diff --git a/policy-20071130.patch b/policy-20071130.patch index 7db428e..8340803 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2730,7 +2730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/java.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/java.if 2008-01-22 12:52:42.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -2824,7 +2824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) userdom_manage_user_home_content_files($1,$1_javaplugin_t) userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) -@@ -156,15 +162,63 @@ +@@ -156,15 +162,65 @@ ') optional_policy(` @@ -2879,6 +2879,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + + allow $1_java_t self:process { getsched sigkill execheap execmem execstack }; + ++ allow $2 $1_java_t:process { getattr ptrace signal_perms }; ++ + domtrans_pattern($2, java_exec_t, $1_java_t) + + dev_read_urand($1_java_t) @@ -2892,7 +2894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ') -@@ -219,3 +273,67 @@ +@@ -219,3 +275,67 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -3019,7 +3021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.5/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/mono.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mono.if 2008-01-22 12:53:01.000000000 -0500 @@ -18,3 +18,105 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) @@ -3116,7 +3118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + userdom_unpriv_usertype($1, $1_mono_t) + + allow $1_mono_t self:process { execheap execmem }; -+ allow $2 $1_mono_t:process noatsecure; ++ allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($2, mono_exec_t, $1_mono_t) + @@ -3740,8 +3742,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-21 18:22:21.000000000 -0500 -@@ -0,0 +1,290 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-22 13:24:31.000000000 -0500 +@@ -0,0 +1,330 @@ + +## policy for nsplugin + @@ -3887,27 +3889,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +## +## +# -+template(`nsplugin_per_role_template',` ++template(`nsplugin_use',` + gen_require(` + type nsplugin_t; + type nsplugin_config_t; + type nsplugin_rw_t; + ') -+ nsplugin_domtrans($2) -+ role $3 types nsplugin_t; ++ nsplugin_domtrans($1) + -+ nsplugin_config_domtrans($2) -+ role $3 types nsplugin_config_t; ++ nsplugin_config_domtrans($1) + -+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ can_exec($2, nsplugin_rw_t) ++ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ can_exec($1, nsplugin_rw_t) + ++ allow nsplugin_t $1:udp_socket { read write }; + -+ allow nsplugin_t $2:udp_socket { read write }; ++ allow $1 nsplugin_t:process { getattr ptrace signal_perms }; ++ allow $1 nsplugin_t:unix_stream_socket connectto; ++') + -+ allow $2 nsplugin_t:process { signal sigkill }; -+ allow $2 nsplugin_t:unix_stream_socket connectto; ++####################################### ++## ++## The per role template for the nsplugin module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`nsplugin_per_role_template',` ++ gen_require(` ++ type nsplugin_t; ++ type nsplugin_config_t; ++ type nsplugin_rw_t; ++ ') ++ nsplugin_use($2) ++ role $3 types nsplugin_t; ++ role $3 types nsplugin_config_t; +') + +######################################## @@ -9201,7 +9243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-21 14:38:27.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-22 12:53:47.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -9231,9 +9273,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t) -@@ -104,8 +110,7 @@ +@@ -102,10 +108,9 @@ + files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir }) + domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t) - allow $2 $1_dbusd_t:process { sigkill signal }; +- allow $2 $1_dbusd_t:process { sigkill signal }; ++ allow $2 $1_dbusd_t:process { getattr ptrace signal_perms }; - # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $2) @@ -20511,7 +20556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-22 12:59:23.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -20960,7 +21005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-22 14:45:36.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -23052,8 +23097,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-18 12:40:46.000000000 -0500 -@@ -9,32 +9,48 @@ ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-22 13:25:12.000000000 -0500 +@@ -6,35 +6,58 @@ + # Declarations + # + ++## ++##

++## Transition to confined nsplugin domains from unconfined user ++##

++## ++gen_tunable(allow_unconfined_nsplugin_transition,false) ++ # usage in this module of types created by these # calls is not correct, however we dont currently # have another method to add access to these types @@ -23106,7 +23161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,7 +58,10 @@ +@@ -42,7 +65,10 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -23117,9 +23172,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -51,13 +70,13 @@ +@@ -50,14 +76,28 @@ + userdom_priveleged_home_dir_manager(unconfined_t) ++ ++optional_policy(` ++ gen_require(` ++ type nsplugin_t; ++ type nsplugin_config_t; ++ ') ++ role unconfined_r types nsplugin_t; ++ role unconfined_r types nsplugin_config_t; ++ tunable_policy(`allow_unconfined_nsplugin_transition', ` ++ ++ nsplugin_use(unconfined_t) ++ ') ++') ++ optional_policy(` - ada_domtrans(unconfined_t) + ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -23133,7 +23203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain(httpd_unconfined_script_t) ') -@@ -69,11 +88,11 @@ +@@ -69,11 +109,11 @@ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') @@ -23150,7 +23220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` init_dbus_chat_script(unconfined_t) -@@ -107,6 +126,10 @@ +@@ -107,6 +147,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -23161,7 +23231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +141,7 @@ +@@ -118,11 +162,7 @@ ') optional_policy(` @@ -23174,7 +23244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +153,6 @@ +@@ -134,14 +174,6 @@ ') optional_policy(` @@ -23189,7 +23259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +165,27 @@ +@@ -154,38 +186,27 @@ ') optional_policy(` @@ -23234,16 +23304,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +205,30 @@ +@@ -205,11 +226,30 @@ ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- xserver_domtrans_xdm_xserver(unconfined_t) ++') ++ ++optional_policy(` + java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + @@ -23255,9 +23324,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) + unconfined_domain(unconfined_mozilla_t) + allow unconfined_mozilla_t self:process { execstack execmem }; -+') -+ -+optional_policy(` + ') + + optional_policy(` +- xserver_domtrans_xdm_xserver(unconfined_t) + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) +') + @@ -23267,7 +23337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +238,34 @@ +@@ -219,14 +259,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -23287,7 +23357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - ') +optional_policy(` + avahi_dbus_chat(unconfined_execmem_t) -+') + ') + +optional_policy(` + hal_dbus_chat(unconfined_execmem_t) @@ -23295,7 +23365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + xserver_xdm_rw_shm(unconfined_execmem_t) - ') ++') + +######################################## +# @@ -23322,8 +23392,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-21 17:18:31.000000000 -0500 -@@ -29,8 +29,9 @@ ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-22 14:46:10.000000000 -0500 +@@ -29,9 +29,14 @@ ') attribute $1_file_type; @@ -23332,9 +23402,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - type $1_t, userdomain; + type $1_t, userdomain, $1_usertype; domain_type($1_t) ++ ifdef(`targeted_policy',` ++ # ignore user componant labeling on homedir entry ++ domain_obj_id_change_exemption($1_t) ++ ') corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -45,66 +46,71 @@ + domain_user_exemption_target($1_t) +@@ -45,66 +50,71 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) @@ -23434,9 +23509,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - libs_exec_ld_so($1_t) -- -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_non_security_files($1_usertype) @@ -23453,13 +23525,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + libs_use_shared_libs($1_usertype) + libs_exec_ld_so($1_usertype) +- miscfiles_read_localization($1_t) +- miscfiles_read_certs($1_t) +- - sysnet_read_config($1_t) + miscfiles_read_localization($1_usertype) + miscfiles_read_certs($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +121,10 @@ +@@ -115,6 +125,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -23470,7 +23545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -141,33 +151,13 @@ +@@ -141,33 +155,13 @@ # template(`userdom_ro_home_template',` gen_require(` @@ -23509,7 +23584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -175,13 +165,13 @@ +@@ -175,13 +169,13 @@ # # read-only home directory @@ -23530,7 +23605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -231,30 +221,14 @@ +@@ -231,30 +225,14 @@ # template(`userdom_manage_home_template',` gen_require(` @@ -23567,7 +23642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +236,44 @@ +@@ -262,43 +240,44 @@ # # full control of the home directory @@ -23640,7 +23715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +291,20 @@ +@@ -316,14 +295,20 @@ ## # template(`userdom_exec_home_template',` @@ -23666,7 +23741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +322,10 @@ +@@ -341,11 +326,10 @@ ## # template(`userdom_poly_home_template',` @@ -23682,7 +23757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +349,18 @@ +@@ -369,18 +353,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -23711,7 +23786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +376,13 @@ +@@ -396,7 +380,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -23726,7 +23801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -510,10 +496,6 @@ +@@ -510,10 +500,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -23737,7 +23812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,9 +513,6 @@ +@@ -531,9 +517,6 @@ ## # template(`userdom_basic_networking_template',` @@ -23747,7 +23822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -548,10 +527,6 @@ +@@ -548,10 +531,6 @@ corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_all_client_packets($1_t) @@ -23758,7 +23833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +543,29 @@ +@@ -568,30 +547,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -23805,7 +23880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -717,6 +691,12 @@ +@@ -717,6 +695,12 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -23818,7 +23893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -728,11 +708,11 @@ +@@ -728,11 +712,11 @@ # for eject storage_getattr_fixed_disk_dev($1_t) @@ -23831,7 +23906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo init_read_utmp($1_t) -@@ -758,10 +738,6 @@ +@@ -758,10 +742,6 @@ dev_read_mouse($1_t) ') @@ -23842,7 +23917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -783,20 +759,20 @@ +@@ -783,20 +763,20 @@ ') optional_policy(` @@ -23868,7 +23943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -824,11 +800,18 @@ +@@ -824,11 +804,18 @@ mta_rw_spool($1_t) ') @@ -23891,7 +23966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -842,13 +825,6 @@ +@@ -842,13 +829,6 @@ ') optional_policy(` @@ -23905,7 +23980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -889,6 +865,8 @@ +@@ -889,6 +869,8 @@ ## # template(`userdom_login_user_template', ` @@ -23914,7 +23989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -917,26 +895,26 @@ +@@ -917,26 +899,26 @@ allow $1_t self:context