diff --git a/Changelog b/Changelog
index 0fa7738..17d4d04 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Move user roles into individual modules.
- Make hald_log_t a log file.
- Cryptsetup runs shell scripts. Patch from Martin Orr.
- Add file for enabling policy capabilities.
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 87dc0c1..1fb5445 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -1,5 +1,5 @@
-policy_module(acct,1.1.0)
+policy_module(acct,1.1.1)
########################################
#
@@ -66,9 +66,10 @@ logging_send_syslog_msg(acct_t)
miscfiles_read_localization(acct_t)
-userdom_dontaudit_search_sysadm_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
+sysadm_dontaudit_search_home_dirs(acct_t)
+
optional_policy(`
optional_policy(`
# for monthly cron job
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index ffe916b..914f757 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
-policy_module(alsa,1.4.0)
+policy_module(alsa,1.4.1)
########################################
#
@@ -60,8 +60,10 @@ miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
-userdom_search_generic_user_home_dirs(alsa_t)
-userdom_dontaudit_search_sysadm_home_dirs(alsa_t)
+
+sysadm_dontaudit_search_home_dirs(alsa_t)
+
+unprivuser_search_home_dirs(alsa_t)
optional_policy(`
hal_use_fds(alsa_t)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 025da73..a5f6f45 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.8.0)
+policy_module(amanda,1.8.1)
#######################################
#
@@ -181,7 +181,7 @@ manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
+sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
@@ -228,4 +228,4 @@ logging_search_logs(amanda_recover_t)
miscfiles_read_localization(amanda_recover_t)
-userdom_search_sysadm_home_content_dirs(amanda_recover_t)
+sysadm_search_home_content_dirs(amanda_recover_t)
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 9684a0e..34255f0 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -1,5 +1,5 @@
-policy_module(anaconda,1.2.0)
+policy_module(anaconda,1.2.1)
########################################
#
@@ -34,7 +34,7 @@ seutil_domtrans_semanage(anaconda_t)
unconfined_domain(anaconda_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
optional_policy(`
dmesg_domtrans(anaconda_t)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index b430249..be26bcb 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.7.0)
+policy_module(bootloader,1.7.1)
########################################
#
@@ -212,6 +212,9 @@ optional_policy(`
')
optional_policy(`
- userdom_dontaudit_search_staff_home_dirs(bootloader_t)
- userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+ staff_dontaudit_search_home_dirs(bootloader_t)
+')
+
+optional_policy(`
+ sysadm_dontaudit_search_home_dirs(bootloader_t)
')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 91b0e98..7a74094 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,5 +1,5 @@
-policy_module(dmesg,1.1.0)
+policy_module(dmesg,1.1.1)
########################################
#
@@ -50,9 +50,10 @@ logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t)
-userdom_use_sysadm_terms(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+sysadm_use_terms(dmesg_t)
+
optional_policy(`
seutil_sigchld_newrole(dmesg_t)
')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 1a2a66a..ec7cf5c 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.6.0)
+policy_module(firstboot,1.6.1)
gen_require(`
class passwd rootok;
@@ -88,13 +88,13 @@ modutils_read_module_config(firstboot_t)
modutils_read_module_deps(firstboot_t)
# Add/remove user home directories
-userdom_manage_generic_user_home_content_dirs(firstboot_t)
-userdom_manage_generic_user_home_content_files(firstboot_t)
-userdom_manage_generic_user_home_content_symlinks(firstboot_t)
-userdom_manage_generic_user_home_content_pipes(firstboot_t)
-userdom_manage_generic_user_home_content_sockets(firstboot_t)
-userdom_home_filetrans_generic_user_home_dir(firstboot_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_manage_home_content_dirs(firstboot_t)
+unprivuser_manage_home_content_files(firstboot_t)
+unprivuser_manage_home_content_symlinks(firstboot_t)
+unprivuser_manage_home_content_pipes(firstboot_t)
+unprivuser_manage_home_content_sockets(firstboot_t)
+unprivuser_home_filetrans_home_dir(firstboot_t)
+unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
hal_dbus_chat(firstboot_t)
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 6b7f12f..47e98f7 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu,1.5.0)
+policy_module(kudzu,1.5.1)
########################################
#
@@ -122,9 +122,10 @@ modutils_domtrans_insmod(kudzu_t)
sysnet_read_config(kudzu_t)
-userdom_search_sysadm_home_dirs(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
+sysadm_search_home_dirs(kudzu_t)
+
optional_policy(`
gpm_getattr_gpmctl(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 313298b..ff27e33 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
-policy_module(logrotate,1.8.0)
+policy_module(logrotate,1.8.1)
########################################
#
@@ -115,7 +115,6 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
-userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
@@ -123,6 +122,8 @@ cron_search_spool(logrotate_t)
mta_send_mail(logrotate_t)
+sysadm_dontaudit_search_home_dirs(logrotate_t)
+
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
# for savelog
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 7fd7487..59c4a4e 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.7.0)
+policy_module(logwatch,1.7.1)
#################################
#
@@ -88,11 +88,10 @@ selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_dns_name_resolve(logwatch_t)
-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-
mta_send_mail(logwatch_t)
+sysadm_dontaudit_search_home_dirs(logwatch_t)
+
optional_policy(`
apache_read_log(logwatch_t)
')
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 4cfd88a..c13c762 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg,1.3.0)
+policy_module(mrtg,1.3.1)
########################################
#
@@ -115,7 +115,8 @@ selinux_dontaudit_getattr_dir(mrtg_t)
sysnet_read_config(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
-userdom_use_sysadm_terms(mrtg_t)
+
+sysadm_use_terms(mrtg_t)
ifdef(`enable_mls',`
corenet_udp_sendrecv_lo_if(mrtg_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 401120a..2c06304 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -272,7 +272,7 @@ interface(`portage_fetch_domain',`
sysnet_read_config($1)
sysnet_dns_name_resolve($1)
- userdom_dontaudit_read_sysadm_home_content_files($1)
+ sysadm_dontaudit_read_home_content_files($1)
ifdef(`hide_broken_symptoms',`
dontaudit $1 portage_cache_t:file read;
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 49476ac..151828a 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage,1.5.0)
+policy_module(portage,1.5.1)
########################################
#
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index b8227d4..fde1608 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
-policy_module(readahead,1.5.0)
+policy_module(readahead,1.5.1)
########################################
#
@@ -79,7 +79,8 @@ logging_dontaudit_search_audit_config(readahead_t)
miscfiles_read_localization(readahead_t)
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
+
+sysadm_dontaudit_search_home_dirs(readahead_t)
optional_policy(`
cron_system_entry(readahead_t, readahead_exec_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 6495325..1d6fa25 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.10.0)
+policy_module(usermanage,1.10.1)
########################################
#
@@ -159,7 +159,7 @@ libs_use_shared_libs(crack_t)
logging_send_syslog_msg(crack_t)
-userdom_dontaudit_search_sysadm_home_dirs(crack_t)
+sysadm_dontaudit_search_home_dirs(crack_t)
ifdef(`distro_debian',`
# the package cracklib-runtime on Debian contains a daily maintenance
@@ -236,8 +236,9 @@ auth_use_nsswitch(groupadd_t)
seutil_read_config(groupadd_t)
userdom_use_unpriv_users_fds(groupadd_t)
+
# for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
+sysadm_dontaudit_search_home_dirs(groupadd_t)
optional_policy(`
dpkg_use_fds(groupadd_t)
@@ -501,13 +502,11 @@ seutil_domtrans_semanage(useradd_t)
seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
-# for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
# Add/remove user home directories
-userdom_home_filetrans_generic_user_home_dir(useradd_t)
userdom_manage_all_users_home_content_dirs(useradd_t)
userdom_manage_all_users_home_content_files(useradd_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
+unprivuser_home_filetrans_home_dir(useradd_t)
+unprivuser_home_dir_filetrans_home_content(useradd_t,notdevfile_class_set)
mta_manage_spool(useradd_t)
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 7d10435..d48ff4b 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -1,5 +1,5 @@
-policy_module(calamaris,1.2.0)
+policy_module(calamaris,1.2.1)
########################################
#
@@ -67,7 +67,7 @@ miscfiles_read_localization(calamaris_t)
sysnet_read_config(calamaris_t)
-userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
+sysadm_dontaudit_list_home_dirs(calamaris_t)
squid_read_log(calamaris_t)
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 3a02cc7..9bbd43f 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games,1.6.0)
+policy_module(games,1.6.1)
########################################
#
@@ -58,7 +58,8 @@ logging_send_syslog_msg(games_t)
miscfiles_read_localization(games_t)
userdom_dontaudit_use_unpriv_user_fds(games_t)
-userdom_dontaudit_search_sysadm_home_dirs(games_t)
+
+sysadm_dontaudit_search_home_dirs(games_t)
optional_policy(`
seutil_sigchld_newrole(games_t)
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 47b711a..ee29a1f 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
-policy_module(mono,1.4.0)
+policy_module(mono,1.4.1)
########################################
#
@@ -17,7 +17,7 @@ init_system_domain(mono_t,mono_exec_t)
allow mono_t self:process { execheap execmem };
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
init_dbus_chat_script(mono_t)
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index aae9a1b..7be910c 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
-policy_module(uml,1.5.0)
+policy_module(uml,1.5.1)
########################################
#
@@ -57,7 +57,8 @@ logging_send_syslog_msg(uml_switch_t)
miscfiles_read_localization(uml_switch_t)
userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
-userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
+
+sysadm_dontaudit_search_home_dirs(uml_switch_t)
optional_policy(`
seutil_sigchld_newrole(uml_switch_t)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index ccc3d2c..4a6c6a8 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -161,8 +161,8 @@ template(`userhelper_per_role_template',`
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
- userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
- userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
')
optional_policy(`
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index f84c4e4..69fa2e1 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@@ -1,5 +1,5 @@
-policy_module(userhelper,1.3.0)
+policy_module(userhelper,1.3.1)
########################################
#
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 69e988a..d239b8d 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
-policy_module(vmware,1.5.0)
+policy_module(vmware,1.5.1)
########################################
#
@@ -87,7 +87,8 @@ miscfiles_read_localization(vmware_host_t)
sysnet_dns_name_resolve(vmware_host_t)
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
-userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
+
+sysadm_dontaudit_search_home_dirs(vmware_host_t)
optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
diff --git a/policy/modules/roles/auditadm.fc b/policy/modules/roles/auditadm.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/auditadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if
new file mode 100644
index 0000000..532cb5a
--- /dev/null
+++ b/policy/modules/roles/auditadm.if
@@ -0,0 +1,45 @@
+## <summary>Audit administrator role</summary>
+
+########################################
+## <summary>
+## Change to the generic user role.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`auditadm_role_change_template',`
+ userdom_role_change_template($1, auditadm)
+')
+
+########################################
+## <summary>
+## Change from the generic user role.
