 +35318,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + libs_use_shared_libs($1_usertype) + libs_exec_ld_so($1_usertype) + -+ miscfiles_read_localization($1_usertype) + miscfiles_read_certs($1_usertype) ++ miscfiles_read_localization($1_usertype) ++ miscfiles_read_man_pages($1_usertype) ++ miscfiles_read_public_files($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +133,10 @@ +@@ -115,6 +135,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -35053,7 +35336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -141,33 +163,13 @@ +@@ -141,33 +165,13 @@ # template(`userdom_ro_home_template',` gen_require(` @@ -35092,7 +35375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -175,13 +177,14 @@ +@@ -175,13 +179,14 @@ # # read-only home directory @@ -35114,7 +35397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -190,9 +193,6 @@ +@@ -190,9 +195,6 @@ fs_read_nfs_symlinks($1_t) fs_read_nfs_named_sockets($1_t) fs_read_nfs_named_pipes($1_t) @@ -35124,7 +35407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`use_samba_home_dirs',` -@@ -201,9 +201,6 @@ +@@ -201,9 +203,6 @@ fs_read_cifs_symlinks($1_t) fs_read_cifs_named_sockets($1_t) fs_read_cifs_named_pipes($1_t) @@ -35134,7 +35417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -231,30 +228,14 @@ +@@ -231,30 +230,14 @@ # template(`userdom_manage_home_template',` gen_require(` 
@@ -35171,7 +35454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +243,44 @@ +@@ -262,43 +245,44 @@ # # full control of the home directory @@ -35246,7 +35529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +298,20 @@ +@@ -316,14 +300,20 @@ ## # template(`userdom_exec_home_template',` @@ -35272,7 +35555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +329,10 @@ +@@ -341,11 +331,10 @@ ## # template(`userdom_poly_home_template',` @@ -35288,7 +35571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +356,18 @@ +@@ -369,18 +358,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -35317,7 +35600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +383,13 @@ +@@ -396,7 +385,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -35332,7 +35615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -439,18 +432,18 @@ +@@ -439,18 +434,18 @@ # template(`userdom_manage_tmpfs_template',` gen_require(` @@ -35359,7 +35642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -468,17 +461,17 @@ +@@ -468,17 +463,17 @@ # template(`userdom_untrusted_content_template',` gen_require(` @@ -35380,7 +35663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_tmp_file($1_untrusted_content_tmp_t) # Allow user to relabel untrusted content -@@ -510,10 +503,6 @@ +@@ -510,10 +505,6 @@ ## # template(`userdom_exec_generic_pgms_template',` 
@@ -35391,18 +35674,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,27 +520,20 @@ +@@ -531,27 +522,20 @@ ## # template(`userdom_basic_networking_template',` - gen_require(` - type $1_t; - ') - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1_usertype self:tcp_socket create_stream_socket_perms; -+ allow $1_usertype self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -35414,7 +35695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -- ++ allow $1_usertype self:tcp_socket create_stream_socket_perms; ++ allow $1_usertype self:udp_socket create_socket_perms; + - optional_policy(` - ipsec_match_default_spd($1_t) - ') @@ -35431,7 +35714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +550,33 @@ +@@ -568,30 +552,33 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -35481,7 +35764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -622,13 +607,7 @@ +@@ -622,13 +609,7 @@ ## ## The template for allowing the user to change roles. ## 
@@ -35496,7 +35779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,188 +671,202 @@ +@@ -692,188 +673,202 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -35652,36 +35935,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + optional_policy(` + avahi_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ bluetooth_dbus_chat($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) -+ evolution_dbus_chat($1,$1_usertype) -+ evolution_alarm_dbus_chat($1,$1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ networkmanager_dbus_chat($1_usertype) ++ evolution_dbus_chat($1,$1_usertype) ++ evolution_alarm_dbus_chat($1,$1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ vpnc_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) ++ vpnc_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + hal_dbus_chat($1_usertype) ') ') @@ -35783,7 +36066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -895,9 +888,7 @@ +@@ -895,9 +890,7 @@ ## # template(`userdom_login_user_template', ` 
@@ -35794,7 +36077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) -@@ -927,70 +918,73 @@ +@@ -927,70 +920,72 @@ allow $1_t self:context contains; @@ -35855,7 +36138,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + logging_dontaudit_getattr_all_logs($1_usertype) - miscfiles_read_man_pages($1_t) -+ miscfiles_read_man_pages($1_usertype) # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) @@ -35901,7 +36183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1024,9 +1018,6 @@ +@@ -1024,9 +1019,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -35911,7 +36193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1035,16 +1026,29 @@ +@@ -1035,16 +1027,29 @@ # # privileged home directory writers @@ -35948,7 +36230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1071,7 +1075,6 @@ +@@ -1071,7 +1076,6 @@ template(`userdom_restricted_xwindows_user_template',` userdom_restricted_user_template($1) @@ -35956,7 +36238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1080,14 +1083,16 @@ +@@ -1080,14 +1084,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -35978,7 +36260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1095,28 +1100,23 @@ +@@ -1095,28 +1101,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` 