contains; @@ -23955,7 +24030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_dontaudit_write_login_records($1_t) -@@ -944,43 +922,43 @@ +@@ -944,43 +926,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -24017,7 +24092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1014,9 +992,6 @@ +@@ -1014,9 +996,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -24027,7 +24102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1025,16 +1000,32 @@ +@@ -1025,16 +1004,32 @@ # # privileged home directory writers @@ -24066,7 +24141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1062,6 +1053,13 @@ +@@ -1062,6 +1057,13 @@ userdom_restricted_user_template($1) @@ -24080,7 +24155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1070,14 +1068,14 @@ +@@ -1070,14 +1072,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -24100,7 +24175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,33 +1083,14 @@ +@@ -1085,33 +1087,14 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -24122,14 +24197,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - optional_policy(` - java_per_role_template($1, $1_t, $1_r) +- ') +- +- optional_policy(` +- mono_per_role_template($1, $1_t, $1_r) + alsa_read_rw_config($1_usertype) ') - optional_policy(` -- mono_per_role_template($1, $1_t, $1_r) -- ') -- -- optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') + # Broken Cover up bugzilla #345921 Should be removed when this is fixed @@ -24140,7 +24215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1121,10 +1100,10 @@ +@@ -1121,10 +1104,10 @@ ## ## ##

@@ -24155,7 +24230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,22 +1166,17 @@ +@@ -1187,22 +1170,17 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -24180,7 +24255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1278,8 +1252,6 @@ +@@ -1278,8 +1256,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -24189,7 +24264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1416,6 +1388,7 @@ +@@ -1416,6 +1392,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -24197,7 +24272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1754,14 @@ +@@ -1781,10 +1758,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -24213,7 +24288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1857,11 @@ +@@ -1880,11 +1861,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -24227,7 +24302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1891,11 @@ +@@ -1914,11 +1895,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -24241,7 +24316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1939,12 @@ +@@ -1962,12 +1943,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -24257,7 +24332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1974,10 @@ +@@ -1997,10 +1978,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -24270,7 +24345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2009,47 @@ +@@ -2032,11 +2013,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -24320,7 +24395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2081,10 @@ +@@ -2068,10 +2085,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -24333,7 +24408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2114,11 @@ +@@ -2101,11 +2118,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -24347,7 +24422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2148,11 @@ +@@ -2135,11 +2152,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -24362,7 +24437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2182,10 @@ +@@ -2169,10 +2186,10 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -24375,7 +24450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2202,11 +2215,11 @@ +@@ -2202,11 +2219,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -24389,7 +24464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2249,11 @@ +@@ -2236,11 +2253,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -24403,7 +24478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2283,10 @@ +@@ -2270,10 +2287,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -24416,7 +24491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2318,12 @@ +@@ -2305,12 +2322,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -24432,7 +24507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2355,10 @@ +@@ -2342,10 +2359,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -24445,7 +24520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2390,12 @@ +@@ -2377,12 +2394,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -24461,7 +24536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2427,12 @@ +@@ -2414,12 +2431,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -24477,7 +24552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2464,12 @@ +@@ -2451,12 +2468,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -24493,7 +24568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2514,11 @@ +@@ -2501,11 +2518,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -24507,7 +24582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2563,11 @@ +@@ -2550,11 +2567,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -24521,7 +24596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2607,11 @@ +@@ -2594,11 +2611,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -24535,7 +24610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2641,11 @@ +@@ -2628,11 +2645,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -24549,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2675,11 @@ +@@ -2662,11 +2679,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -24563,7 +24638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2711,10 @@ +@@ -2698,10 +2715,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -24576,7 +24651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2746,10 @@ +@@ -2733,10 +2750,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -24589,7 +24664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2779,12 @@ +@@ -2766,12 +2783,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -24605,7 +24680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2816,10 @@ +@@ -2803,10 +2820,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -24618,7 +24693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2851,48 @@ +@@ -2838,10 +2855,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -24669,7 +24744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2871,12 +2922,12 @@ +@@ -2871,12 +2926,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -24685,7 +24760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2959,10 @@ +@@ -2908,10 +2963,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -24698,7 +24773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +2994,12 @@ +@@ -2943,12 +2998,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -24714,7 +24789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3031,11 @@ +@@ -2980,11 +3035,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -24728,7 +24803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3067,11 @@ +@@ -3016,11 +3071,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -24742,7 +24817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3103,11 @@ +@@ -3052,11 +3107,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -24756,7 +24831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3139,11 @@ +@@ -3088,11 +3143,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -24770,7 +24845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3175,11 @@ +@@ -3124,11 +3179,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -24784,7 +24859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3224,10 @@ +@@ -3173,10 +3228,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -24797,7 +24872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3268,10 @@ +@@ -3217,10 +3272,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -24810,7 +24885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3248,6 +3299,42 @@ +@@ -3248,6 +3303,42 @@ ## ## # @@ -24853,7 +24928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4225,11 +4312,11 @@ +@@ -4225,11 +4316,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -24867,7 +24942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4332,10 @@ +@@ -4245,10 +4336,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -24880,7 +24955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4351,11 @@ +@@ -4264,11 +4355,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -24894,7 +24969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,16 +4370,16 @@ +@@ -4283,16 +4374,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -24914,7 +24989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4301,12 +4388,27 @@ +@@ -4301,12 +4392,27 @@ ## ## # @@ -24945,7 +25020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4321,13 +4423,13 @@ +@@ -4321,13 +4427,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -24963,7 +25038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4525,10 +4627,10 @@ +@@ -4525,10 +4631,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -24976,7 +25051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4647,10 @@ +@@ -4545,10 +4651,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -24989,7 +25064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4665,10 @@ +@@ -4563,10 +4669,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -25002,7 +25077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4684,10 @@ +@@ -4582,10 +4688,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -25015,7 +25090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4702,10 @@ +@@ -4600,10 +4706,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -25028,7 +25103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4721,10 @@ +@@ -4619,10 +4725,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -25041,7 +25116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4740,11 @@ +@@ -4638,12 +4744,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -25057,7 +25132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4771,10 @@ +@@ -4670,10 +4775,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -25070,7 +25145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4789,10 @@ +@@ -4688,10 +4793,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -25083,7 +25158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4807,13 @@ +@@ -4706,13 +4811,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -25101,7 +25176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4849,49 @@ +@@ -4748,11 +4853,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -25152,7 +25227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4772,6 +4911,14 @@ +@@ -4772,6 +4915,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -25167,7 +25242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5109,7 +5256,7 @@ +@@ -5109,7 +5260,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -25176,7 +25251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5445,49 @@ +@@ -5298,6 +5449,49 @@ ######################################## ##

@@ -25226,7 +25301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5693,42 @@ +@@ -5503,6 +5697,42 @@ ######################################## ## @@ -25269,7 +25344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5894,42 @@ +@@ -5668,6 +5898,42 @@ ######################################## ## @@ -25312,7 +25387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5960,277 @@ +@@ -5698,3 +5964,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f1445ad..4f2bf5b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,10 @@ exit 0 %endif %changelog +* Mon Jan 21 2008 Dan Walsh 3.2.5-17 +- Allow ptrace or user processes by users of same type +- Add boolean for transition to nsplugin + * Mon Jan 21 2008 Dan Walsh 3.2.5-16 - Allow nsplugin sys_nice, getsched, setsched