+## </summary>
+## <desc>
+## <p>
+## Change from the generic user role to
+## the specified role.
+## </p>
+## <p>
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`auditadm_role_change_to_template',`
+ userdom_role_change_template(auditadm, $1)
+')
+
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
new file mode 100644
index 0000000..29d389a
--- /dev/null
+++ b/policy/modules/roles/auditadm.te
@@ -0,0 +1,50 @@
+
+policy_module(auditadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role auditadm_r;
+
+userdom_unpriv_user_template(auditadm)
+
+########################################
+#
+# Local policy
+#
+
+allow auditadm_t self:capability { dac_read_search dac_override };
+
+corecmd_exec_shell(auditadm_t)
+
+domain_kill_all_domains(auditadm_t)
+
+logging_send_syslog_msg(auditadm_t)
+logging_read_generic_logs(auditadm_t)
+logging_manage_audit_log(auditadm_t)
+logging_manage_audit_config(auditadm_t)
+logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+
+seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+seutil_read_bin_policy(auditadm_t)
+
+optional_policy(`
+ consoletype_exec(auditadm_t)
+')
+
+optional_policy(`
+ dmesg_exec(auditadm_t)
+')
+
+optional_policy(`
+ secadm_role_change_template(auditadm)
+')
+
+optional_policy(`
+ sysadm_role_change_template(auditadm)
+ sysadm_dontaudit_read_home_content_files(auditadm_t)
+')
+
diff --git a/policy/modules/roles/metadata.xml b/policy/modules/roles/metadata.xml
new file mode 100644
index 0000000..ba002e8
--- /dev/null
+++ b/policy/modules/roles/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for user roles.</summary>
diff --git a/policy/modules/roles/secadm.fc b/policy/modules/roles/secadm.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/secadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if
new file mode 100644
index 0000000..a5148b0
--- /dev/null
+++ b/policy/modules/roles/secadm.if
@@ -0,0 +1,45 @@
+## <summary>Security administrator role</summary>
+
+########################################
+## <summary>
+## Change to the generic user role.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`secadm_role_change_template',`
+ userdom_role_change_template($1, secadm)
+')
+
+########################################
+## <summary>
+## Change from the generic user role.
+## </summary>
+## <desc>
+## <p>
+## Change from the generic user role to
+## the specified role.
+## </p>
+## <p>
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`secadm_role_change_to_template',`
+ userdom_role_change_template(secadm, $1)
+')
+
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
new file mode 100644
index 0000000..1831961
--- /dev/null
+++ b/policy/modules/roles/secadm.te
@@ -0,0 +1,62 @@
+
+policy_module(secadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role secadm_r;
+
+userdom_unpriv_user_template(secadm)
+userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+
+########################################
+#
+# Local policy
+#
+
+allow secadm_t self:capability { dac_read_search dac_override };
+
+corecmd_exec_shell(secadm_t)
+
+dev_relabel_all_dev_nodes(secadm_t)
+
+domain_obj_id_change_exemption(secadm_t)
+
+mls_process_read_up(secadm_t)
+mls_file_read_all_levels(secadm_t)
+mls_file_write_all_levels(secadm_t)
+mls_file_upgrade(secadm_t)
+mls_file_downgrade(secadm_t)
+
+auth_relabel_all_files_except_shadow(secadm_t)
+auth_relabel_shadow(secadm_t)
+
+init_exec(secadm_t)
+
+logging_read_audit_log(secadm_t)
+logging_read_generic_logs(secadm_t)
+logging_read_audit_config(secadm_t)
+
+optional_policy(`
+ aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+ auditadm_role_change_template(secadm)
+')
+
+optional_policy(`
+ netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+ staff_dontaudit_append_home_content_files(secadm_t)
+')
+
+optional_policy(`
+ sysadm_role_change_template(secadm)
+ sysadm_dontaudit_read_home_content_files(secadm_t)
+')
+
diff --git a/policy/modules/roles/staff.fc b/policy/modules/roles/staff.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/staff.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
new file mode 100644
index 0000000..6e0bc69
--- /dev/null
+++ b/policy/modules/roles/staff.if
@@ -0,0 +1,162 @@
+## <summary>Administrator's unprivileged user role</summary>
+
+########################################
+## <summary>
+## Change to the staff role.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_template',`
+ userdom_role_change_template($1, staff)
+')
+
+########################################
+## <summary>
+## Change from the staff role.
+## </summary>
+## <desc>
+## <p>
+## Change from the staff role to
+## the specified role.
+## </p>
+## <p>
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_to_template',`
+ userdom_role_change_template(staff, $1)
+')
+
+########################################
+## <summary>
+## Search the staff users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_search_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the staff
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`staff_dontaudit_search_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ dontaudit $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete staff
+## home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_manage_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel to staff home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_relabelto_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append to the staff
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`staff_dontaudit_append_home_content_files',`
+ gen_require(`
+ type staff_home_t;
+ ')
+
+ dontaudit $1 staff_home_t:file append;
+')
+
+########################################
+## <summary>
+## Read files in the staff users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`staff_read_home_content_files',`
+ gen_require(`
+ type staff_home_dir_t, staff_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+ read_lnk_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+')
+
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
new file mode 100644
index 0000000..9d68d0b
--- /dev/null
+++ b/policy/modules/roles/staff.te
@@ -0,0 +1,30 @@
+
+policy_module(staff, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role staff_r;
+
+userdom_unpriv_user_template(staff)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+ auditadm_role_change_template(staff)
+')
+
+optional_policy(`
+ secadm_role_change_template(staff)
+')
+
+optional_policy(`
+ sysadm_role_change_template(staff)
+ sysadm_dontaudit_use_terms(staff_t)
+')
+
diff --git a/policy/modules/roles/sysadm.fc b/policy/modules/roles/sysadm.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/sysadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
new file mode 100644
index 0000000..8c4ad00
--- /dev/null
+++ b/policy/modules/roles/sysadm.if
@@ -0,0 +1,547 @@
+## <summary>General system administration role</summary>
+
+########################################
+## <summary>
+## Change to the generic user role.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`sysadm_role_change_template',`
+ userdom_role_change_template($1, sysadm)
+')
+
+########################################
+## <summary>
+## Change from the generic user role.
+## </summary>
+## <desc>
+## <p>
+## Change from the generic user role to
+## the specified role.
+## </p>
+## <p>
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`sysadm_role_change_to_template',`
+ userdom_role_change_template(sysadm, $1)
+')
+
+########################################
+## <summary>
+## Execute a shell in the sysadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_shell_domtrans',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_shell_domtrans($1, sysadm_t)
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a generic bin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_bin_spec_domtrans($1, sysadm_t)
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute all entrypoint files in the sysadm domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ domain_entry_file_spec_domtrans($1, sysadm_t)
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow sysadm to execute a generic bin program in
+## a specified domain. This is an explicit transition,
+## requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Allow sysadm to execute a generic bin program in
+## a specified domain.