@@ -36014,7 +36296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1127,9 @@ +@@ -1127,10 +1128,9 @@ ## ## ##

@@ -36027,7 +36309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1163,6 @@ +@@ -1164,7 +1164,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -36035,7 +36317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1182,36 +1180,45 @@ +@@ -1182,36 +1181,45 @@ ') ') @@ -36070,9 +36352,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + nsplugin_per_role_template($1, $1_usertype, $1_r) + ') + @@ -36086,15 +36369,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + mono_per_role_template($1, $1_t, $1_r) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + gpg_per_role_template($1, $1_usertype, $1_r) ') ') -@@ -1288,8 +1295,6 @@ +@@ -1288,8 +1296,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -36103,7 +36385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1311,8 +1316,6 @@ +@@ -1311,8 +1317,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) 
@@ -36112,7 +36394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1367,13 +1370,6 @@ +@@ -1367,13 +1371,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -36126,7 +36408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` postgresql_unconfined($1_t) ') -@@ -1425,6 +1421,7 @@ +@@ -1425,6 +1422,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -36134,7 +36416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1454,10 +1451,6 @@ +@@ -1454,10 +1452,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -36145,7 +36427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` aide_run($1,$2, $3) ') -@@ -1477,12 +1470,30 @@ +@@ -1477,12 +1471,30 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -36176,7 +36458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ##

## The prefix of the user role (e.g., user -@@ -1492,8 +1503,7 @@ +@@ -1492,8 +1504,7 @@ ## # template(`userdom_role_change_generic_user',` @@ -36186,7 +36468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1520,14 +1530,23 @@ +@@ -1520,14 +1531,23 @@ ## # template(`userdom_role_change_from_generic_user',` @@ -36212,7 +36494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the user role (e.g., user -@@ -1537,8 +1556,7 @@ +@@ -1537,8 +1557,7 @@ ## # template(`userdom_role_change_staff',` @@ -36222,7 +36504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1565,14 +1583,23 @@ +@@ -1565,14 +1584,23 @@ ## # template(`userdom_role_change_from_staff',` @@ -36248,7 +36530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the user role (e.g., user -@@ -1582,8 +1609,7 @@ +@@ -1582,8 +1610,7 @@ ## # template(`userdom_role_change_sysadm',` @@ -36258,7 +36540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1610,14 +1636,23 @@ +@@ -1610,14 +1637,23 @@ ## # template(`userdom_role_change_from_sysadm',` @@ -36284,7 +36566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the user role (e.g., user -@@ -1627,8 +1662,11 @@ +@@ -1627,8 +1663,11 @@ ## # template(`userdom_role_change_secadm',` @@ -36298,7 +36580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1655,14 +1693,27 @@ +@@ -1655,14 +1694,27 @@ ## # template(`userdom_role_change_from_secadm',` 
@@ -36328,7 +36610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the auditadm role (e.g., user -@@ -1672,8 +1723,11 @@ +@@ -1672,8 +1724,11 @@ ## # template(`userdom_role_change_auditadm',` @@ -36342,7 +36624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1700,8 +1754,11 @@ +@@ -1700,8 +1755,11 @@ ## # template(`userdom_role_change_from_auditadm',` @@ -36356,7 +36638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1734,11 +1791,15 @@ +@@ -1734,11 +1792,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -36375,7 +36657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1834,11 +1895,11 @@ +@@ -1834,11 +1896,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -36389,7 +36671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1868,11 +1929,11 @@ +@@ -1868,11 +1930,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -36403,7 +36685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1916,12 +1977,12 @@ +@@ -1916,12 +1978,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -36419,7 +36701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1951,10 +2012,11 @@ +@@ -1951,10 +2013,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` 
@@ -36433,7 +36715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1986,11 +2048,47 @@ +@@ -1986,11 +2049,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -36483,7 +36765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2022,10 +2120,10 @@ +@@ -2022,10 +2121,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -36496,7 +36778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2055,11 +2153,11 @@ +@@ -2055,11 +2154,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -36510,7 +36792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2089,11 +2187,11 @@ +@@ -2089,11 +2188,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -36525,7 +36807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2123,10 +2221,14 @@ +@@ -2123,10 +2222,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -36542,7 +36824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2156,11 +2258,11 @@ +@@ -2156,11 +2259,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -36556,7 +36838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2190,11 +2292,11 @@ +@@ -2190,11 +2293,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -36570,7 +36852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2224,10 +2326,10 @@ +@@ -2224,10 +2327,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -36583,7 +36865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2259,12 +2361,12 @@ +@@ -2259,12 +2362,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -36599,7 +36881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2296,10 +2398,10 @@ +@@ -2296,10 +2399,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -36612,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2331,12 +2433,12 @@ +@@ -2331,12 +2434,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -36628,7 +36910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2368,12 +2470,12 @@ +@@ -2368,12 +2471,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -36644,7 +36926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2405,12 +2507,12 @@ +@@ -2405,12 +2508,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -36660,7 +36942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2455,11 +2557,11 @@ +@@ -2455,11 +2558,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` 
