diff --git a/execmem.patch b/execmem.patch
index d51b616..4d578e5 100644
--- a/execmem.patch
+++ b/execmem.patch
@@ -1,2589 +1,377 @@ -diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 17b5426..a485d76 100644 ---- a/policy/modules/admin/rpm.te -+++ b/policy/modules/admin/rpm.te -@@ -419,7 +419,6 @@ optional_policy(` - optional_policy(` - unconfined_domain_noaudit(rpm_script_t) - unconfined_domtrans(rpm_script_t) -- unconfined_execmem_domtrans(rpm_script_t) - - optional_policy(` - java_domtrans_unconfined(rpm_script_t) -diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 634c47a..748db5b 100644 ---- a/policy/modules/admin/sudo.if -+++ b/policy/modules/admin/sudo.if -@@ -47,6 +47,7 @@ template(`sudo_role_template',` - domain_role_change_exemption($1_sudo_t) - ubac_constrained($1_sudo_t) - role $2 types $1_sudo_t; -+ userdom_home_manager($1_sudo_t) - - type $1_sudo_tmp_t; - files_tmp_file($1_sudo_tmp_t) -diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index 71bf5e8..9ce39dd 100644 ---- a/policy/modules/admin/sudo.te -+++ b/policy/modules/admin/sudo.te -@@ -101,14 +101,6 @@ userdom_search_user_home_content(sudodomain) - userdom_search_admin_dir(sudodomain) - userdom_manage_all_users_keys(sudodomain) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files(sudodomain) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files(sudodomain) --') -- - optional_policy(` - dbus_system_bus_client(sudodomain) - ') -diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te -index f7183ef..49ce279 100644 ---- a/policy/modules/apps/cdrecord.te -+++ b/policy/modules/apps/cdrecord.te -@@ -109,11 +109,7 @@ tunable_policy(`cdrecord_read_content',` - userdom_dontaudit_read_user_home_content_files(cdrecord_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- files_search_mnt(cdrecord_t) -- fs_read_nfs_files(cdrecord_t) -- fs_read_nfs_symlinks(cdrecord_t) --') -+userdom_home_manager(cdrecord_t) - - optional_policy(` - resmgr_stream_connect(cdrecord_t) -diff --git 
a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te -index 6c642a2..acb325c 100644 ---- a/policy/modules/apps/chrome.te -+++ b/policy/modules/apps/chrome.te -@@ -92,11 +92,6 @@ miscfiles_read_fonts(chrome_sandbox_t) - sysnet_dns_name_resolve(chrome_sandbox_t) - - optional_policy(` -- execmem_exec(chrome_sandbox_t) -- execmem_execmod(chrome_sandbox_t) --') -- --optional_policy(` - gnome_rw_inherited_config(chrome_sandbox_t) - gnome_read_home_config(chrome_sandbox_t) - ') -diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc -deleted file mode 100644 -index 5e09952..0000000 ---- a/policy/modules/apps/execmem.fc -+++ /dev/null -@@ -1,49 +0,0 @@ -- --/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --ifdef(`distro_gentoo',` --/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) --') --/usr/lib/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/lib/R/bin/exec/R -- 
gen_context(system_u:object_r:execmem_exec_t,s0) -- --/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/lib/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) --/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) --/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) -- --/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) --/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) --/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) --/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) --/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if -deleted file mode 100644 -index 
e23f640..0000000 ---- a/policy/modules/apps/execmem.if -+++ /dev/null -@@ -1,132 +0,0 @@ --## execmem domain -- --######################################## --## --## Execute the execmem program --## in the caller domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`execmem_exec',` -- gen_require(` -- type execmem_exec_t; -- ') -- -- can_exec($1, execmem_exec_t) --') -- --####################################### --## --## The role template for the execmem module. --## --## --##

--## This template creates a derived domains which are used --## for execmem applications. --##

--##
--## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## --## --## --## The role associated with the user domain. --## --## --## --## --## The type of the user domain. --## --## --# --template(`execmem_role_template',` -- gen_require(` -- type execmem_exec_t; -- ') -- -- type $1_execmem_t; -- domain_type($1_execmem_t) -- domain_entry_file($1_execmem_t, execmem_exec_t) -- role $2 types $1_execmem_t; -- -- userdom_unpriv_usertype($1, $1_execmem_t) -- userdom_manage_tmp_role($2, $1_execmem_t) -- userdom_manage_tmpfs_role($2, $1_execmem_t) -- -- allow $1_execmem_t self:process { execmem execstack }; -- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; -- domtrans_pattern($3, execmem_exec_t, $1_execmem_t) -- -- files_execmod_tmp($1_execmem_t) -- -- allow $3 execmem_exec_t:file execmod; -- allow $1_execmem_t execmem_exec_t:file execmod; -- -- # needed by plasma-desktop -- optional_policy(` -- gnome_read_usr_config($1_execmem_t) -- ') -- -- optional_policy(` -- mozilla_execmod_user_home_files($1_execmem_t) -- ') -- -- optional_policy(` -- nsplugin_rw_shm($1_execmem_t) -- nsplugin_rw_semaphores($1_execmem_t) -- ') -- -- optional_policy(` -- xserver_role($2, $1_execmem_t) -- ') --') -- --######################################## --## --## Execute a execmem_exec file --## in the specified domain. --## --## --## --## Domain allowed access. --## --## --## --## --## The type of the new process. --## --## --# --interface(`execmem_domtrans',` -- gen_require(` -- type execmem_exec_t; -- ') -- -- domtrans_pattern($1, execmem_exec_t, $2) --') -- --######################################## --## --## Execmod the execmem_exec applications --## --## --## --## Domain allowed access. 
--## --## --# --interface(`execmem_execmod',` -- gen_require(` -- type execmem_exec_t; -- ') -- -- allow $1 execmem_exec_t:file execmod; --') -- -diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te -deleted file mode 100644 -index a7d37e2..0000000 ---- a/policy/modules/apps/execmem.te -+++ /dev/null -@@ -1,10 +0,0 @@ --policy_module(execmem, 1.0.0) -- --######################################## --# --# Declarations --# -- --type execmem_exec_t alias unconfined_execmem_exec_t; --application_executable_file(execmem_exec_t) -- -diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te -index 10a2ce4..5c81832 100644 ---- a/policy/modules/apps/gift.te -+++ b/policy/modules/apps/gift.te -@@ -70,17 +70,7 @@ sysnet_read_config(gift_t) - # giftui looks in .icons, .themes. - userdom_dontaudit_read_user_home_content_files(gift_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gift_t) -- fs_manage_nfs_files(gift_t) -- fs_manage_nfs_symlinks(gift_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gift_t) -- fs_manage_cifs_files(gift_t) -- fs_manage_cifs_symlinks(gift_t) --') -+userdom_home_manager(gift_t) - - optional_policy(` - nscd_socket_use(gift_t) -@@ -133,15 +123,4 @@ miscfiles_read_localization(giftd_t) - sysnet_read_config(giftd_t) - - userdom_use_inherited_user_terminals(giftd_t) -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(giftd_t) -- fs_manage_nfs_files(giftd_t) -- fs_manage_nfs_symlinks(giftd_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(giftd_t) -- fs_manage_cifs_files(giftd_t) -- fs_manage_cifs_symlinks(giftd_t) --') -+userdom_home_manager(gitd_t) -diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index deab06c..00762c5 100644 ---- a/policy/modules/apps/gnome.if -+++ b/policy/modules/apps/gnome.if -@@ -70,6 +70,8 @@ interface(`gnome_role_gkeyringd',` - ubac_constrained($1_gkeyringd_t) - 
domain_user_exemption_target($1_gkeyringd_t) - -+ userdom_home_manager($1_gkeyringd_t) -+ - role $2 types $1_gkeyringd_t; - - domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) -diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 45b4ca9..14d7e30 100644 ---- a/policy/modules/apps/gnome.te -+++ b/policy/modules/apps/gnome.te -@@ -153,15 +153,7 @@ optional_policy(` - policykit_read_reload(gconfdefaultsm_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gconfdefaultsm_t) -- fs_manage_nfs_files(gconfdefaultsm_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gconfdefaultsm_t) -- fs_manage_cifs_files(gconfdefaultsm_t) --') -+userdom_home_manager(gconfdefaultsm_t) - - ####################################### - # -@@ -233,6 +225,7 @@ corecmd_search_bin(gkeyringd_domain) - - dev_read_rand(gkeyringd_domain) - dev_read_urand(gkeyringd_domain) -+dev_read_sysfs(gkeyringd_domain) - - files_read_etc_files(gkeyringd_domain) - files_read_usr_files(gkeyringd_domain) -@@ -268,13 +261,3 @@ domain_use_interactive_fds(gnome_domain) - - userdom_use_inherited_user_terminals(gnome_domain) - --tunable_policy(`use_nfs_home_dirs',` -- fs_getattr_nfs(gkeyringd_domain) -- fs_manage_nfs_dirs(gkeyringd_domain) -- fs_manage_nfs_files(gkeyringd_domain) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gkeyringd_domain) -- fs_manage_cifs_files(gkeyringd_domain) --') -diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 401a4ec..80f8c31 100644 ---- a/policy/modules/apps/gpg.te -+++ b/policy/modules/apps/gpg.te -@@ -150,15 +150,7 @@ userdom_stream_connect(gpg_t) - - mta_write_config(gpg_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gpg_t) -- fs_manage_nfs_files(gpg_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gpg_t) -- fs_manage_cifs_files(gpg_t) --') -+userdom_home_manager(gpg_t) - - optional_policy(` - gnome_read_config(gpg_t) 
-@@ -290,17 +282,7 @@ tunable_policy(`gpg_agent_env_file',` - userdom_manage_user_home_content_files(gpg_agent_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gpg_agent_t) -- fs_manage_nfs_files(gpg_agent_t) -- fs_manage_nfs_symlinks(gpg_agent_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gpg_agent_t) -- fs_manage_cifs_files(gpg_agent_t) -- fs_manage_cifs_symlinks(gpg_agent_t) --') -+userdom_home_manager(gpg_agent_t) - - optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -371,13 +353,7 @@ allow gpg_pinentry_t user_tmpfs_t:file unlink; - userdom_signull_unpriv_users(gpg_pinentry_t) - userdom_use_user_terminals(gpg_pinentry_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(gpg_pinentry_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(gpg_pinentry_t) --') -+userdom_home_reader(gpg_pinentry_t) - - optional_policy(` - gnome_read_home_config(gpg_pinentry_t) -diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te -index b69a628..4bc18b6 100644 ---- a/policy/modules/apps/irc.te -+++ b/policy/modules/apps/irc.te -@@ -110,17 +110,7 @@ sysnet_read_config(irc_t) - # Write to the user domain tty. 
- userdom_use_inherited_user_terminals(irc_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(irc_t) -- fs_manage_nfs_files(irc_t) -- fs_manage_nfs_symlinks(irc_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(irc_t) -- fs_manage_cifs_files(irc_t) -- fs_manage_cifs_symlinks(irc_t) --') -+userdom_home_manager(irc_t) - - optional_policy(` - nis_use_ypbind(irc_t) -@@ -185,17 +175,7 @@ tunable_policy(`irssi_use_full_network', ` - corenet_sendrecv_all_client_packets(irssi_t) - ') - --tunable_policy(`use_nfs_home_dirs', ` -- fs_manage_nfs_dirs(irssi_t) -- fs_manage_nfs_files(irssi_t) -- fs_manage_nfs_symlinks(irssi_t) --') -- --tunable_policy(`use_samba_home_dirs', ` -- fs_manage_cifs_dirs(irssi_t) -- fs_manage_cifs_files(irssi_t) -- fs_manage_cifs_symlinks(irssi_t) --') -+userdom_home_manager(irssi_t) - - optional_policy(` - automount_dontaudit_getattr_tmp_dirs(irssi_t) -diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc -index 5d2130c..86c1768 100644 ---- a/policy/modules/apps/java.fc -+++ b/policy/modules/apps/java.fc -@@ -5,13 +5,10 @@ - /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - /opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - - # - # /usr - # --/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -30,14 +27,12 @@ - /usr/lib/jvm/java(.*/)bin(/.*)? 
-- gen_context(system_u:object_r:java_exec_t,s0) - /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) - - /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - - /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - --/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -- - ifdef(`distro_redhat',` - /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) - ') -diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if -index 7c398c0..e6d84e8 100644 ---- a/policy/modules/apps/java.if -+++ b/policy/modules/apps/java.if -@@ -72,8 +72,7 @@ template(`java_role_template',` - - domain_interactive_fd($1_java_t) - -- userdom_unpriv_usertype($1, $1_java_t) -- userdom_manage_tmpfs_role($2, $1_java_t) -+ userdom_manage_user_tmpfs_files($1_java_t) - - allow $1_java_t self:process { ptrace signal getsched execmem execstack }; - -@@ -83,7 +82,7 @@ template(`java_role_template',` - - domtrans_pattern($3, java_exec_t, $1_java_t) - -- corecmd_bin_domtrans($1_java_t, $1_t) -+ corecmd_bin_domtrans($1_java_t, $3) - - dev_dontaudit_append_rand($1_java_t) - -@@ -106,7 +105,7 @@ template(`java_role_template',` - ## - ## - # --interface(`java_domtrans',` -+template(`java_domtrans',` - gen_require(` - type java_t, java_exec_t; - ') -@@ -180,10 +179,6 @@ interface(`java_run_unconfined',` - - java_domtrans_unconfined($1) - role $2 types unconfined_java_t; -- -- optional_policy(` -- nsplugin_role_notrans($2, unconfined_java_t) -- ') - ') - - ######################################## -diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te -index 
27d37b0..167950d 100644 ---- a/policy/modules/apps/java.te -+++ b/policy/modules/apps/java.te -@@ -82,20 +82,18 @@ dev_read_urand(java_t) - dev_read_rand(java_t) - dev_dontaudit_append_rand(java_t) - --files_read_etc_files(java_t) - files_read_usr_files(java_t) - files_search_home(java_t) - files_search_var_lib(java_t) - files_read_etc_runtime_files(java_t) - # Read global fonts and font config -+files_read_etc_files(java_t) - - fs_getattr_xattr_fs(java_t) - fs_dontaudit_rw_tmpfs_files(java_t) - - logging_send_syslog_msg(java_t) - --auth_use_nsswitch(java_t) -- - miscfiles_read_localization(java_t) - # Read global fonts and font config - miscfiles_read_fonts(java_t) -@@ -125,6 +123,14 @@ tunable_policy(`allow_java_execstack',` - ') - - optional_policy(` -+ nis_use_ypbind(java_t) -+') -+ -+optional_policy(` -+ nscd_socket_use(java_t) -+') -+ -+optional_policy(` - xserver_user_x_domain_template(java, java_t, java_tmpfs_t) - ') - -@@ -137,21 +143,14 @@ optional_policy(` - # execheap is needed for itanium/BEA jrocket - allow unconfined_java_t self:process { execstack execmem execheap }; - -- init_dbus_chat_script(unconfined_java_t) -- - files_execmod_all_files(unconfined_java_t) - - init_dbus_chat_script(unconfined_java_t) - - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) -- userdom_unpriv_usertype(unconfined, unconfined_java_t) - - optional_policy(` - rpm_domtrans(unconfined_java_t) - ') -- -- optional_policy(` -- wine_domtrans(unconfined_java_t) -- ') - ') -diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if -index b2b83ad..7b08e13 100644 ---- a/policy/modules/apps/mono.if -+++ b/policy/modules/apps/mono.if -@@ -40,16 +40,16 @@ template(`mono_role_template',` - domain_interactive_fd($1_mono_t) - application_type($1_mono_t) - -- allow $1_mono_t self:process { signal getsched execheap execmem execstack }; -- allow $3 $1_mono_t:process { getattr noatsecure signal_perms }; -+ allow $1_mono_t self:process { 
ptrace signal getsched execheap execmem execstack }; -+ -+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; - - domtrans_pattern($3, mono_exec_t, $1_mono_t) - - fs_dontaudit_rw_tmpfs_files($1_mono_t) - corecmd_bin_domtrans($1_mono_t, $1_t) - -- userdom_unpriv_usertype($1, $1_mono_t) -- userdom_manage_tmpfs_role($2, $1_mono_t) -+ userdom_manage_user_tmpfs_files($1_mono_t) - - optional_policy(` - xserver_role($1_r, $1_mono_t) -diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te -index ecab36d..dff0f12 100644 ---- a/policy/modules/apps/mono.te -+++ b/policy/modules/apps/mono.te -@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) - # Local policy - # - --allow mono_t self:process { signal getsched execheap execmem execstack }; -+allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; - - init_dbus_chat_script(mono_t) - -diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 69e2534..3654ad3 100644 ---- a/policy/modules/apps/mozilla.te -+++ b/policy/modules/apps/mozilla.te -@@ -186,17 +186,7 @@ tunable_policy(`deny_execmem',`',` - allow mozilla_t self:process execmem; - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_t) -- fs_manage_nfs_files(mozilla_t) -- fs_manage_nfs_symlinks(mozilla_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_t) -- fs_manage_cifs_files(mozilla_t) -- fs_manage_cifs_symlinks(mozilla_t) --') -+userdom_home_manager(mozilla_t) - - # Uploads, local html - tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -426,17 +416,7 @@ tunable_policy(`allow_execstack',` - allow mozilla_plugin_t self:process execstack; - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_plugin_t) -- fs_manage_nfs_files(mozilla_plugin_t) -- fs_manage_nfs_symlinks(mozilla_plugin_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_t) -- 
fs_manage_cifs_files(mozilla_plugin_t) -- fs_manage_cifs_symlinks(mozilla_plugin_t) --') -+userdom_home_manager(mozilla_plugin_t) - - optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) -diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te -index 8b1fa1b..320963b 100644 ---- a/policy/modules/apps/mplayer.te -+++ b/policy/modules/apps/mplayer.te -@@ -84,6 +84,7 @@ userdom_read_user_tmp_files(mencoder_t) - userdom_read_user_tmp_symlinks(mencoder_t) - userdom_read_user_home_content_files(mencoder_t) - userdom_read_user_home_content_symlinks(mencoder_t) -+userdom_home_manager(mencoder_t) - - # Read content to encode - ifndef(`enable_mls',` -@@ -104,46 +105,6 @@ tunable_policy(`allow_mplayer_execstack',` - allow mencoder_t self:process { execmem execstack }; - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mencoder_t) -- fs_manage_nfs_files(mencoder_t) -- fs_manage_nfs_symlinks(mencoder_t) -- --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mencoder_t) -- fs_manage_cifs_files(mencoder_t) -- fs_manage_cifs_symlinks(mencoder_t) -- --') -- --# Read content to encode --tunable_policy(`use_nfs_home_dirs',` -- fs_list_auto_mountpoints(mencoder_t) -- files_list_home(mencoder_t) -- fs_read_nfs_files(mencoder_t) -- fs_read_nfs_symlinks(mencoder_t) -- --',` -- files_dontaudit_list_home(mencoder_t) -- fs_dontaudit_list_auto_mountpoints(mencoder_t) -- fs_dontaudit_read_nfs_files(mencoder_t) -- fs_dontaudit_list_nfs(mencoder_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_list_auto_mountpoints(mencoder_t) -- files_list_home(mencoder_t) -- fs_read_cifs_files(mencoder_t) -- fs_read_cifs_symlinks(mencoder_t) --',` -- files_dontaudit_list_home(mencoder_t) -- fs_dontaudit_list_auto_mountpoints(mencoder_t) -- fs_dontaudit_read_cifs_files(mencoder_t) -- fs_dontaudit_list_cifs(mencoder_t) --') -- - ######################################## - # - # mplayer local policy -@@ -242,6 +203,7 @@ 
userdom_read_user_tmp_symlinks(mplayer_t) - userdom_read_user_home_content_files(mplayer_t) - userdom_read_user_home_content_symlinks(mplayer_t) - userdom_write_user_tmp_sockets(mplayer_t) -+userdom_home_manager(mplayer_t) - - xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) - -@@ -264,47 +226,12 @@ tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t self:process { execmem execstack }; - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mplayer_t) -- fs_manage_nfs_files(mplayer_t) -- fs_manage_nfs_symlinks(mplayer_t) --') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mplayer_t) -- fs_manage_cifs_files(mplayer_t) -- fs_manage_cifs_symlinks(mplayer_t) --') -- - # Legacy domain issues - tunable_policy(`allow_mplayer_execstack',` - allow mplayer_t mplayer_tmpfs_t:file execute; - ') - --# Read songs --tunable_policy(`use_nfs_home_dirs',` -- fs_list_auto_mountpoints(mplayer_t) -- files_list_home(mplayer_t) -- fs_read_nfs_files(mplayer_t) -- fs_read_nfs_symlinks(mplayer_t) -- --',` -- files_dontaudit_list_home(mplayer_t) -- fs_dontaudit_list_auto_mountpoints(mplayer_t) -- fs_dontaudit_read_nfs_files(mplayer_t) -- fs_dontaudit_list_nfs(mplayer_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_list_auto_mountpoints(mplayer_t) -- files_list_home(mplayer_t) -- fs_read_cifs_files(mplayer_t) -- fs_read_cifs_symlinks(mplayer_t) --',` -- files_dontaudit_list_home(mplayer_t) -- fs_dontaudit_list_auto_mountpoints(mplayer_t) -- fs_dontaudit_read_cifs_files(mplayer_t) -- fs_dontaudit_list_cifs(mplayer_t) --') -+userdom_home_manager(mplayer_t) - - optional_policy(` - alsa_read_rw_config(mplayer_t) -diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te -index 3b6b4cb..cc6b555 100644 ---- a/policy/modules/apps/nsplugin.te -+++ b/policy/modules/apps/nsplugin.te -@@ -208,10 +208,6 @@ optional_policy(` - ') - - optional_policy(` -- unconfined_execmem_signull(nsplugin_t) --') -- 
--optional_policy(` - sandbox_read_tmpfs_files(nsplugin_t) - ') - -@@ -329,7 +325,3 @@ optional_policy(` - pulseaudio_manage_home_files(nsplugin_t) - pulseaudio_setattr_home_dir(nsplugin_t) - ') -- --optional_policy(` -- unconfined_execmem_exec(nsplugin_t) --') -diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc -deleted file mode 100644 -index 4428be4..0000000 ---- a/policy/modules/apps/openoffice.fc -+++ /dev/null -@@ -1,3 +0,0 @@ --/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) --/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -- -diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if -deleted file mode 100644 -index 792bf9c..0000000 ---- a/policy/modules/apps/openoffice.if -+++ /dev/null -@@ -1,124 +0,0 @@ --## Openoffice -- --####################################### --## --## The per role template for the openoffice module. --## --## --## --## The type of the user domain. --## --## --# --interface(`openoffice_plugin_role',` -- gen_require(` -- type openoffice_exec_t; -- type openoffice_t; -- ') -- -- ######################################## -- # -- # Local policy -- # -- -- domtrans_pattern($1, openoffice_exec_t, openoffice_t) -- allow $1 openoffice_t:process { signal sigkill }; --') -- --####################################### --## --## role for openoffice --## --## --##

--## This template creates a derived domains which are used --## for java applications. --##

--##
--## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## --## --## --## The role associated with the user domain. --## --## --## --## --## The type of the user domain. --## --## --# --interface(`openoffice_role_template',` -- gen_require(` -- type openoffice_exec_t; -- ') -- -- role $2 types $1_openoffice_t; -- -- type $1_openoffice_t; -- domain_type($1_openoffice_t) -- domain_entry_file($1_openoffice_t, openoffice_exec_t) -- domain_interactive_fd($1_openoffice_t) -- -- userdom_unpriv_usertype($1, $1_openoffice_t) -- userdom_exec_user_home_content_files($1_openoffice_t) -- -- allow $1_openoffice_t self:process { getsched sigkill execmem execstack }; -- -- allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh }; -- allow $1_openoffice_t $3:tcp_socket { read write }; -- -- domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) -- -- dev_read_urand($1_openoffice_t) -- dev_read_rand($1_openoffice_t) -- -- fs_dontaudit_rw_tmpfs_files($1_openoffice_t) -- -- allow $3 $1_openoffice_t:process { signal sigkill }; -- allow $1_openoffice_t $3:unix_stream_socket connectto; -- -- optional_policy(` -- xserver_role($2, $1_openoffice_t) -- ') --') -- --######################################## --## --## Execute openoffice_exec_t --## in the specified domain. --## --## --##

--## Execute a openoffice_exec_t --## in the specified domain. --##

--##

--## No interprocess communication (signals, pipes, --## etc.) is provided by this interface since --## the domains are not owned by this module. --##

--##
--## --## --## Domain allowed access. --## --## --## --## --## The type of the new process. --## --## --# --interface(`openoffice_exec_domtrans',` -- gen_require(` -- type openoffice_exec_t; -- ') -- -- allow $2 openoffice_exec_t:file entrypoint; -- domtrans_pattern($1, openoffice_exec_t, $2) --') -diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te -deleted file mode 100644 -index a842371..0000000 ---- a/policy/modules/apps/openoffice.te -+++ /dev/null -@@ -1,16 +0,0 @@ --policy_module(openoffice, 1.0.0) -- --######################################## --# --# Declarations --# -- --type openoffice_t; --type openoffice_exec_t; --application_domain(openoffice_t, openoffice_exec_t) -- --######################################## --# --# Unconfined java local policy --# -- -diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index 5314e57..a4f8158 100644 ---- a/policy/modules/apps/pulseaudio.te -+++ b/policy/modules/apps/pulseaudio.te -@@ -43,6 +43,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) - manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) - userdom_search_user_home_dirs(pulseaudio_t) - userdom_search_admin_dir(pulseaudio_t) - -diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index f9fbc60..b0b3ce6 100644 ---- a/policy/modules/apps/screen.if -+++ b/policy/modules/apps/screen.if -@@ -39,6 +39,8 @@ template(`screen_role_template',` - ubac_constrained($1_screen_t) - role $2 types $1_screen_t; - -+ userdom_home_reader($1_screen_t) -+ - domtrans_pattern($3, screen_exec_t, $1_screen_t) - allow $3 $1_screen_t:process { signal sigchld }; - dontaudit $3 $1_screen_t:unix_stream_socket { read write }; -diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te -index 
b3b144c..0bd13e3 100644 ---- a/policy/modules/apps/screen.te -+++ b/policy/modules/apps/screen.te -@@ -115,12 +115,3 @@ userdom_create_user_pty(screen_domain) - userdom_setattr_user_ptys(screen_domain) - userdom_setattr_user_ttys(screen_domain) - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_symlinks(screen_domain) -- fs_list_cifs(screen_domain) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_list_nfs(screen_domain) -- fs_read_nfs_symlinks(screen_domain) --') -diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 546f5a5..7942965 100644 ---- a/policy/modules/apps/telepathy.te -+++ b/policy/modules/apps/telepathy.te -@@ -116,15 +116,7 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_gabble_t) -- fs_manage_nfs_files(telepathy_gabble_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(telepathy_gabble_t) -- fs_manage_cifs_files(telepathy_gabble_t) --') -+userdom_home_manager(telepathy_gabble_t) - - optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) -@@ -183,15 +175,7 @@ files_search_pids(telepathy_logger_t) - - fs_getattr_all_fs(telepathy_logger_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_logger_t) -- fs_manage_nfs_files(telepathy_logger_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(telepathy_logger_t) -- fs_manage_cifs_files(telepathy_logger_t) --') -+userdom_home_manager(telepathy_logger_t) - - optional_policy(` - # ~/.config/dconf/user -@@ -220,15 +204,7 @@ fs_getattr_all_fs(telepathy_mission_control_t) - files_read_etc_files(telepathy_mission_control_t) - files_read_usr_files(telepathy_mission_control_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_mission_control_t) -- fs_manage_nfs_files(telepathy_mission_control_t) --') -- 
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(telepathy_mission_control_t)
-- fs_manage_cifs_files(telepathy_mission_control_t)
--')
-+userdom_home_manager(telepathy_mission_control_t)
-
- optional_policy(`
- dbus_system_bus_client(telepathy_mission_control_t)
-diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
-index f50789e..9ba6da8 100644
---- a/policy/modules/apps/thunderbird.te
-+++ b/policy/modules/apps/thunderbird.te
-@@ -114,17 +114,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
- xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
-
- # Access ~/.thunderbird
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(thunderbird_t)
-- fs_manage_nfs_files(thunderbird_t)
-- fs_manage_nfs_symlinks(thunderbird_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(thunderbird_t)
-- fs_manage_cifs_files(thunderbird_t)
-- fs_manage_cifs_symlinks(thunderbird_t)
--')
-+userdom_home_manager(thunderbird_t)
-
- tunable_policy(`mail_read_content && use_nfs_home_dirs',`
- files_list_home(thunderbird_t)
-diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
-index 98bfbf3..38318b9 100644
---- a/policy/modules/apps/tvtime.te
-+++ b/policy/modules/apps/tvtime.te
-@@ -77,16 +77,7 @@ userdom_use_inherited_user_terminals(tvtime_t)
- userdom_read_user_home_content_files(tvtime_t)
-
- # X access, Home files
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(tvtime_t)
-- fs_manage_nfs_files(tvtime_t)
-- fs_manage_nfs_symlinks(tvtime_t)
--')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(tvtime_t)
-- fs_manage_cifs_files(tvtime_t)
-- fs_manage_cifs_symlinks(tvtime_t)
--')
-+userdom_home_manager(tvtime_t)
-
- optional_policy(`
- xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
-diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
-index 95a3d06..356e2a1 100644
---- a/policy/modules/apps/wireshark.te
-+++ b/policy/modules/apps/wireshark.te
-@@ -97,17 +97,7 @@ sysnet_read_config(wireshark_t)
-
- userdom_manage_user_home_content_files(wireshark_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(wireshark_t)
-- fs_manage_nfs_files(wireshark_t)
-- fs_manage_nfs_symlinks(wireshark_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(wireshark_t)
-- fs_manage_cifs_files(wireshark_t)
-- fs_manage_cifs_symlinks(wireshark_t)
--')
-+userdom_home_manager(wireshark_t)
-
- # Manual transition from userhelper
- optional_policy(`
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 7bcafea..0b0896b 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -302,6 +302,7 @@ ifdef(`distro_gentoo',`
- /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
- /usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 9527971..23a1c3c 100644
---- a/policy/modules/kernel/corecommands.te
-+++ b/policy/modules/kernel/corecommands.te
-@@ -13,7 +13,7 @@ attribute exec_type;
- #
- # bin_t is the type of files in the system bin/sbin directories.
- #
--type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
-+type bin_t alias { ls_exec_t sbin_t };
- corecmd_executable_file(bin_t)
- dev_associate(bin_t) #For /dev/MAKEDEV
-
-diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 12bd6fc..b48524e 100644
---- a/policy/modules/kernel/devices.fc
-+++ b/policy/modules/kernel/devices.fc
-@@ -137,6 +137,7 @@ ifdef(`distro_suse', `
-
- /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
-
-+/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-
-diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index e5652a1..6342520 100644
---- a/policy/modules/kernel/filesystem.if
-+++ b/policy/modules/kernel/filesystem.if
-@@ -2167,6 +2167,24 @@ interface(`fs_read_fusefs_symlinks',`
-
- ########################################
- ##
-+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
- ## Get the attributes of an hugetlbfs
- ## filesystem.
- ##
-diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index cfea862..de3c13e 100644
---- a/policy/modules/roles/staff.te
-+++ b/policy/modules/roles/staff.te
-@@ -66,6 +66,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ blueman_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
- dbadm_role_change(staff_r)
- ')
-
-@@ -234,10 +238,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- blueman_dbus_chat(staff_t)
-- ')
--
-- optional_policy(`
- bluetooth_role(staff_r, staff_t)
- ')
-
-diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
-index 8b2cdf3..bac0dc0 100644
---- a/policy/modules/roles/unconfineduser.if
-+++ b/policy/modules/roles/unconfineduser.if
-@@ -220,42 +220,6 @@ interface(`unconfined_signull',`
-
- ########################################
- ##
--## Send a SIGNULL signal to the unconfined execmem domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_execmem_signull',`
-- gen_require(`
-- type unconfined_execmem_t;
-- ')
--
-- allow $1 unconfined_execmem_t:process signull;
--')
--
--########################################
--##
--## Send a signal to the unconfined execmem domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_execmem_signal',`
-- gen_require(`
-- type unconfined_execmem_t;
-- ')
--
-- allow $1 unconfined_execmem_t:process signal;
--')
--
--########################################
--##
- ## Send generic signals to the unconfined domain.
- ##
- ##
-@@ -557,62 +521,6 @@ interface(`unconfined_rw_shm',`
-
- ########################################
- ##
--## Read and write to unconfined execmem shared memory.
--##
--##
--##
--## The type of the process performing this action.
--##
--##
--#
--interface(`unconfined_execmem_rw_shm',`
-- gen_require(`
-- type unconfined_execmem_t;
-- ')
--
-- allow $1 unconfined_execmem_t:shm rw_shm_perms;
--')
--
--########################################
--##
--## Transition to the unconfined_execmem domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_execmem_domtrans',`
--
-- gen_require(`
-- type unconfined_execmem_t;
-- ')
--
-- execmem_domtrans($1, unconfined_execmem_t)
--')
--
--########################################
--##
--## execute the execmem applications
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`unconfined_execmem_exec',`
--
-- gen_require(`
-- type execmem_exec_t;
-- ')
--
-- can_exec($1, execmem_exec_t)
--')
--
--########################################
--##
- ## Allow apps to set rlimits on userdomain
- ##
- ##
-diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
-index 4ce2685..11ad8fb 100644
---- a/policy/modules/roles/unconfineduser.te
-+++ b/policy/modules/roles/unconfineduser.te
-@@ -320,13 +320,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- mono_role_template(unconfined, unconfined_r, unconfined_t)
-- unconfined_domain_noaudit(unconfined_mono_t)
-- role system_r types unconfined_mono_t;
--')
--
--
--optional_policy(`
- mozilla_role_plugin(unconfined_r)
-
- tunable_policy(`unconfined_mozilla_plugin_transition', `
-diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9db5ebd..454e627 100644
---- a/policy/modules/roles/unprivuser.te
-+++ b/policy/modules/roles/unprivuser.te
-@@ -31,6 +31,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ blueman_dbus_chat(user_t)
-+')
-+
-+optional_policy(`
- colord_dbus_chat(user_t)
- ')
-
-@@ -116,10 +120,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- blueman_dbus_chat(staff_t)
-- ')
--
-- optional_policy(`
- bluetooth_role(user_r, user_t)
- ')
-
-diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index b1ea76e..6f176f9 100644
---- a/policy/modules/roles/xguest.te
-+++ b/policy/modules/roles/xguest.te
-@@ -86,6 +86,13 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ tunable_policy(`xguest_use_bluetooth',`
-+ blueman_dbus_chat(xguest_t)
-+ ')
-+')
-+
-+
-+optional_policy(`
- chrome_role(xguest_r, xguest_usertype)
- ')
-
-@@ -106,10 +113,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- mono_role_template(xguest, xguest_r, xguest_t)
--')
--
--optional_policy(`
- mozilla_run_plugin(xguest_usertype, xguest_r)
- ')
-
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 7cb2fe5..2ef8fef 100644
---- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -1401,5 +1401,3 @@ tunable_policy(`httpd_builtin_scripting',`
- read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
- read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
- ')
--
--
-diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
-index fde1531..12ef44c 100644
---- a/policy/modules/services/blueman.te
-+++ b/policy/modules/services/blueman.te
-@@ -26,6 +26,7 @@ domain_use_interactive_fds(blueman_t)
- files_read_etc_files(blueman_t)
- files_read_usr_files(blueman_t)
-
-+auth_use_nsswitch(blueman_t)
- auth_read_passwd(blueman_t)
-
- logging_send_syslog_msg(blueman_t)
-diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
-index 5c0c84f..83fc37d 100644
---- a/policy/modules/services/cloudform.te
-+++ b/policy/modules/services/cloudform.te
-@@ -137,12 +137,7 @@ corenet_tcp_connect_all_ports(iwhd_t)
- dev_read_rand(iwhd_t)
- dev_read_urand(iwhd_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(iwhd_t)
-- fs_manage_nfs_dirs(iwhd_t)
-- fs_manage_nfs_files(iwhd_t)
-- fs_manage_nfs_symlinks(iwhd_t)
--')
-+userdom_home_manager(iwhd_t)
-
- ########################################
- #
-diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 6ff206b..74f1baa 100644
---- a/policy/modules/services/colord.te
-+++ b/policy/modules/services/colord.te
-@@ -91,15 +91,7 @@ sysnet_dns_name_resolve(colord_t)
-
- userdom_rw_user_tmpfs_files(colord_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_getattr_nfs(colord_t)
-- fs_read_nfs_files(colord_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_getattr_cifs(colord_t)
-- fs_read_cifs_files(colord_t)
--')
-+userdom_home_reader(colord_t)
-
- optional_policy(`
- cups_read_config(colord_t)
-diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index 5b322ca..d45381d 100644
---- a/policy/modules/services/consolekit.te
-+++ b/policy/modules/services/consolekit.te
-@@ -82,13 +82,7 @@ userdom_dontaudit_read_user_home_content_files(consolekit_t)
- userdom_dontaudit_getattr_admin_home_files(consolekit_t)
- userdom_read_user_tmp_files(consolekit_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(consolekit_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(consolekit_t)
--')
-+userdom_home_reader(consolekit_t)
-
- optional_policy(`
- cron_read_system_job_lib_files(consolekit_t)
-diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index 258a3d7..a2e960c 100644
---- a/policy/modules/services/cron.te
-+++ b/policy/modules/services/cron.te
-@@ -300,10 +300,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- mono_domtrans(crond_t)
--')
--
--optional_policy(`
- amanda_search_var_lib(crond_t)
- ')
-
-@@ -553,10 +549,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- mono_domtrans(system_cronjob_t)
--')
--
--optional_policy(`
- mrtg_append_create_logs(system_cronjob_t)
- ')
-
-diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 825cafb..3bc4cfd 100644
---- a/policy/modules/services/cups.te
-+++ b/policy/modules/services/cups.te
-@@ -625,16 +625,7 @@ optional_policy(`
- lpd_manage_spool(cups_pdf_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_search_auto_mountpoints(cups_pdf_t)
-- fs_manage_nfs_dirs(cups_pdf_t)
-- fs_manage_nfs_files(cups_pdf_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(cups_pdf_t)
-- fs_manage_cifs_files(cups_pdf_t)
--')
-+userdom_home_manager(cups_pdf_t)
-
- optional_policy(`
- gnome_read_config(cups_pdf_t)
-diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 3558f18..115133d 100644
---- a/policy/modules/services/dbus.if
-+++ b/policy/modules/services/dbus.if
-@@ -56,6 +56,8 @@ template(`dbus_role_template',`
- ubac_constrained($1_dbusd_t)
- role $2 types $1_dbusd_t;
-
-+ userdom_home_manager($1_dbusd_t)
-+
- ##############################
- #
- # Local policy
-diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index f0266a9..c9396db 100644
---- a/policy/modules/services/dbus.te
-+++ b/policy/modules/services/dbus.te
-@@ -143,13 +143,7 @@ seutil_sigchld_newrole(system_dbusd_t)
- userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
- userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(system_dbusd_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(system_dbusd_t)
--')
-+userdom_home_reader(system_dbusd_t)
-
- optional_policy(`
- bind_domtrans(system_dbusd_t)
-@@ -309,16 +303,6 @@ userdom_manage_user_home_content_dirs(session_bus_type)
- userdom_manage_user_home_content_files(session_bus_type)
- userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(session_bus_type)
-- fs_manage_nfs_files(session_bus_type)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(session_bus_type)
-- fs_manage_cifs_files(session_bus_type)
--')
--
- optional_policy(`
- gnome_read_gconf_home_files(session_bus_type)
- ')
-diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index 2fbb869..194f170 100644
---- a/policy/modules/services/dovecot.te
-+++ b/policy/modules/services/dovecot.te
-@@ -142,6 +142,7 @@ files_dontaudit_list_default(dovecot_t)
- # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
- files_read_etc_runtime_files(dovecot_t)
- files_search_all_mountpoints(dovecot_t)
-+files_read_var_lib_files(dovecot_t)
-
- init_getattr_utmp(dovecot_t)
-
-@@ -152,6 +153,7 @@ logging_send_syslog_msg(dovecot_t)
- miscfiles_read_generic_certs(dovecot_t)
- miscfiles_read_localization(dovecot_t)
-
-+userdom_home_manager(dovecot_t)
- userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
- userdom_manage_user_home_content_dirs(dovecot_t)
- userdom_manage_user_home_content_files(dovecot_t)
-@@ -238,7 +240,6 @@ files_read_usr_files(dovecot_auth_t)
- files_read_usr_symlinks(dovecot_auth_t)
- files_read_var_lib_files(dovecot_auth_t)
- files_search_tmp(dovecot_auth_t)
--files_read_var_lib_files(dovecot_t)
-
- fs_getattr_xattr_fs(dovecot_auth_t)
-
-@@ -330,23 +331,7 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
- userdom_manage_user_home_content_sockets(dovecot_deliver_t)
- userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(dovecot_deliver_t)
-- fs_manage_nfs_files(dovecot_deliver_t)
-- fs_manage_nfs_symlinks(dovecot_deliver_t)
-- fs_manage_nfs_dirs(dovecot_t)
-- fs_manage_nfs_files(dovecot_t)
-- fs_manage_nfs_symlinks(dovecot_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(dovecot_deliver_t)
-- fs_manage_cifs_files(dovecot_deliver_t)
-- fs_manage_cifs_symlinks(dovecot_deliver_t)
-- fs_manage_cifs_dirs(dovecot_t)
-- fs_manage_cifs_files(dovecot_t)
-- fs_manage_cifs_symlinks(dovecot_t)
--')
-+userdom_home_manager(dovecot_deliver_t)
-
- optional_policy(`
- gnome_manage_data(dovecot_deliver_t)
-diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2599f96..c7a0911 100644
---- a/policy/modules/services/fail2ban.te
-+++ b/policy/modules/services/fail2ban.te
-@@ -98,6 +98,9 @@ miscfiles_read_localization(fail2ban_t)
-
- mta_send_mail(fail2ban_t)
-
-+sysnet_manage_config(fail2ban_t)
-+sysnet_filetrans_named_content(fail2ban_t)
-+
- optional_policy(`
- apache_read_log(fail2ban_t)
- ')
-diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 3bc14c3..6c4a30d 100644
---- a/policy/modules/services/ftp.te
-+++ b/policy/modules/services/ftp.te
-@@ -458,16 +458,4 @@ tunable_policy(`sftpd_full_access',`
- files_manage_non_security_files(sftpd_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- # allow read access to /home by default
-- fs_list_cifs(sftpd_t)
-- fs_read_cifs_files(sftpd_t)
-- fs_read_cifs_symlinks(sftpd_t)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- # allow read access to /home by default
-- fs_list_nfs(sftpd_t)
-- fs_read_nfs_files(sftpd_t)
-- fs_read_nfs_symlinks(ftpd_t)
--')
-+userdom_home_reader(sftpd_t)
-diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
-index 27945d1..9077b2d 100644
---- a/policy/modules/services/git.if
-+++ b/policy/modules/services/git.if
-@@ -209,17 +209,7 @@ interface(`git_rwx_all_content',`
- userdom_search_user_home_dirs($1)
- files_search_var_lib($1)
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- fs_manage_cifs_dirs($1)
-- fs_manage_cifs_files($1)
-- ')
-+ userdom_home_manager($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_exec_cifs_files($1)
-@@ -323,15 +313,7 @@ interface(`git_read_all_content_files',`
- userdom_search_user_home_dirs($1)
- files_search_var_lib($1)
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs($1)
-- fs_read_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs($1)
-- fs_read_cifs_files($1)
-- ')
-+ userdom_home_reader($1)
-
- tunable_policy(`git_system_use_cifs',`
- fs_list_cifs($1)
-@@ -363,16 +345,7 @@ interface(`git_read_session_content_files',`
- list_dirs_pattern($1, git_session_content_t, git_session_content_t)
- read_files_pattern($1, git_session_content_t, git_session_content_t)
- userdom_search_user_home_dirs($1)
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs($1)
-- fs_read_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs($1)
-- fs_read_cifs_files($1)
-- ')
-+ userdom_home_reader($1)
- ')
-
- #######################################
-diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
-index 2ef543c..fa32fcf 100644
---- a/policy/modules/services/git.te
-+++ b/policy/modules/services/git.te
-@@ -166,15 +166,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
- corenet_sendrecv_generic_server_packets(git_session_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs(git_session_t)
-- fs_read_nfs_files(git_session_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs(git_session_t)
-- fs_read_cifs_files(git_session_t)
--')
-+userdom_home_reader(git_session_t)
-
- ########################################
- #
-diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
-index 5fc89c4..738c3e2 100644
---- a/policy/modules/services/i18n_input.te
-+++ b/policy/modules/services/i18n_input.te
-@@ -74,16 +74,7 @@ sysnet_read_config(i18n_input_t)
-
- userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
- userdom_read_user_home_content_files(i18n_input_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(i18n_input_t)
-- fs_read_nfs_symlinks(i18n_input_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(i18n_input_t)
-- fs_read_cifs_symlinks(i18n_input_t)
--')
-+userdom_home_reader(i18n_input_t)
-
- optional_policy(`
- canna_stream_connect(i18n_input_t)
-diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index f28acd2..27d96e1 100644
---- a/policy/modules/services/lpd.te
-+++ b/policy/modules/services/lpd.te
-@@ -308,19 +308,7 @@ tunable_policy(`use_lpd_server',`
- read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- files_list_home(lpr_t)
-- fs_list_auto_mountpoints(lpr_t)
-- fs_read_nfs_files(lpr_t)
-- fs_read_nfs_symlinks(lpr_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- files_list_home(lpr_t)
-- fs_list_auto_mountpoints(lpr_t)
-- fs_read_cifs_files(lpr_t)
-- fs_read_cifs_symlinks(lpr_t)
--')
-+userdom_home_reader(lpr_t)
-
- optional_policy(`
- cups_read_config(lpr_t)
-diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
-index b1107b5..4389219 100644
---- a/policy/modules/services/mock.te
-+++ b/policy/modules/services/mock.te
-@@ -127,6 +127,7 @@ userdom_use_user_ptys(mock_t)
- files_search_home(mock_t)
-
- tunable_policy(`mock_enable_homedirs',`
-+ userdom_manage_user_home_content_dirs(mock_t)
- userdom_manage_user_home_content_files(mock_t)
- ')
-
-diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
-index e4ac35e..36ff69d 100644
---- a/policy/modules/services/mpd.te
-+++ b/policy/modules/services/mpd.te
-@@ -108,16 +108,7 @@ miscfiles_read_localization(mpd_t)
-
- userdom_read_home_audio_files(mpd_t)
- userdom_read_user_tmpfs_files(mpd_t)
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(mpd_t)
-- fs_read_cifs_symlinks(mpd_t)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(mpd_t)
-- fs_read_nfs_symlinks(mpd_t)
--')
-+userdom_home_reader(mpd_t)
-
- optional_policy(`
- alsa_read_rw_config(mpd_t)
-diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index e5519fd..867dfac 100644
---- a/policy/modules/services/mta.if
-+++ b/policy/modules/services/mta.if
-@@ -340,6 +340,8 @@ interface(`mta_mailserver_delivery',`
- ')
-
- typeattribute $1 mailserver_delivery;
-+
-+ userdom_home_manager($1)
- ')
-
- #######################################
-diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 65fd01f..7f55b85 100644
---- a/policy/modules/services/mta.te
-+++ b/policy/modules/services/mta.te
-@@ -233,18 +233,6 @@ read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
-
- read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mailserver_delivery)
-- fs_manage_cifs_files(mailserver_delivery)
-- fs_manage_cifs_symlinks(mailserver_delivery)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mailserver_delivery)
-- fs_manage_nfs_files(mailserver_delivery)
-- fs_manage_nfs_symlinks(mailserver_delivery)
--')
--
- optional_policy(`
- dovecot_manage_spool(mailserver_delivery)
- dovecot_domtrans_deliver(mailserver_delivery)
-diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
-index 98f541f..58148ed 100644
---- a/policy/modules/services/oident.te
-+++ b/policy/modules/services/oident.te
-@@ -59,17 +59,8 @@ miscfiles_read_localization(oidentd_t)
- sysnet_read_config(oidentd_t)
-
- oident_read_user_content(oidentd_t)
-+userdom_home_reader(oidentd_t)
-
- optional_policy(`
- nis_use_ypbind(oidentd_t)
- ')
--
--tunable_policy(`use_samba_home_dirs', `
-- fs_list_cifs(oidentd_t)
-- fs_read_cifs_files(oidentd_t)
--')
--
--tunable_policy(`use_nfs_home_dirs', `
-- fs_list_nfs(oidentd_t)
-- fs_read_nfs_files(oidentd_t)
--')
-diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
-index 89ab1b6..d958b53 100644
---- a/policy/modules/services/polipo.te
-+++ b/policy/modules/services/polipo.te
-@@ -146,14 +146,4 @@ tunable_policy(`polipo_session_send_syslog_msg',`
- logging_send_syslog_msg(polipo_session_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files(polipo_session_t)
--',`
-- fs_dontaudit_manage_nfs_files(polipo_session_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(polipo_session_t)
--',`
-- fs_dontaudit_manage_cifs_files(polipo_session_t)
--')
-+userdom_home_manager(polipo_session_t)
-diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 6451f82..4c188f9 100644
---- a/policy/modules/services/procmail.te
-+++ b/policy/modules/services/procmail.te
-@@ -110,17 +110,7 @@ ifdef(`hide_broken_symptoms',`
- mta_dontaudit_rw_queue(procmail_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(procmail_t)
-- fs_manage_nfs_files(procmail_t)
-- fs_manage_nfs_symlinks(procmail_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(procmail_t)
-- fs_manage_cifs_files(procmail_t)
-- fs_manage_cifs_symlinks(procmail_t)
--')
-+userdom_home_manager(procmail_t)
-
- optional_policy(`
- clamav_domtrans_clamscan(procmail_t)
-diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
-index cc1775e..9405f78 100644
---- a/policy/modules/services/razor.te
-+++ b/policy/modules/services/razor.te
-@@ -121,17 +121,7 @@ ifdef(`distro_redhat',`
- userdom_search_user_home_dirs(razor_t)
- userdom_use_inherited_user_terminals(razor_t)
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(razor_t)
-- fs_manage_nfs_files(razor_t)
-- fs_manage_nfs_symlinks(razor_t)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(razor_t)
-- fs_manage_cifs_files(razor_t)
-- fs_manage_cifs_symlinks(razor_t)
-- ')
-+ userdom_home_manager(razor_t)
-
- optional_policy(`
- milter_manage_spamass_state(razor_t)
-diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index adc198d..a475797 100644
---- a/policy/modules/services/remotelogin.te
-+++ b/policy/modules/services/remotelogin.te
-@@ -88,15 +88,7 @@ userdom_manage_user_tmp_dirs(remote_login_t)
- userdom_manage_user_tmp_files(remote_login_t)
- userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(remote_login_t)
-- fs_read_nfs_symlinks(remote_login_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(remote_login_t)
-- fs_read_cifs_symlinks(remote_login_t)
--')
-+userdom_home_reader(remote_login_t)
-
- optional_policy(`
- alsa_domtrans(remote_login_t)
-diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 4bcaacc..91c8ee8 100644
---- a/policy/modules/services/rlogin.te
-+++ b/policy/modules/services/rlogin.te
-@@ -92,21 +92,10 @@ userdom_search_admin_dir(rlogind_t)
- userdom_manage_user_tmp_files(rlogind_t)
- userdom_tmp_filetrans_user_tmp(rlogind_t, file)
- userdom_use_user_terminals(rlogind_t)
-+userdom_home_reader(rlogind_t)
-
- rlogin_read_home_content(rlogind_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs(rlogind_t)
-- fs_read_nfs_files(rlogind_t)
-- fs_read_nfs_symlinks(rlogind_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs(rlogind_t)
-- fs_read_cifs_files(rlogind_t)
-- fs_read_cifs_symlinks(rlogind_t)
--')
--
- optional_policy(`
- kerberos_keytab_template(rlogind, rlogind_t)
- kerberos_manage_host_rcache(rlogind_t)
-diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 49a4283..cdf9184 100644
---- a/policy/modules/services/rshd.te
-+++ b/policy/modules/services/rshd.te
-@@ -68,15 +68,7 @@ seutil_read_default_contexts(rshd_t)
- userdom_search_user_home_content(rshd_t)
- userdom_manage_tmp_role(system_r, rshd_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(rshd_t)
-- fs_read_nfs_symlinks(rshd_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(rshd_t)
--
fs_read_cifs_symlinks(rshd_t) --') -+userdom_home_reader(rshd_t) +diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te +index ec838bd..5d940f8 100644 +--- a/policy/modules/admin/prelink.te ++++ b/policy/modules/admin/prelink.te +@@ -126,7 +126,7 @@ optional_policy(` + ') optional_policy(` - kerberos_keytab_template(rshd, rshd_t) -diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index a370364..32019d8 100644 ---- a/policy/modules/services/spamassassin.te -+++ b/policy/modules/services/spamassassin.te -@@ -147,6 +147,7 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) - manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) - manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) - userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) -+userdom_home_manager(spamassassin_t) - - kernel_read_kernel_sysctls(spamassassin_t) - -@@ -207,18 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',` - userdom_manage_user_home_content_symlinks(spamd_t) +- nsplugin_manage_rw_files(prelink_t) ++ mozilla_plugin_manage_rw_files(prelink_t) ') --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(spamassassin_t) -- fs_manage_nfs_files(spamassassin_t) -- fs_manage_nfs_symlinks(spamassassin_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(spamassassin_t) -- fs_manage_cifs_files(spamassassin_t) -- fs_manage_cifs_symlinks(spamassassin_t) --') -- optional_policy(` - # Write pid file and socket in ~/.evolution/cache/tmp - evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) -@@ -328,18 +317,7 @@ seutil_read_config(spamc_t) +diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc +index 35b51ab..800b5c8 100644 +--- a/policy/modules/apps/mozilla.fc ++++ b/policy/modules/apps/mozilla.fc +@@ -4,6 +4,11 @@ HOME_DIR/\.mozilla(/.*)? 
gen_context(system_u:object_r:mozilla_home_t,s0) + HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - sysnet_read_config(spamc_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(spamc_t) -- fs_manage_nfs_files(spamc_t) -- fs_manage_nfs_symlinks(spamc_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(spamc_t) -- fs_manage_cifs_files(spamc_t) -- fs_manage_cifs_symlinks(spamc_t) --') -- -+userdom_home_manager(spamc_t) - - optional_policy(` - abrt_stream_connect(spamc_t) -@@ -479,22 +457,13 @@ miscfiles_read_localization(spamd_t) + # + # /bin +@@ -15,6 +20,9 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) - userdom_use_unpriv_users_fds(spamd_t) - userdom_search_user_home_dirs(spamd_t) -+userdom_home_manager(spamd_t) + # + # /lib +@@ -27,4 +35,9 @@ HOME_DIR/\.phoenix(/.*)? 
gen_context(system_u:object_r:mozilla_home_t,s0) + /usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ + /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++ ++/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) ++ ++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if +index b9b8ac2..aa15d05 100644 +--- a/policy/modules/apps/mozilla.if ++++ b/policy/modules/apps/mozilla.if +@@ -208,10 +208,12 @@ interface(`mozilla_domtrans',` + interface(`mozilla_domtrans_plugin',` + gen_require(` + type mozilla_plugin_t, mozilla_plugin_exec_t; ++ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; + class dbus send_msg; + ') - optional_policy(` - exim_manage_spool_dirs(spamd_t) - exim_manage_spool_files(spamd_t) - ') + domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) ++ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + allow mozilla_plugin_t $1:process signull; + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:fd use; +@@ -247,6 +249,7 @@ interface(`mozilla_run_plugin',` --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(spamd_t) -- fs_manage_nfs_files(spamd_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(spamd_t) -- fs_manage_cifs_files(spamd_t) --') -- - optional_policy(` - amavis_manage_lib_files(spamd_t) + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; ++ role $2 types mozilla_plugin_config_t; ') -diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 
5439f7e..126255f 100644 ---- a/policy/modules/services/ssh.if -+++ b/policy/modules/services/ssh.if -@@ -277,19 +277,7 @@ template(`ssh_server_template',` - # Allow checking users mail at login - mta_getattr_spool($1_t) - -- tunable_policy(`use_fusefs_home_dirs',` -- fs_manage_fusefs_dirs($1_t) -- fs_manage_fusefs_files($1_t) -- ') -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files($1_t) -- fs_read_nfs_symlinks($1_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files($1_t) -- ') -+ userdom_home_manager($1_t) - - optional_policy(` - kerberos_use($1_t) -@@ -443,19 +431,7 @@ template(`ssh_role_template',` - ssh_exec_keygen($3) + ####################################### +@@ -266,6 +269,7 @@ interface(`mozilla_role_plugin',` + ') -- tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files($1_ssh_agent_t) -- -- # transition back to normal privs upon exec -- fs_nfs_domtrans($1_ssh_agent_t, $3) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files($1_ssh_agent_t) -- -- # transition back to normal privs upon exec -- fs_cifs_domtrans($1_ssh_agent_t, $3) -- ') -+ userdom_home_manager($1_ssh_agent_t) + role $1 types mozilla_plugin_t; ++ role $1 types mozilla_plugin_config_t; + ') - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 02e70c9..e93db05 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te -@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t) - userdom_write_user_tmp_files(ssh_t) - userdom_read_user_home_content_symlinks(ssh_t) - userdom_read_home_certs(ssh_t) -+userdom_home_manager(ssh_t) + ######################################## +@@ -360,3 +364,23 @@ interface(`mozilla_plugin_dontaudit_leaks',` - tunable_policy(`allow_ssh_keysign',` - domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -210,16 +211,6 @@ tunable_policy(`use_fusefs_home_dirs',` - fs_manage_fusefs_files(ssh_t) + 
dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(ssh_t) -- fs_manage_nfs_files(ssh_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(ssh_t) -- fs_manage_cifs_files(ssh_t) --') -- - # for port forwarding - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_ssh_port(ssh_t) -@@ -498,14 +489,7 @@ tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_symlinks(chroot_user_t) ++ ++######################################## ++## ++## Create, read, write, and delete ++## mozilla_plugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_plugin_manage_rw_files',` ++ gen_require(` ++ type mozilla_plugin_rw_t; ++ ') ++ ++ allow $1 mozilla_plugin_rw_t:file manage_file_perms; ++ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; ++') +diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te +index 75d0b62..344f2e4 100644 +--- a/policy/modules/apps/mozilla.te ++++ b/policy/modules/apps/mozilla.te +@@ -23,7 +23,7 @@ type mozilla_conf_t; + files_config_file(mozilla_conf_t) + + type mozilla_home_t; +-typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; ++typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t }; + typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; + files_poly_member(mozilla_home_t) + userdom_user_home_content(mozilla_home_t) +@@ -43,6 +43,13 @@ userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t) + files_tmpfs_file(mozilla_plugin_tmpfs_t) + ubac_constrained(mozilla_plugin_tmpfs_t) + ++type mozilla_plugin_rw_t alias nsplugin_rw_t; ++files_type(mozilla_plugin_rw_t) ++ ++type mozilla_plugin_config_t; ++type mozilla_plugin_config_exec_t; ++application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) ++ + type mozilla_tmp_t; + files_tmp_file(mozilla_tmp_t) + 
ubac_constrained(mozilla_tmp_t) +@@ -280,11 +287,6 @@ optional_policy(` ') --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(chroot_user_t) -- fs_read_nfs_symlinks(chroot_user_t) --') -- --tunable_policy(`use_fusefs_home_dirs',` -- fs_read_fusefs_files(chroot_user_t) --') -+userdom_home_manager(chroot_user_t) - optional_policy(` - ssh_rw_dgram_sockets(chroot_user_t) -diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 5c32a99..eb8979d 100644 ---- a/policy/modules/services/sssd.te -+++ b/policy/modules/services/sssd.te -@@ -117,17 +117,7 @@ optional_policy(` - ldap_stream_connect(sssd_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(sssd_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(sssd_t) +- nsplugin_manage_rw(mozilla_t) +- nsplugin_manage_home_files(mozilla_t) -') - --tunable_policy(`use_fusefs_home_dirs',` -- fs_read_fusefs_files(sssd_t) --') -+userdom_home_reader(sssd_t) - - - -diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3619ec3..629863f 100644 ---- a/policy/modules/services/virt.te -+++ b/policy/modules/services/virt.te -@@ -842,10 +842,6 @@ miscfiles_read_localization(virtd_lxc_t) - - sysnet_domtrans_ifconfig(virtd_lxc_t) - -optional_policy(` -- execmem_exec(virtd_lxc_t) --') -- - #optional_policy(` - # unconfined_shell_domtrans(virtd_lxc_t) - # unconfined_signal(virtd_t) -diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 743ea2b..ab908aa 100644 ---- a/policy/modules/services/xserver.te -+++ b/policy/modules/services/xserver.te -@@ -286,18 +286,7 @@ fs_search_auto_mountpoints(iceauth_t) - userdom_use_inherited_user_terminals(iceauth_t) - userdom_read_user_tmp_files(iceauth_t) - userdom_read_all_users_state(iceauth_t) -- --tunable_policy(`use_fusefs_home_dirs',` -- fs_manage_fusefs_files(iceauth_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files(iceauth_t) --') -- 
--tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files(iceauth_t) --') -+userdom_home_manager(iceauth_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) + pulseaudio_manage_home_files(mozilla_t) +@@ -330,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug + manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) + ++allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; ++read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ + can_exec(mozilla_plugin_t, mozilla_exec_t) - ifdef(`hide_broken_symptoms',` - dev_dontaudit_read_urand(iceauth_t) -@@ -388,14 +377,7 @@ tunable_policy(`use_fusefs_home_dirs',` - fs_manage_fusefs_files(xauth_t) + kernel_read_kernel_sysctls(mozilla_plugin_t) +@@ -452,17 +458,6 @@ optional_policy(` ') --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files(xauth_t) -- fs_read_nfs_symlinks(xauth_t) + optional_policy(` +- nsplugin_domtrans(mozilla_plugin_t) +- nsplugin_rw_exec(mozilla_plugin_t) +- nsplugin_manage_home_dirs(mozilla_plugin_t) +- nsplugin_manage_home_files(mozilla_plugin_t) +- nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) +- nsplugin_user_home_filetrans(mozilla_plugin_t, file) +- nsplugin_read_rw_files(mozilla_plugin_t); +- nsplugin_signal(mozilla_plugin_t) -') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files(xauth_t) --') -+userdom_home_manager(xauth_t) - - ifdef(`hide_broken_symptoms',` - term_dontaudit_use_unallocated_ttys(xauth_t) -@@ -614,6 +596,7 @@ files_dontaudit_access_check_etc(xdm_t) - files_dontaudit_getattr_all_dirs(xdm_t) - files_dontaudit_getattr_all_symlinks(xdm_t) - files_dontaudit_getattr_all_tmp_sockets(xdm_t) -+files_dontaudit_all_access_check(xdm_t) - - 
fs_getattr_all_fs(xdm_t) - fs_search_auto_mountpoints(xdm_t) -@@ -678,6 +661,7 @@ userdom_manage_user_tmp_dirs(xdm_t) - userdom_manage_user_tmp_files(xdm_t) - userdom_manage_user_tmp_sockets(xdm_t) - userdom_manage_tmpfs_role(system_r, xdm_t) -+userdom_home_manager(xdm_t) - - application_signal(xdm_t) - -@@ -699,16 +683,10 @@ tunable_policy(`use_fusefs_home_dirs',` - ') - - tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(xdm_t) -- fs_manage_nfs_files(xdm_t) -- fs_manage_nfs_symlinks(xdm_t) - fs_exec_nfs_files(xdm_t) - ') - - tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(xdm_t) -- fs_manage_cifs_files(xdm_t) -- fs_manage_cifs_symlinks(xdm_t) - fs_exec_cifs_files(xdm_t) +-optional_policy(` + pulseaudio_exec(mozilla_plugin_t) + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) +@@ -491,3 +486,61 @@ optional_policy(` + xserver_append_xdm_home_files(mozilla_plugin_t); ') -@@ -1227,26 +1205,10 @@ init_use_fds(xserver_t) - # (xauth?) 
- userdom_read_user_home_content_files(xserver_t) - userdom_read_all_users_state(xserver_t) -+userdom_home_manager(xserver_t) ++######################################## ++# ++# mozilla_plugin_config local policy ++# ++ ++allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem }; ++ ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++ ++dev_search_sysfs(mozilla_plugin_config_t) ++dev_read_urand(mozilla_plugin_config_t) ++dev_dontaudit_read_rand(mozilla_plugin_config_t) ++dev_dontaudit_rw_dri(mozilla_plugin_config_t) ++ ++fs_search_auto_mountpoints(mozilla_plugin_config_t) ++fs_list_inotifyfs(mozilla_plugin_config_t) ++ ++can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++ ++corecmd_exec_bin(mozilla_plugin_config_t) ++corecmd_exec_shell(mozilla_plugin_config_t) ++ ++kernel_read_system_state(mozilla_plugin_config_t) ++kernel_request_load_module(mozilla_plugin_config_t) ++ ++domain_use_interactive_fds(mozilla_plugin_config_t) ++ ++files_read_etc_files(mozilla_plugin_config_t) ++files_read_usr_files(mozilla_plugin_config_t) ++files_dontaudit_search_home(mozilla_plugin_config_t) ++files_list_tmp(mozilla_plugin_config_t) ++ 
++auth_use_nsswitch(mozilla_plugin_config_t) ++ ++miscfiles_read_localization(mozilla_plugin_config_t) ++miscfiles_read_fonts(mozilla_plugin_config_t) ++ ++userdom_search_user_home_content(mozilla_plugin_config_t) ++userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) ++userdom_read_user_home_content_files(mozilla_plugin_config_t) ++userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t) ++ ++domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) ++ ++optional_policy(` ++ xserver_use_user_fonts(mozilla_plugin_config_t) ++') +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index 39b1056..cc3f02e 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -4176,6 +4176,30 @@ interface(`dev_dontaudit_write_sysfs_dirs',` - xserver_use_user_fonts(xserver_t) + ######################################## + ## ++## Read cpu online hardware state information. ++## ++## ++##

++## Allow the specified domain to read /sys/devices/system/cpu/online file. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_cpu_online',` ++ gen_require(` ++ type cpu_online_t; ++ ') ++ ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) ++') ++ ++######################################## ++## + ## Read hardware state information. + ## + ## +diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te +index 1c2562c..112bebb 100644 +--- a/policy/modules/kernel/devices.te ++++ b/policy/modules/kernel/devices.te +@@ -225,6 +225,10 @@ files_mountpoint(sysfs_t) + fs_type(sysfs_t) + genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) + ++type cpu_online_t; ++allow cpu_online_t sysfs_t:filesystem associate; ++genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) ++ + # + # Type for /dev/tpm + # +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index f9a1bcc..a478431 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -115,6 +115,7 @@ kernel_dontaudit_search_debugfs(domain) + allow domain self:process { fork getsched sigchld }; + + # Use trusted objects in /dev ++dev_read_cpu_online(domain) + dev_rw_null(domain) + dev_rw_zero(domain) + term_use_controlling_term(domain) +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +index 11ad8fb..35524d6 100644 +--- a/policy/modules/roles/unconfineduser.te ++++ b/policy/modules/roles/unconfineduser.te +@@ -8,13 +8,6 @@ attribute unconfined_login_domain; --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(xserver_t) -- fs_manage_nfs_files(xserver_t) -- fs_manage_nfs_symlinks(xserver_t) --') -- --tunable_policy(`use_fusefs_home_dirs',` -- fs_manage_fusefs_dirs(xserver_t) -- fs_manage_fusefs_files(xserver_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(xserver_t) -- fs_manage_cifs_files(xserver_t) -- fs_manage_cifs_symlinks(xserver_t) --') + ## + ##

+-## allow unconfined users to transition to the nsplugin domains when running nspluginviewer +-##

+-##
+-gen_tunable(allow_unconfined_nsplugin_transition, false) - - optional_policy(` - dbus_system_bus_client(xserver_t) - -@@ -1434,7 +1396,6 @@ tunable_policy(`use_nfs_home_dirs',` - - optional_policy(` - unconfined_rw_shm(xserver_t) -- unconfined_execmem_rw_shm(xserver_t) - - # xserver signals unconfined user on startx - unconfined_signal(xserver_t) -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 5a963ef..2409206 100644 ---- a/policy/modules/system/init.if -+++ b/policy/modules/system/init.if -@@ -650,7 +650,7 @@ interface(`init_dontaudit_rw_stream_socket',` - type init_t; - ') - -- dontaudit $1 init_t:unix_stream_socket { read write }; -+ dontaudit $1 init_t:unix_stream_socket { getattr read write }; - ') +-## +-##

+ ## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox + ##

+ ##
+@@ -128,14 +121,6 @@ optional_policy(` + attribute unconfined_usertype; + ') - ######################################## -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 75f6d6b..f44bdae 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1206,13 +1206,6 @@ optional_policy(` - rpm_transition_script(initrc_t) - - optional_policy(` -- gen_require(` -- type unconfined_execmem_t, execmem_exec_t; +- nsplugin_role_notrans(unconfined_r, unconfined_usertype) +- optional_policy(` +- tunable_policy(`allow_unconfined_nsplugin_transition',` +- nsplugin_domtrans(unconfined_usertype) +- nsplugin_domtrans_config(unconfined_usertype) - ') -- init_system_domain(unconfined_execmem_t, execmem_exec_t) - ') - -- optional_policy(` - rtkit_scheduled(initrc_t) - ') - ') -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 37a5bb4..2291a13 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -154,15 +154,7 @@ tunable_policy(`console_login',` - term_relabel_console(local_login_t) + optional_policy(` + abrt_dbus_chat(unconfined_usertype) + abrt_run_helper(unconfined_usertype, unconfined_r) +diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te +index 6f176f9..0258e24 100644 +--- a/policy/modules/roles/xguest.te ++++ b/policy/modules/roles/xguest.te +@@ -117,10 +117,6 @@ optional_policy(` ') --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(local_login_t) -- fs_read_nfs_symlinks(local_login_t) + optional_policy(` +- nsplugin_role(xguest_r, xguest_t) -') - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(local_login_t) -- fs_read_cifs_symlinks(local_login_t) --') -+userdom_home_reader(local_login_t) - - tunable_policy(`allow_console_login',` - term_use_console(local_login_t) -diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 2273e1a..6b39756 100644 ---- 
a/policy/modules/system/modutils.te -+++ b/policy/modules/system/modutils.te -@@ -78,6 +78,7 @@ userdom_use_inherited_user_terminals(depmod_t) - files_list_home(depmod_t) - userdom_read_user_home_content_files(depmod_t) - userdom_manage_user_tmp_files(depmod_t) -+userdom_home_reader(depmod_t) - - ifdef(`distro_ubuntu',` - optional_policy(` -@@ -85,14 +86,6 @@ ifdef(`distro_ubuntu',` - ') +-optional_policy(` + pcscd_read_pub_files(xguest_usertype) + pcscd_stream_connect(xguest_usertype) + ') +diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te +index d5a9038..a1cbdb4 100644 +--- a/policy/modules/services/abrt.te ++++ b/policy/modules/services/abrt.te +@@ -208,11 +208,6 @@ optional_policy(` ') --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(depmod_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(depmod_t) --') -- optional_policy(` - bootloader_rw_tmp_files(insmod_t) - ') -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 3ee9ea8..ac8b214 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -492,14 +492,7 @@ seutil_manage_default_contexts(semanage_t) - # Handle pp files created in homedir and /tmp - userdom_read_user_home_content_files(semanage_t) - userdom_read_user_tmp_files(semanage_t) -- --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(semanage_t) +- nsplugin_read_rw_files(abrt_t) +- nsplugin_read_home(abrt_t) -') - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(semanage_t) --') -+userdom_home_reader(semanage_t) - - ifdef(`distro_debian',` - files_read_var_lib_files(semanage_t) +-optional_policy(` + policykit_dbus_chat(abrt_t) + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 31047e8..0bb4d1e 100644 +index 0b3811d..0281618 100644 --- a/policy/modules/system/userdomain.if 
+++ b/policy/modules/system/userdomain.if -@@ -1144,10 +1144,6 @@ template(`userdom_restricted_xwindows_user_template',` - ') - - optional_policy(` -- openoffice_role_template($1, $1_r, $1_usertype) -- ') -- -- optional_policy(` - policykit_role($1_r, $1_usertype) - ') - -@@ -1282,10 +1278,6 @@ template(`userdom_unpriv_user_template', ` +@@ -787,10 +787,6 @@ template(`userdom_common_user_template',` ') optional_policy(` -- mono_role_template($1, $1_r, $1_t) +- nsplugin_role($1_r, $1_usertype) - ') - - optional_policy(` - mount_run_fusermount($1_t, $1_r) - mount_read_pid_files($1_t) - ') -@@ -5065,3 +5057,41 @@ interface(`userdom_filetrans_home_content',` - # gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin") - #') - ') -+ -+######################################## -+## -+## Make the specified type able to read content in user home dirs -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_home_reader',` -+ gen_require(` -+ attribute userdom_home_reader_type; -+ ') -+ -+ typeattribute $1 userdom_home_reader_type; -+') -+ -+ -+######################################## -+## -+## Make the specified type able to manage content in user home dirs -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_home_manager',` -+ gen_require(` -+ attribute userdom_home_manager_type; -+ ') -+ -+ typeattribute $1 userdom_home_manager_type; -+') -+ -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index d6c3860..ced52ff 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -73,6 +73,9 @@ attribute unpriv_userdomain; - attribute untrusted_content_type; - attribute untrusted_content_tmp_type; - -+attribute userdom_home_reader_type; -+attribute userdom_home_manager_type; -+ - # unprivileged user domains - attribute user_home_type; - attribute user_tmp_type; -@@ -172,3 +175,36 @@ optional_policy(` - optional_policy(` - xserver_filetrans_home_content(userdomain) - ') -+ -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_read_nfs_files(userdom_home_reader_type) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_files(userdom_home_reader_type) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_read_fusefs_files(userdom_home_reader_type) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(userdom_home_manager_type) -+ fs_manage_nfs_dirs(userdom_home_manager_type) -+ fs_manage_nfs_files(userdom_home_manager_type) -+ fs_manage_nfs_symlinks(userdom_home_manager_type) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(userdom_home_manager_type) -+ fs_manage_cifs_files(userdom_home_manager_type) -+ fs_manage_cifs_symlinks(userdom_home_manager_type) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_manage_fusefs_dirs(userdom_home_manager_type) -+ fs_manage_fusefs_files(userdom_home_manager_type) -+ fs_manage_fusefs_symlinks(userdom_home_manager_type) -+') -+ + tunable_policy(`allow_user_mysql_connect',` + mysql_stream_connect($1_t) + ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 87aba5a..2b1ae32 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -24,7 +24,6 @@ Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
 patch2: thumb.patch
-patch3: execmem.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -216,7 +215,7 @@ if [ -e /etc/selinux/%2/.rebuild ]; then \
 if [ %1 -ne 1 ]; then \
 /usr/sbin/semodule -n -s %2 -r execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
 fi \
- rm -f /etc/selinux/%2/modules/active/modules/qemu.pp \
+ rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
 /usr/sbin/semodule -B -n -s %2; \
 fi; \
 [ "${SELINUXTYPE}" == "%2" ] && [ selinuxenabled ] && load_policy; \
@@ -240,7 +239,6 @@ Based off of reference policy: Checked out revision 2.20091117
 %patch -p1
 %patch1 -p1 -b .unconfined
 %patch2 -p1 -b .thumb
-%patch3 -p1 -b .execmem
 %install
 mkdir selinux_config
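Review bot: The `rm -f` line in the second hunk deletes `nsplugin.pp` from the active module store, while the first and third hunks drop `patch3: execmem.patch` and `%patch3 -p1 -b .execmem`, and on this page the rewritten execmem.patch is where the replacement policy lives (the `mozilla_plugin_config_t` domain and the `nsplugin_home_t` / `nsplugin_rw_t` aliases). Unless the same rules are also carried in `policy-F16.patch`, which is not visible here, an upgrade would presumably remove the nsplugin module without installing the policy meant to take over its files and binaries. I would confirm that before merging and then either keep the two `patch3` lines or delete the now-unreferenced patch file so the repository does not carry policy that is never built. A spec comment above the macro definition, such as `# nsplugin was merged into the mozilla module; remove the stale nsplugin.pp before the rebuild`, would record why the file is deleted by hand rather than through the `semodule -r` list. The macro that contains the `rm -f` line starts and ends outside the hunk.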