+## </p>
+## <p>
+## This is a interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans_to',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ corecmd_bin_spec_domtrans(sysadm_t, $1)
+ allow $1 sysadm_t:fd use;
+ allow $1 sysadm_t:fifo_file rw_file_perms;
+ allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to sysadm users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_sigchld',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use sysadm file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_use_fds',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow $1 sysadm_t:fd use;
+')
+
+########################################
+## <summary>
+## Read and write sysadm user unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_rw_pipes',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attepts to get the attributes
+## of sysadm ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_getattr_ttys',`
+ gen_require(`
+ type sysadm_tty_device_t;
+ ')
+
+ dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read and write sysadm ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_use_ttys',`
+ gen_require(`
+ type sysadm_tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ term_list_ptys($1)
+ allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use sysadm ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_ttys',`
+ gen_require(`
+ type sysadm_tty_device_t;
+ ')
+
+ dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+## Read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_use_ptys',`
+ gen_require(`
+ type sysadm_devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ term_list_ptys($1)
+ allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Dont audit attempts to read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_ptys',`
+ gen_require(`
+ type sysadm_devpts_t;
+ ')
+
+ dontaudit $1 sysadm_devpts_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+## Read and write sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_use_terms',`
+ sysadm_use_ttys($1)
+ sysadm_use_ptys($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_terms',`
+ sysadm_dontaudit_use_ttys($1)
+ sysadm_dontaudit_use_ptys($1)
+')
+
+########################################
+## <summary>
+## Get the attributes of the sysadm users
+## home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_getattr_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the sysadm users
+## home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_getattr_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the sysadm users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_search_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the sysadm
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_search_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the sysadm users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_list_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list the sysadm
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_list_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in sysadm home directories
+## with automatic file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## If not specified, file is used.
+## </summary>
+## </param>
+#
+interface(`sysadm_home_dir_filetrans',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Search the sysadm users home sub directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_search_home_content_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
+ ')
+
+ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read files in the sysadm home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_read_home_content_files',`
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+ read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files in the sysadm
+## home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_read_home_content_files',`
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+ dontaudit $1 sysadm_home_t:dir search_dir_perms;
+ dontaudit $1 sysadm_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read sysadm temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_read_tmp_files',`
+ gen_require(`
+ type sysadm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 sysadm_tmp_t:dir list_dir_perms;
+ read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+ read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+')
+
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
new file mode 100644
index 0000000..186b2a6
--- /dev/null
+++ b/policy/modules/roles/sysadm.te
@@ -0,0 +1,330 @@
+
+policy_module(sysadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+role sysadm_r;
+
+userdom_admin_user_template(sysadm)
+
+ifndef(`enable_mls',`
+ userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+########################################
+#
+# Local policy
+#
+
+corecmd_exec_shell(sysadm_t)
+
+mls_process_read_up(sysadm_t)
+
+init_exec(sysadm_t)
+
+# For sending reboot and wall messages
+userdom_use_unpriv_users_ptys(sysadm_t)
+userdom_use_unpriv_users_ttys(sysadm_t)
+
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ ')
+',`
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ seutil_init_script_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ ')
+ ')
+')
+
+ifndef(`enable_mls',`
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
+ logging_run_auditctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+tunable_policy(`allow_ptrace',`
+ domain_ptrace_all_domains(sysadm_t)
+')
+
+optional_policy(`
+ amanda_run_recover(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ apache_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+')
+
+optional_policy(`
+ # cjp: why is this not apm_run_client
+ apm_domtrans_client(sysadm_t)
+')
+
+optional_policy(`
+ apt_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ auditadm_role_change_template(sysadm)
+')
+
+optional_policy(`
+ backup_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ bind_run_ndc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ bootloader_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ clock_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ clockspeed_run_cli(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ cron_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cvs_exec(sysadm_t)
+')
+
+optional_policy(`
+ dcc_run_cdcc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ dcc_run_client(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ dcc_run_dbclean(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ ddcprobe_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ dmesg_exec(sysadm_t)
+')
+
+optional_policy(`
+ dmidecode_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ dpkg_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
+')
+
+optional_policy(`
+ fstools_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ # allow system administrator to use the ipsec script to look
+ # at things (e.g., ipsec auto --status)
+ # probably should create an ipsec_admin role for this kind of thing
+ ipsec_exec_mgmt(sysadm_t)
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
+')
+
+optional_policy(`
+ iptables_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ logrotate_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lvm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ modutils_run_insmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ modutils_run_update_mods(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ mount_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ mta_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ munin_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+ netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ ntp_stub()
+ corenet_udp_bind_ntp_port(sysadm_t)
+')
+
+optional_policy(`
+ oav_run_update(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ pcmcia_run_cardctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ portage_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ portage_run_gcc_config(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ portmap_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ quota_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ raid_domtrans_mdadm(sysadm_t)
+')
+
+optional_policy(`
+ rpc_domtrans_nfsd(sysadm_t)
+')
+
+optional_policy(`
+ rpm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ rsync_exec(sysadm_t)
+')
+
+optional_policy(`
+ samba_run_net(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ samba_run_winbind_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ secadm_role_change_template(sysadm)
+')
+
+optional_policy(`
+ seutil_run_setfiles(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ seutil_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ staff_role_change_template(sysadm)
+')
+
+optional_policy(`
+ sysnet_run_ifconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ sysnet_run_dhcpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ tripwire_run_siggen(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ tripwire_run_tripwire(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ tripwire_run_twadmin(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ tripwire_run_twprint(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ tzdata_domtrans(sysadm_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ # Add/remove user home directories
+ unprivuser_manage_home_dirs(sysadm_t)
+ unprivuser_home_filetrans_home_dir(sysadm_t)
+
+ unprivuser_role_change_template(sysadm)
+')
+
+optional_policy(`
+ usbmodules_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ usermanage_run_groupadd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ usermanage_run_useradd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ vpn_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ webalizer_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+ yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
diff --git a/policy/modules/roles/unprivuser.fc b/policy/modules/roles/unprivuser.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/unprivuser.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
new file mode 100644
index 0000000..1b55153
--- /dev/null
+++ b/policy/modules/roles/unprivuser.if
@@ -0,0 +1,325 @@
+## <summary>Generic unprivileged user role</summary>
+
+########################################
+## <summary>
+## Change to the generic user role.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`unprivuser_role_change_template',`
+ userdom_role_change_template($1, user)
+')
+
+########################################
+## <summary>
+## Change from the generic user role.
+## </summary>
+## <desc>
+## <p>
+## Change from the generic user role to
+## the specified role.
+## </p>
+## <p>
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`unprivuser_role_change_to_template',`
+ userdom_role_change_template(user, $1)
+')
+
+########################################
+## <summary>
+## Create generic user home directories
+## with automatic file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_home_filetrans_home_dir',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ files_home_filetrans($1,user_home_dir_t,dir)
+')
+
+########################################
+## <summary>
+## Search generic user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_search_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in generic user home directories
+## with automatic file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## If not specified, file is used.
+## </summary>
+## </param>
+#
+interface(`unprivuser_home_dir_filetrans_home_content',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
+')
+
+########################################
+## <summary>
+## Don't audit search on the user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_search_home_dirs',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete generic user
+## home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_manage_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## subdirectories of generic user
+## home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_dirs',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+## Relabel to generic user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_relabelto_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+## Read files in generic user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_read_home_content_files',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_t:dir list_dir_perms;
+ read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+## Mmap of generic user
+## home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_mmap_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_t:file execute;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## in generic user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to relabel generic user
+## home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_relabel_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic
+## links in generic user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_symlinks',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete named
+## pipes in generic user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_pipes',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete named
+## sockets in generic user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_sockets',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
new file mode 100644
index 0000000..6a1254b
--- /dev/null
+++ b/policy/modules/roles/unprivuser.te
@@ -0,0 +1,15 @@
+
+policy_module(unprivuser, 1.0.0)
+
+# this module should be named user, but that is
+# a compile error since user is a keyword.