@@ -36674,7 +36956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2504,11 +2606,11 @@ +@@ -2504,11 +2607,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -36688,7 +36970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2548,11 +2650,11 @@ +@@ -2548,11 +2651,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -36702,7 +36984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2582,11 +2684,11 @@ +@@ -2582,11 +2685,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -36716,7 +36998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2616,11 +2718,11 @@ +@@ -2616,11 +2719,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -36730,7 +37012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2652,10 +2754,10 @@ +@@ -2652,10 +2755,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -36743,7 +37025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2687,10 +2789,10 @@ +@@ -2687,10 +2790,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -36756,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2720,12 +2822,12 @@ +@@ -2720,12 +2823,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` 
@@ -36772,7 +37054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2757,10 +2859,10 @@ +@@ -2757,10 +2860,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -36785,7 +37067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2792,10 +2894,10 @@ +@@ -2792,10 +2895,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -36798,7 +37080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2825,12 +2927,12 @@ +@@ -2825,12 +2928,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -36814,7 +37096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2862,10 +2964,10 @@ +@@ -2862,10 +2965,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -36827,7 +37109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2897,12 +2999,12 @@ +@@ -2897,12 +3000,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -36843,7 +37125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2934,11 +3036,11 @@ +@@ -2934,11 +3037,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -36857,7 +37139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2970,11 +3072,11 @@ +@@ -2970,11 +3073,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` 
@@ -36871,7 +37153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3006,11 +3108,11 @@ +@@ -3006,11 +3109,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -36885,7 +37167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3042,11 +3144,11 @@ +@@ -3042,11 +3145,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -36899,7 +37181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3078,11 +3180,11 @@ +@@ -3078,11 +3181,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -36913,7 +37195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3127,10 +3229,10 @@ +@@ -3127,10 +3230,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -36926,7 +37208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3171,19 +3273,19 @@ +@@ -3171,19 +3274,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -36950,7 +37232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -4609,11 +4711,11 @@ +@@ -4609,11 +4712,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -36964,13 +37246,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,9 +4735,17 @@ +@@ -4633,10 +4736,18 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; -') -######################################## +-##

+ tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') @@ -36981,10 +37264,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +######################################## - ## ++## ## Search all users home directories. ## -@@ -4670,6 +4780,8 @@ + ## +@@ -4670,6 +4781,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -36993,7 +37277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4714,6 +4826,25 @@ +@@ -4714,6 +4827,25 @@ ######################################## ## @@ -37019,7 +37303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4939,7 +5070,7 @@ +@@ -4939,7 +5071,7 @@ ######################################## ## @@ -37028,7 +37312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5311,6 +5442,42 @@ +@@ -5311,6 +5443,42 @@ ######################################## ## @@ -37071,7 +37355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5361,7 +5528,7 @@ +@@ -5361,7 +5529,7 @@ attribute userdomain; ') @@ -37080,7 +37364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5476,6 +5643,42 @@ +@@ -5476,6 +5644,42 @@ ######################################## ## @@ -37123,7 +37407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5506,3 +5709,525 @@ +@@ -5506,3 +5710,525 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -38089,7 +38373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.1/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt 2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt 2008-07-30 16:47:18.000000000 -0400
 @@ -316,3 +316,13 @@
 #
 define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')