+
+########################################
+#
+# Declarations
+#
+
+role user_r;
+
+userdom_unpriv_user_template(user)
+
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index f77f14c..462cb20 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
-policy_module(afs,1.2.0)
+policy_module(afs,1.2.1)
########################################
#
@@ -186,8 +186,7 @@ seutil_read_config(afs_fsserver_t)
sysnet_read_config(afs_fsserver_t)
-userdom_dontaudit_use_sysadm_ttys(afs_fsserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_fsserver_t)
+sysadm_dontaudit_use_terms(afs_fsserver_t)
########################################
#
@@ -235,8 +234,7 @@ seutil_read_config(afs_kaserver_t)
sysnet_read_config(afs_kaserver_t)
-userdom_dontaudit_use_sysadm_ttys(afs_kaserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_kaserver_t)
+sysadm_dontaudit_use_terms(afs_kaserver_t)
########################################
#
@@ -277,8 +275,7 @@ miscfiles_read_localization(afs_ptserver_t)
sysnet_read_config(afs_ptserver_t)
-userdom_dontaudit_use_sysadm_ttys(afs_ptserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_ptserver_t)
+sysadm_dontaudit_use_terms(afs_ptserver_t)
########################################
#
@@ -319,5 +316,4 @@ miscfiles_read_localization(afs_vlserver_t)
sysnet_read_config(afs_vlserver_t)
-userdom_dontaudit_use_sysadm_ttys(afs_vlserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_vlserver_t)
+sysadm_dontaudit_use_terms(afs_vlserver_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index b8b475c..c8f4bbc 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
-policy_module(amavis,1.6.0)
+policy_module(amavis,1.6.1)
########################################
#
@@ -143,8 +143,6 @@ miscfiles_read_localization(amavis_t)
sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)
-userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
-
# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
@@ -152,6 +150,8 @@ cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
+sysadm_dontaudit_search_home_dirs(amavis_t)
+
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 74accd1..b263dbb 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.9.0)
+policy_module(apache,1.9.1)
#
# NOTES:
@@ -419,9 +419,9 @@ tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_t)
- userdom_use_sysadm_terms(httpd_t)
+ sysadm_use_terms(httpd_t)
',`
- userdom_dontaudit_use_sysadm_terms(httpd_t)
+ sysadm_dontaudit_use_terms(httpd_t)
')
optional_policy(`
@@ -515,10 +515,7 @@ libs_use_shared_libs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
- # cjp: this is redundant:
- term_use_controlling_term(httpd_helper_t)
-
- userdom_use_sysadm_terms(httpd_helper_t)
+ sysadm_use_terms(httpd_helper_t)
')
########################################
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 44a1a00..3aaf5bd 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
-policy_module(apm,1.6.0)
+policy_module(apm,1.6.1)
########################################
#
@@ -139,9 +139,10 @@ modutils_read_module_config(apmd_t)
seutil_dontaudit_read_config(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_sysadm_home_dirs(apmd_t)
userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
+sysadm_dontaudit_search_home_dirs(apmd_t)
+
ifdef(`distro_redhat',`
allow apmd_t apmd_lock_t:file manage_file_perms;
files_lock_filetrans(apmd_t,apmd_lock_t,file)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 63afd6f..f09cbdd 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,5 +1,5 @@
-policy_module(arpwatch,1.5.0)
+policy_module(arpwatch,1.5.1)
########################################
#
@@ -81,10 +81,11 @@ logging_send_syslog_msg(arpwatch_t)
miscfiles_read_localization(arpwatch_t)
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
-userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
mta_send_mail(arpwatch_t)
+sysadm_dontaudit_search_home_dirs(arpwatch_t)
+
optional_policy(`
seutil_sigchld_newrole(arpwatch_t)
')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index b9e5d01..d1ba555 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
-policy_module(asterisk,1.4.0)
+policy_module(asterisk,1.4.1)
########################################
#
@@ -126,7 +126,8 @@ miscfiles_read_localization(asterisk_t)
sysnet_read_config(asterisk_t)
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
-userdom_dontaudit_search_sysadm_home_dirs(asterisk_t)
+
+sysadm_dontaudit_search_home_dirs(asterisk_t)
optional_policy(`
nis_use_ypbind(asterisk_t)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 63de93c..9005dde 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
-policy_module(audio_entropy,1.3.0)
+policy_module(audio_entropy,1.3.1)
########################################
#
@@ -49,7 +49,8 @@ logging_send_syslog_msg(entropyd_t)
miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
-userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
+
+sysadm_dontaudit_search_home_dirs(entropyd_t)
optional_policy(`
seutil_sigchld_newrole(entropyd_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 03aaa9e..e62ae70 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.8.0)
+policy_module(automount,1.8.1)
########################################
#
@@ -145,7 +145,8 @@ sysnet_use_ldap(automount_t)
sysnet_read_config(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
-userdom_dontaudit_search_sysadm_home_dirs(automount_t)
+
+sysadm_dontaudit_search_home_dirs(automount_t)
optional_policy(`
bind_search_cache(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 726d403..01404f6 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.8.0)
+policy_module(avahi,1.8.1)
########################################
#
@@ -78,7 +78,8 @@ logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
-userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+
+sysadm_dontaudit_search_home_dirs(avahi_t)
optional_policy(`
dbus_system_bus_client_template(avahi,avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index f330f16..d35fe06 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.6.0)
+policy_module(bind,1.6.1)
########################################
#
@@ -147,7 +147,8 @@ miscfiles_read_certs(named_t)
sysnet_read_config(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
-userdom_dontaudit_search_sysadm_home_dirs(named_t)
+
+sysadm_dontaudit_search_home_dirs(named_t)
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t,named_zone_t,named_zone_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index c80a6ff..f4db88c 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,2.1.0)
+policy_module(bluetooth,2.1.1)
########################################
#
@@ -121,8 +121,9 @@ miscfiles_read_fonts(bluetooth_t)
sysnet_read_config(bluetooth_t)
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
-userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
+
+sysadm_dontaudit_use_ptys(bluetooth_t)
+sysadm_dontaudit_search_home_dirs(bluetooth_t)
optional_policy(`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index e94d4d7..ea586b6 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna,1.6.0)
+policy_module(canna,1.6.1)
########################################
#
@@ -78,7 +78,8 @@ miscfiles_read_localization(canna_t)
sysnet_read_config(canna_t)
userdom_dontaudit_use_unpriv_user_fds(canna_t)
-userdom_dontaudit_search_sysadm_home_dirs(canna_t)
+
+sysadm_dontaudit_search_home_dirs(canna_t)
optional_policy(`
nis_use_ypbind(canna_t)
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index 6f9defd..d8ae246 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@@ -1,5 +1,5 @@
-policy_module(comsat,1.4.0)
+policy_module(comsat,1.4.1)
########################################
#
@@ -69,10 +69,10 @@ logging_send_syslog_msg(comsat_t)
miscfiles_read_localization(comsat_t)
-userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
-
mta_getattr_spool(comsat_t)
+sysadm_dontaudit_getattr_ttys(comsat_t)
+
optional_policy(`
kerberos_use(comsat_t)
')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index e9205ab..9c1006d 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
-policy_module(courier,1.4.0)
+policy_module(courier,1.4.1)
########################################
#
@@ -65,10 +65,11 @@ miscfiles_read_localization(courier_authdaemon_t)
# should not be needed!
userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
courier_domtrans_pop(courier_authdaemon_t)
+sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
+
########################################
#
# Calendar (PCP) local policy
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 2c648c2..5a00230 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.9.0)
+policy_module(cups,1.9.1)
########################################
#
@@ -357,11 +357,12 @@ miscfiles_read_localization(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
-userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
+
+cups_stream_connect(cupsd_config_t)
lpd_read_config(cupsd_config_t)
-cups_stream_connect(cupsd_config_t)
+sysadm_dontaudit_search_home_dirs(cupsd_config_t)
ifdef(`distro_redhat',`
init_getattr_script_files(cupsd_config_t)
@@ -561,11 +562,12 @@ miscfiles_read_localization(hplip_t)
sysnet_read_config(hplip_t)
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
lpd_read_config(cupsd_t)
+sysadm_dontaudit_search_home_dirs(hplip_t)
+
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index c3c926c..0460925 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.5.0)
+policy_module(cyrus,1.5.1)
########################################
#
@@ -108,12 +108,13 @@ miscfiles_read_certs(cyrus_t)
sysnet_read_config(cyrus_t)
userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
-userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
mta_manage_spool(cyrus_t)
mta_send_mail(cyrus_t)
+sysadm_dontaudit_search_home_dirs(cyrus_t)
+
optional_policy(`
cron_system_entry(cyrus_t,cyrus_exec_t)
')
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index ebf3ecf..fd1fbfe 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -1,5 +1,5 @@
-policy_module(dante,1.4.0)
+policy_module(dante,1.4.1)
########################################
#
@@ -72,7 +72,8 @@ miscfiles_read_localization(dante_t)
sysnet_read_config(dante_t)
userdom_dontaudit_use_unpriv_user_fds(dante_t)
-userdom_dontaudit_search_sysadm_home_dirs(dante_t)
+
+sysadm_dontaudit_search_home_dirs(dante_t)
optional_policy(`
seutil_sigchld_newrole(dante_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1e2b2bf..3d7eb76 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus,1.8.0)
+policy_module(dbus,1.8.1)
gen_require(`
class dbus all_dbus_perms;
@@ -106,7 +106,8 @@ seutil_read_default_contexts(system_dbusd_t)
seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
+
+sysadm_dontaudit_search_home_dirs(system_dbusd_t)
tunable_policy(`read_default_t',`
files_list_default(system_dbusd_t)
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index f019c25..e92766a 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
-policy_module(dcc,1.5.0)
+policy_module(dcc,1.5.1)
########################################
#
@@ -273,7 +273,8 @@ sysnet_read_config(dccd_t)
sysnet_dns_name_resolve(dccd_t)
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
+
+sysadm_dontaudit_search_home_dirs(dccd_t)
optional_policy(`
nscd_socket_use(dccd_t)
@@ -346,7 +347,8 @@ sysnet_read_config(dccifd_t)
sysnet_dns_name_resolve(dccifd_t)
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
+
+sysadm_dontaudit_search_home_dirs(dccifd_t)
optional_policy(`
nscd_socket_use(dccifd_t)
@@ -418,7 +420,8 @@ sysnet_read_config(dccm_t)
sysnet_dns_name_resolve(dccm_t)
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
+
+sysadm_dontaudit_search_home_dirs(dccm_t)
optional_policy(`
nscd_socket_use(dccm_t)
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index f94e134..aef76b6 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
-policy_module(ddclient,1.4.0)
+policy_module(ddclient,1.4.1)
########################################
#
@@ -98,7 +98,8 @@ sysnet_exec_ifconfig(ddclient_t)
sysnet_read_config(ddclient_t)
userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
-userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
+
+sysadm_dontaudit_search_home_dirs(ddclient_t)
optional_policy(`
seutil_sigchld_newrole(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 901635a..bfbcaed 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
-policy_module(dhcp,1.5.0)
+policy_module(dhcp,1.5.1)
########################################
#
@@ -99,7 +99,8 @@ sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dhcpd_t)
+
+sysadm_dontaudit_search_home_dirs(dhcpd_t)
ifdef(`distro_gentoo',`
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index 3bfd4aa..660b169 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -1,5 +1,5 @@
-policy_module(distcc,1.5.0)
+policy_module(distcc,1.5.1)
########################################
#
@@ -81,7 +81,8 @@ miscfiles_read_localization(distccd_t)
sysnet_read_config(distccd_t)
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
+
+sysadm_dontaudit_search_home_dirs(distccd_t)
optional_policy(`
nis_use_ypbind(distccd_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 4999098..bf6c334 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
-policy_module(dnsmasq,1.5.0)
+policy_module(dnsmasq,1.5.1)
########################################
#
@@ -81,7 +81,8 @@ miscfiles_read_localization(dnsmasq_t)
sysnet_read_config(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
-userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
+
+sysadm_dontaudit_search_home_dirs(dnsmasq_t)
optional_policy(`
nis_use_ypbind(dnsmasq_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 34deb41..9471e99 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.8.0)
+policy_module(dovecot,1.8.1)
########################################
#
@@ -113,11 +113,12 @@ miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
userdom_priveleged_home_dir_manager(dovecot_t)
mta_manage_spool(dovecot_t)
+sysadm_dontaudit_search_home_dirs(dovecot_t)
+
optional_policy(`
kerberos_use(dovecot_t)
')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index b43336e..9e97e84 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,5 +1,5 @@
-policy_module(exim,1.1.0)
+policy_module(exim,1.1.1)
########################################
#
@@ -102,12 +102,13 @@ miscfiles_read_localization(exim_t)
sysnet_dns_name_resolve(exim_t)
-userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+unprivuser_dontaudit_search_home_dirs(exim_t)
mta_read_aliases(exim_t)
mta_rw_spool(exim_t)
+sysadm_dontaudit_search_home_dirs(exim_t)
+
tunable_policy(`exim_read_user_files',`
userdom_read_unpriv_users_home_content_files(exim_t)
userdom_read_unpriv_users_tmp_files(exim_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 0f58ecd..4106bbb 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.5.1)
+policy_module(fetchmail,1.5.2)
########################################
#
@@ -83,7 +83,8 @@ miscfiles_read_certs(fetchmail_t)
sysnet_read_config(fetchmail_t)
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
+
+sysadm_dontaudit_search_home_dirs(fetchmail_t)
optional_policy(`
procmail_domtrans(fetchmail_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 7bea8af..b69b8aa 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
-policy_module(finger,1.6.0)
+policy_module(finger,1.6.1)
########################################
#
@@ -91,12 +91,12 @@ sysnet_read_config(fingerd_t)
miscfiles_read_localization(fingerd_t)
-userdom_read_unpriv_users_home_content_files(fingerd_t)
-userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
-userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
-userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
+userdom_read_unpriv_users_home_content_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+
+sysadm_dontaudit_search_home_dirs(fingerd_t)
optional_policy(`
cron_system_entry(fingerd_t, fingerd_exec_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 02c5ea5..26d43ef 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.7.0)
+policy_module(ftp,1.7.1)
########################################
#
@@ -179,9 +179,10 @@ seutil_dontaudit_search_config(ftpd_t)
sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
+sysadm_dontaudit_search_home_dirs(ftpd_t)
+
tunable_policy(`allow_ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 118dfa5..a7ce0db 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
-policy_module(gatekeeper,1.4.0)
+policy_module(gatekeeper,1.4.1)
########################################
#
@@ -88,7 +88,8 @@ miscfiles_read_localization(gatekeeper_t)
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
+
+sysadm_dontaudit_search_home_dirs(gatekeeper_t)
optional_policy(`
nis_use_ypbind(gatekeeper_t)
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 185d96f..ad75558 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -1,5 +1,5 @@
-policy_module(gpm,1.4.0)
+policy_module(gpm,1.4.1)
########################################
#
@@ -69,7 +69,8 @@ logging_send_syslog_msg(gpm_t)
miscfiles_read_localization(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
-userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
+
+sysadm_dontaudit_search_home_dirs(gpm_t)
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 6170da5..bb0da44 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.9.1)
+policy_module(hal,1.9.2)
########################################
#
@@ -193,7 +193,8 @@ seutil_read_file_contexts(hald_t)
sysnet_read_config(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
-userdom_dontaudit_search_sysadm_home_dirs(hald_t)
+
+sysadm_dontaudit_search_home_dirs(hald_t)
optional_policy(`
alsa_domtrans(hald_t)
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index 9b7d99e..3466646 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -1,5 +1,5 @@
-policy_module(howl,1.5.0)
+policy_module(howl,1.5.1)
########################################
#
@@ -69,7 +69,8 @@ miscfiles_read_localization(howl_t)
sysnet_read_config(howl_t)
userdom_dontaudit_use_unpriv_user_fds(howl_t)
-userdom_dontaudit_search_sysadm_home_dirs(howl_t)
+
+sysadm_dontaudit_search_home_dirs(howl_t)
optional_policy(`
nis_use_ypbind(howl_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index 08d28b8..50774e6 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
-policy_module(i18n_input,1.5.0)
+policy_module(i18n_input,1.5.1)
########################################
#
@@ -77,9 +77,10 @@ miscfiles_read_localization(i18n_input_t)
sysnet_read_config(i18n_input_t)
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
userdom_read_unpriv_users_home_content_files(i18n_input_t)
+sysadm_dontaudit_search_home_dirs(i18n_input_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(i18n_input_t)
fs_read_nfs_symlinks(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index ff3be76..c481d8b 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -1,5 +1,5 @@
-policy_module(imaze,1.4.0)
+policy_module(imaze,1.4.1)
########################################
#
@@ -88,7 +88,8 @@ miscfiles_read_localization(imazesrv_t)
sysnet_read_config(imazesrv_t)
userdom_use_unpriv_users_fds(imazesrv_t)
-userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
+
+sysadm_dontaudit_search_home_dirs(imazesrv_t)
optional_policy(`
nis_use_ypbind(imazesrv_t)
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 90663bd..9e30dba 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd,1.6.0)
+policy_module(inetd,1.6.1)
########################################
#
@@ -145,7 +145,8 @@ mls_process_set_level(inetd_t)
sysnet_read_config(inetd_t)
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
+
+sysadm_dontaudit_search_home_dirs(inetd_t)
ifdef(`enable_mls',`
corenet_tcp_recvfrom_netlabel(inetd_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index bbe2b97..6c6db78 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
-policy_module(inn,1.5.0)
+policy_module(inn,1.5.1)
########################################
#
@@ -105,7 +105,8 @@ seutil_dontaudit_search_config(innd_t)
sysnet_read_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
-userdom_dontaudit_search_sysadm_home_dirs(innd_t)
+
+sysadm_dontaudit_search_home_dirs(innd_t)
mta_send_mail(innd_t)
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index 27dab6b..2bd2d52 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -1,5 +1,5 @@
-policy_module(ircd,1.4.0)
+policy_module(ircd,1.4.1)
########################################
#
@@ -82,7 +82,8 @@ miscfiles_read_localization(ircd_t)
sysnet_read_config(ircd_t)
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
-userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
+
+sysadm_dontaudit_search_home_dirs(ircd_t)
optional_policy(`
nis_use_ypbind(ircd_t)
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index 4913ef7..ef5e961 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -1,5 +1,5 @@
-policy_module(irqbalance,1.2.0)
+policy_module(irqbalance,1.2.1)
########################################
#
@@ -50,7 +50,8 @@ logging_send_syslog_msg(irqbalance_t)
miscfiles_read_localization(irqbalance_t)
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
-userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
+
+sysadm_dontaudit_search_home_dirs(irqbalance_t)
optional_policy(`
seutil_sigchld_newrole(irqbalance_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index cd02124..a232bec 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
-policy_module(jabber,1.4.0)
+policy_module(jabber,1.4.1)
########################################
#
@@ -80,7 +80,8 @@ miscfiles_read_localization(jabberd_t)
sysnet_read_config(jabberd_t)
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
+
+sysadm_dontaudit_search_home_dirs(jabberd_t)
optional_policy(`
nis_use_ypbind(jabberd_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index efdc334..d158886 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos,1.6.0)
+policy_module(kerberos,1.6.1)
########################################
#
@@ -129,7 +129,8 @@ miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
+
+sysadm_dontaudit_search_home_dirs(kadmind_t)
optional_policy(`
nis_use_ypbind(kadmind_t)
@@ -225,7 +226,8 @@ miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
+
+sysadm_dontaudit_search_home_dirs(krb5kdc_t)
optional_policy(`
nis_use_ypbind(krb5kdc_t)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index e90f4f9..560717c 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.6.0)
+policy_module(ldap,1.6.1)
########################################
#
@@ -114,7 +114,8 @@ miscfiles_read_certs(slapd_t)
miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
-userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+
+sysadm_dontaudit_search_home_dirs(slapd_t)
optional_policy(`
kerberos_use(slapd_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 03e8d29..eb9f364 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd,1.9.0)
+policy_module(lpd,1.9.1)
########################################
#
@@ -200,7 +200,8 @@ miscfiles_read_localization(lpd_t)
sysnet_read_config(lpd_t)
userdom_dontaudit_use_unpriv_user_fds(lpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
+
+sysadm_dontaudit_search_home_dirs(lpd_t)
optional_policy(`
nis_use_ypbind(lpd_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 30c65b0..874805a 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman,1.4.0)
+policy_module(mailman,1.4.1)
########################################
#
@@ -99,12 +99,11 @@ files_dontaudit_search_pids(mailman_queue_t)
# for su
seutil_dontaudit_search_config(mailman_queue_t)
+su_exec(mailman_queue_t)
+
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
-userdom_search_sysadm_home_dirs(mailman_queue_t)
-userdom_getattr_sysadm_home_dirs(mailman_queue_t)
-
-su_exec(mailman_queue_t)
+sysadm_search_home_dirs(mailman_queue_t)
optional_policy(`
cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index a1bed0f..99fce61 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -1,5 +1,5 @@
-policy_module(monop,1.4.0)
+policy_module(monop,1.4.1)
########################################
#
@@ -74,7 +74,8 @@ miscfiles_read_localization(monopd_t)
sysnet_read_config(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
-userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
+
+sysadm_dontaudit_search_home_dirs(monopd_t)
optional_policy(`
nis_use_ypbind(monopd_t)
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index d313f4c..bd4c6cd 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.9.0)
+policy_module(mta,1.9.1)
########################################
#
@@ -49,8 +49,8 @@ dev_read_urand(system_mail_t)
init_use_script_ptys(system_mail_t)
-userdom_use_sysadm_terms(system_mail_t)
-userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+sysadm_use_terms(system_mail_t)
+sysadm_dontaudit_search_home_dirs(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 023d05d..e8bd9f2 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
-policy_module(munin,1.4.0)
+policy_module(munin,1.4.1)
########################################
#
@@ -96,7 +96,8 @@ miscfiles_read_localization(munin_t)
sysnet_read_config(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
-userdom_dontaudit_search_sysadm_home_dirs(munin_t)
+
+sysadm_dontaudit_search_home_dirs(munin_t)
optional_policy(`
# for accessing the output directory
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index c1207fe..3cc3de1 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql,1.7.0)
+policy_module(mysql,1.7.1)
########################################
#
@@ -100,8 +100,9 @@ miscfiles_read_localization(mysqld_t)
sysnet_read_config(mysqld_t)
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
# for /root/.my.cnf - should not be needed:
-userdom_read_sysadm_home_content_files(mysqld_t)
+sysadm_read_home_content_files(mysqld_t)
ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index fa8e8d9..2846858 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
-policy_module(nagios,1.5.0)
+policy_module(nagios,1.5.1)
########################################
#
@@ -103,10 +103,11 @@ logging_send_syslog_msg(nagios_t)
miscfiles_read_localization(nagios_t)
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
-userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
mta_send_mail(nagios_t)
+sysadm_dontaudit_search_home_dirs(nagios_t)
+
optional_policy(`
netutils_domtrans_ping(nagios_t)
netutils_signal_ping(nagios_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 160489d..727ddce 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
-policy_module(nessus,1.4.0)
+policy_module(nessus,1.4.1)
########################################
#
@@ -94,7 +94,8 @@ miscfiles_read_localization(nessusd_t)
sysnet_read_config(nessusd_t)
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nessusd_t)
+
+sysadm_dontaudit_search_home_dirs(nessusd_t)
optional_policy(`
nis_use_ypbind(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index fa17c58..36188cc 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.9.0)
+policy_module(networkmanager,1.9.1)
########################################
#
@@ -109,11 +109,12 @@ sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
# Read gnome-keyring
userdom_read_unpriv_users_home_content_files(NetworkManager_t)
+sysadm_dontaudit_search_home_dirs(NetworkManager_t)
+
optional_policy(`
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index ed2d601..e8a7cac 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis,1.6.0)
+policy_module(nis,1.6.1)
########################################
#
@@ -111,7 +111,8 @@ miscfiles_read_localization(ypbind_t)
sysnet_read_config(ypbind_t)
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
+
+sysadm_dontaudit_search_home_dirs(ypbind_t)
optional_policy(`
seutil_sigchld_newrole(ypbind_t)
@@ -192,7 +193,8 @@ miscfiles_read_localization(yppasswdd_t)
sysnet_read_config(yppasswdd_t)
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
-userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
+
+sysadm_dontaudit_search_home_dirs(yppasswdd_t)
optional_policy(`
hostname_exec(yppasswdd_t)
@@ -275,7 +277,8 @@ nis_domtrans_ypxfr(ypserv_t)
sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
+
+sysadm_dontaudit_search_home_dirs(ypserv_t)
optional_policy(`
seutil_sigchld_newrole(ypserv_t)
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 89baef0..c727db1 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.6.0)
+policy_module(nscd,1.6.1)
gen_require(`
class nscd all_nscd_perms;
@@ -104,7 +104,8 @@ seutil_sigchld_newrole(nscd_t)
sysnet_read_config(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
+
+sysadm_dontaudit_search_home_dirs(nscd_t)
optional_policy(`
udev_read_db(nscd_t)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index eff9ee6..675e2e1 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
-policy_module(nsd,1.4.0)
+policy_module(nsd,1.4.1)
########################################
#
@@ -96,7 +96,8 @@ miscfiles_read_localization(nsd_t)
sysnet_read_config(nsd_t)
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
+
+sysadm_dontaudit_search_home_dirs(nsd_t)
optional_policy(`
nis_use_ypbind(nsd_t)
@@ -172,7 +173,7 @@ miscfiles_read_localization(nsd_crond_t)
sysnet_read_config(nsd_crond_t)
-userdom_dontaudit_search_sysadm_home_dirs(nsd_crond_t)
+sysadm_dontaudit_search_home_dirs(nsd_crond_t)
optional_policy(`
cron_system_entry(nsd_crond_t,nsd_exec_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 47893f7..dff5d4a 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -1,5 +1,5 @@
-policy_module(ntop,1.5.0)
+policy_module(ntop,1.5.1)
########################################
#
@@ -92,7 +92,8 @@ miscfiles_read_localization(ntop_t)
sysnet_read_config(ntop_t)
userdom_dontaudit_use_unpriv_user_fds(ntop_t)
-userdom_dontaudit_search_sysadm_home_dirs(ntop_t)
+
+sysadm_dontaudit_search_home_dirs(ntop_t)
optional_policy(`
seutil_sigchld_newrole(ntop_t)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 91814a2..86ef2b0 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.5.0)
+policy_module(ntp,1.5.1)
########################################
#
@@ -106,8 +106,8 @@ logging_send_syslog_msg(ntpd_t)
miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-userdom_list_sysadm_home_dirs(ntpd_t)
-userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+
+sysadm_list_home_dirs(ntpd_t)
optional_policy(`
# for cron jobs
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index c10ccda..8ef4f1b 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
-policy_module(oav,1.5.0)
+policy_module(oav,1.5.1)
########################################
#
@@ -142,7 +142,8 @@ miscfiles_read_localization(scannerdaemon_t)
sysnet_read_config(scannerdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
+
+sysadm_dontaudit_search_home_dirs(scannerdaemon_t)
optional_policy(`
seutil_sigchld_newrole(scannerdaemon_t)
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 2650a8b..3c4717f 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -1,5 +1,5 @@
-policy_module(oddjob,1.4.0)
+policy_module(oddjob,1.4.1)
########################################
#
@@ -78,10 +78,12 @@ libs_use_shared_libs(oddjob_mkhomedir_t)
miscfiles_read_localization(oddjob_mkhomedir_t)
+staff_manage_home_dirs(oddjob_mkhomedir_t)
+
# Add/remove user home directories
-userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
+unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
+unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
+unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
+unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
+unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
+
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 7908ac8..351cfe6 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -1,5 +1,5 @@
-policy_module(openct,1.2.1)
+policy_module(openct,1.2.2)
########################################
#
@@ -51,7 +51,8 @@ logging_send_syslog_msg(openct_t)
miscfiles_read_localization(openct_t)
userdom_dontaudit_use_unpriv_user_fds(openct_t)
-userdom_dontaudit_search_sysadm_home_dirs(openct_t)
+
+sysadm_dontaudit_search_home_dirs(openct_t)
openct_exec(openct_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 3cb9992..9c163ed 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
-policy_module(pegasus,1.5.1)
+policy_module(pegasus,1.5.2)
########################################
#
@@ -122,7 +122,8 @@ sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
+
+sysadm_dontaudit_search_home_dirs(pegasus_t)
optional_policy(`
rpm_exec(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 2020b03..edc1a04 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
-policy_module(perdition,1.4.0)
+policy_module(perdition,1.4.1)
########################################
#
@@ -68,7 +68,8 @@ miscfiles_read_localization(perdition_t)
sysnet_read_config(perdition_t)
userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-userdom_dontaudit_search_sysadm_home_dirs(perdition_t)
+
+sysadm_dontaudit_search_home_dirs(perdition_t)
optional_policy(`
seutil_sigchld_newrole(perdition_t)
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 0a0e50a..4c66018 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
-policy_module(portmap,1.6.0)
+policy_module(portmap,1.6.1)
########################################
#
@@ -87,7 +87,8 @@ miscfiles_read_localization(portmap_t)
sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
+
+sysadm_dontaudit_search_home_dirs(portmap_t)
optional_policy(`
nis_use_ypbind(portmap_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index bd90404..1c5416f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql,1.5.0)
+policy_module(postgresql,1.5.1)
#################################
#
@@ -128,12 +128,13 @@ miscfiles_read_localization(postgresql_t)
seutil_dontaudit_search_config(postgresql_t)
-userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
-userdom_dontaudit_use_sysadm_ttys(postgresql_t)
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
mta_getattr_spool(postgresql_t)
+sysadm_dontaudit_search_home_dirs(postgresql_t)
+sysadm_dontaudit_use_ttys(postgresql_t)
+
tunable_policy(`allow_execmem',`
allow postgresql_t self:process execmem;
')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index b6cda43..04458ed 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
-policy_module(postgrey,1.4.0)
+policy_module(postgrey,1.4.1)
########################################
#
@@ -78,7 +78,8 @@ miscfiles_read_localization(postgrey_t)
sysnet_read_config(postgrey_t)
userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
-userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
+
+sysadm_dontaudit_search_home_dirs(postgrey_t)
optional_policy(`
nis_use_ypbind(postgrey_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 9f60fd9..a7c890a 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp,1.7.0)
+policy_module(ppp,1.7.1)
########################################
#
@@ -176,14 +176,15 @@ sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
-userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-userdom_search_sysadm_home_dirs(pppd_t)
userdom_search_unpriv_users_home_dirs(pppd_t)
ppp_exec(pppd_t)
+sysadm_dontaudit_search_home_dirs(pppd_t)
+sysadm_search_home_dirs(pppd_t)
+
optional_policy(`
ddclient_domtrans(pppd_t)
')
@@ -280,7 +281,8 @@ miscfiles_read_localization(pptp_t)
sysnet_read_config(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
+
+sysadm_dontaudit_search_home_dirs(pptp_t)
optional_policy(`
consoletype_exec(pppd_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 26d2b16..9dbbebc 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy,1.6.0)
+policy_module(privoxy,1.6.1)
########################################
#
@@ -76,9 +76,10 @@ miscfiles_read_localization(privoxy_t)
sysnet_dns_name_resolve(privoxy_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
-userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
+
+sysadm_dontaudit_search_home_dirs(privoxy_t)
# cjp: this should really not be needed
-userdom_use_sysadm_terms(privoxy_t)
+sysadm_use_terms(privoxy_t)
optional_policy(`
nis_use_ypbind(privoxy_t)
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index d334245..f104fa7 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.8.0)
+policy_module(procmail,1.8.1)
########################################
#
@@ -74,9 +74,10 @@ miscfiles_read_localization(procmail_t)
# only works until we define a different type for maildir
userdom_priveleged_home_dir_manager(procmail_t)
+
# Do not audit attempts to access /root.
-userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
-userdom_dontaudit_search_staff_home_dirs(procmail_t)
+staff_dontaudit_search_home_dirs(procmail_t)
+sysadm_dontaudit_search_home_dirs(procmail_t)
mta_manage_spool(procmail_t)
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
index ce9b865..910cad0 100644
--- a/policy/modules/services/pxe.te
+++ b/policy/modules/services/pxe.te
@@ -1,5 +1,5 @@
-policy_module(pxe,1.2.0)
+policy_module(pxe,1.2.1)
# cjp: policy seems incomplete
@@ -56,7 +56,8 @@ logging_send_syslog_msg(pxe_t)
miscfiles_read_localization(pxe_t)
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
-userdom_dontaudit_search_sysadm_home_dirs(pxe_t)
+
+sysadm_dontaudit_search_home_dirs(pxe_t)
optional_policy(`
seutil_sigchld_newrole(pxe_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 05ca327..36f71f2 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor,1.5.0)
+policy_module(pyzor,1.5.1)
########################################
#
@@ -68,7 +68,7 @@ libs_use_shared_libs(pyzor_t)
miscfiles_read_localization(pyzor_t)
-userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
+sysadm_dontaudit_search_home_dirs(pyzor_t)
optional_policy(`
amavis_manage_lib_files(pyzor_t)
@@ -127,12 +127,12 @@ locallogin_dontaudit_use_fds(pyzord_t)
miscfiles_read_localization(pyzord_t)
-# Do not audit attempts to access /root.
-userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
-userdom_dontaudit_search_staff_home_dirs(pyzord_t)
-
mta_manage_spool(pyzord_t)
+# Do not audit attempts to access /root.
+staff_dontaudit_search_home_dirs(pyzord_t)
+sysadm_dontaudit_search_home_dirs(pyzord_t)
+
optional_policy(`
logging_send_syslog_msg(pyzord_t)
')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index ed0a0e4..60e1525 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius,1.7.0)
+policy_module(radius,1.7.1)
########################################
#
@@ -110,8 +110,9 @@ miscfiles_read_certs(radiusd_t)
sysnet_read_config(radiusd_t)
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
+
+sysadm_dontaudit_search_home_dirs(radiusd_t)
+sysadm_dontaudit_getattr_home_dirs(radiusd_t)
optional_policy(`
cron_system_entry(radiusd_t,radiusd_exec_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 027da47..b08b7ad 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd,1.7.0)
+policy_module(radvd,1.7.1)
########################################
#
@@ -69,7 +69,8 @@ miscfiles_read_localization(radvd_t)
sysnet_read_config(radvd_t)
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
-userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
+
+sysadm_dontaudit_search_home_dirs(radvd_t)
optional_policy(`
nis_use_ypbind(radvd_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 433ba9e..e096a06 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
-policy_module(rhgb,1.6.0)
+policy_module(rhgb,1.6.1)
########################################
#
@@ -111,9 +111,10 @@ sysnet_read_config(rhgb_t)
sysnet_domtrans_ifconfig(rhgb_t)
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
-userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
userdom_dontaudit_search_all_users_home_content(rhgb_t)
+sysadm_dontaudit_search_home_dirs(rhgb_t)
+
xserver_read_xdm_xserver_tmp_files(rhgb_t)
xserver_kill_xdm_xserver(rhgb_t)
# for running setxkbmap
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index b9a6f89..c1add20 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
-policy_module(roundup,1.4.0)
+policy_module(roundup,1.4.1)
########################################
#
@@ -81,7 +81,8 @@ miscfiles_read_localization(roundup_t)
sysnet_read_config(roundup_t)
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
-userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
+
+sysadm_dontaudit_search_home_dirs(roundup_t)
optional_policy(`
mysql_stream_connect(roundup_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index e25ec57..a523f68 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.8.0)
+policy_module(samba,1.8.1)
#################################
#
@@ -193,7 +193,7 @@ logging_send_syslog_msg(samba_net_t)
miscfiles_read_localization(samba_net_t)
-userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
+sysadm_dontaudit_search_home_dirs(samba_net_t)
optional_policy(`
kerberos_use(samba_net_t)
@@ -316,10 +316,11 @@ logging_send_syslog_msg(smbd_t)
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
-userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
+sysadm_dontaudit_search_home_dirs(smbd_t)
+
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -375,7 +376,7 @@ tunable_policy(`samba_export_all_rw',`
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(nmbd_t, { file dir })
+ unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
')
########################################
@@ -457,10 +458,11 @@ logging_send_syslog_msg(nmbd_t)
miscfiles_read_localization(nmbd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
userdom_use_unpriv_users_fds(nmbd_t)
+sysadm_dontaudit_search_home_dirs(nmbd_t)
+
optional_policy(`
seutil_sigchld_newrole(nmbd_t)
')
@@ -718,9 +720,10 @@ logging_send_syslog_msg(winbind_t)
miscfiles_read_localization(winbind_t)
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
+sysadm_dontaudit_search_home_dirs(winbind_t)
+
optional_policy(`
kerberos_use(winbind_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 8c7abe3..528f8ae 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.8.0)
+policy_module(sasl,1.8.1)
########################################
#
@@ -89,7 +89,8 @@ seutil_dontaudit_read_config(saslauthd_t)
sysnet_read_config(saslauthd_t)
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
-userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t)
+
+sysadm_dontaudit_search_home_dirs(saslauthd_t)
# cjp: typeattribute doesnt work in conditionals
auth_can_read_shadow_passwords(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 8a66c3c..f6ae7ec 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail,1.7.0)
+policy_module(sendmail,1.7.1)
########################################
#
@@ -96,7 +96,6 @@ miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
-userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
@@ -106,6 +105,8 @@ mta_rw_aliases(sendmail_t)
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
+sysadm_dontaudit_search_home_dirs(sendmail_t)
+
optional_policy(`
clamav_search_lib(sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 96d1caa..0a801f7 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot,1.6.0)
+policy_module(setroubleshoot,1.6.1)
########################################
#
@@ -105,7 +105,7 @@ seutil_read_file_contexts(setroubleshootd_t)
sysnet_read_config(setroubleshootd_t)
-userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
+sysadm_dontaudit_read_home_content_files(setroubleshootd_t)
optional_policy(`
dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index de7deeb..d05d9ac 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -1,5 +1,5 @@
-policy_module(slrnpull,1.2.0)
+policy_module(slrnpull,1.2.1)
########################################
#
@@ -59,7 +59,8 @@ logging_send_syslog_msg(slrnpull_t)
miscfiles_read_localization(slrnpull_t)
userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
-userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t)
+
+sysadm_dontaudit_search_home_dirs(slrnpull_t)
optional_policy(`
cron_system_entry(slrnpull_t,slrnpull_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 24ed53b..30c9ec2 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
-policy_module(smartmon,1.5.0)
+policy_module(smartmon,1.5.1)
########################################
#
@@ -81,7 +81,8 @@ miscfiles_read_localization(fsdaemon_t)
sysnet_read_config(fsdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t)
+
+sysadm_dontaudit_search_home_dirs(fsdaemon_t)
optional_policy(`
mta_send_mail(fsdaemon_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 0e8d8d5..5eceb5f 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp,1.7.0)
+policy_module(snmp,1.7.1)
########################################
#
@@ -106,7 +106,8 @@ seutil_dontaudit_search_config(snmpd_t)
sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(snmpd_t)
+
+sysadm_dontaudit_search_home_dirs(snmpd_t)
ifdef(`distro_redhat', `
optional_policy(`
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index a1ec586..1bad55d 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
-policy_module(snort,1.4.0)
+policy_module(snort,1.4.1)
########################################
#
@@ -86,7 +86,8 @@ miscfiles_read_localization(snort_t)
sysnet_read_config(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)
-userdom_dontaudit_search_sysadm_home_dirs(snort_t)
+
+sysadm_dontaudit_search_home_dirs(snort_t)
optional_policy(`
seutil_sigchld_newrole(snort_t)
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index e5e4910..5015510 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.4.0)
+policy_module(soundserver,1.4.1)
########################################
#
@@ -96,7 +96,8 @@ miscfiles_read_localization(soundd_t)
sysnet_read_config(soundd_t)
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
+
+sysadm_dontaudit_search_home_dirs(soundd_t)
optional_policy(`
seutil_sigchld_newrole(soundd_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 4197b9e..bb4c27a 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.9.0)
+policy_module(spamassassin,1.9.1)
########################################
#
@@ -147,7 +147,8 @@ sysnet_dns_name_resolve(spamd_t)
userdom_use_unpriv_users_fds(spamd_t)
userdom_search_unpriv_users_home_dirs(spamd_t)
-userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
+
+sysadm_dontaudit_search_home_dirs(spamd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(spamd_t)
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
index cb81891..624358a 100644
--- a/policy/modules/services/speedtouch.te
+++ b/policy/modules/services/speedtouch.te
@@ -1,5 +1,5 @@
-policy_module(speedtouch,1.2.0)
+policy_module(speedtouch,1.2.1)
#######################################
#
@@ -54,7 +54,8 @@ logging_send_syslog_msg(speedmgmt_t)
miscfiles_read_localization(speedmgmt_t)
userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
-userdom_dontaudit_search_sysadm_home_dirs(speedmgmt_t)
+
+sysadm_dontaudit_search_home_dirs(speedmgmt_t)
optional_policy(`
seutil_sigchld_newrole(speedmgmt_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index b8ae177..af457b9 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid,1.5.0)
+policy_module(squid,1.5.1)
########################################
#
@@ -141,7 +141,8 @@ miscfiles_read_localization(squid_t)
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_use_unpriv_user_fds(squid_t)
-userdom_dontaudit_search_sysadm_home_dirs(squid_t)
+
+sysadm_dontaudit_search_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index a14c521..69f02a8 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel,1.5.0)
+policy_module(stunnel,1.5.1)
########################################
#
@@ -89,7 +89,8 @@ ifdef(`distro_gentoo', `
domain_use_interactive_fds(stunnel_t)
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
- userdom_dontaudit_search_sysadm_home_dirs(stunnel_t)
+
+ sysadm_dontaudit_search_home_dirs(stunnel_t)
optional_policy(`
daemontools_service_domain(stunnel_t, stunnel_exec_t)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 411fc8d..ff83525 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -1,5 +1,5 @@
-policy_module(sysstat,1.2.0)
+policy_module(sysstat,1.2.1)
########################################
#
@@ -60,7 +60,7 @@ locallogin_use_fds(sysstat_t)
miscfiles_read_localization(sysstat_t)
-userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
+sysadm_dontaudit_list_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t,sysstat_exec_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 99370f1..6fca7a2 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.7.0)
+policy_module(tftp,1.7.1)
########################################
#
@@ -92,8 +92,9 @@ sysnet_read_config(tftpd_t)
sysnet_use_ldap(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-userdom_dontaudit_use_sysadm_ttys(tftpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
+
+sysadm_dontaudit_use_ttys(tftpd_t)
+sysadm_dontaudit_search_home_dirs(tftpd_t)
tunable_policy(`tftp_anon_write',`
miscfiles_manage_public_files(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 55b65f4..336b4d3 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -1,5 +1,5 @@
-policy_module(timidity,1.6.0)
+policy_module(timidity,1.6.1)
# Note: You only need this policy if you want to run timidity as a server
@@ -73,10 +73,11 @@ logging_send_syslog_msg(timidity_t)
sysnet_read_config(timidity_t)
userdom_dontaudit_use_unpriv_user_fds(timidity_t)
+
# stupid timidity won't start if it can't search its current directory.
# allow this so /etc/init.d/alsasound start works from /root
# cjp: this should be fixed if possible so this rule can be removed.
-userdom_search_sysadm_home_dirs(timidity_t)
+sysadm_search_home_dirs(timidity_t)
optional_policy(`
seutil_sigchld_newrole(timidity_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index f90dc35..7eaf8fa 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -1,5 +1,5 @@
-policy_module(transproxy,1.4.0)
+policy_module(transproxy,1.4.1)
########################################
#
@@ -58,7 +58,8 @@ miscfiles_read_localization(transproxy_t)
sysnet_read_config(transproxy_t)
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
-userdom_dontaudit_search_sysadm_home_dirs(transproxy_t)
+
+sysadm_dontaudit_search_home_dirs(transproxy_t)
optional_policy(`
seutil_sigchld_newrole(transproxy_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index f6449c2..ec773f0 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -1,5 +1,5 @@
-policy_module(uptime,1.2.0)
+policy_module(uptime,1.2.1)
########################################
#
@@ -62,7 +62,8 @@ logging_send_syslog_msg(uptimed_t)
miscfiles_read_localization(uptimed_t)
userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
-userdom_dontaudit_search_sysadm_home_dirs(uptimed_t)
+
+sysadm_dontaudit_search_home_dirs(uptimed_t)
optional_policy(`
mta_send_mail(uptimed_t)
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index 6bf41f6..bfb01c7 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
-policy_module(uwimap,1.5.0)
+policy_module(uwimap,1.5.1)
########################################
#
@@ -75,11 +75,12 @@ miscfiles_read_localization(imapd_t)
sysnet_read_config(imapd_t)
userdom_dontaudit_use_unpriv_user_fds(imapd_t)
-userdom_dontaudit_search_sysadm_home_dirs(imapd_t)
# cjp: this is excessive, should be limited to the
# mail directories
userdom_priveleged_home_dir_manager(imapd_t)
+sysadm_dontaudit_search_home_dirs(imapd_t)
+
mta_rw_spool(imapd_t)
optional_policy(`
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index d93f5a6..9523876 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,5 +1,5 @@
-policy_module(watchdog,1.4.0)
+policy_module(watchdog,1.4.1)
#################################
#
@@ -90,7 +90,8 @@ miscfiles_read_localization(watchdog_t)
sysnet_read_config(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
+
+sysadm_dontaudit_search_home_dirs(watchdog_t)
optional_policy(`
mta_send_mail(watchdog_t)
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 314175b..bbd0989 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
-policy_module(xfs,1.3.0)
+policy_module(xfs,1.3.1)
########################################
#
@@ -73,7 +73,8 @@ miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
-userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
+
+sysadm_dontaudit_search_home_dirs(xfs_t)
xfs_exec(xfs_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index fd2293a..e6ee53b 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -1,5 +1,5 @@
-policy_module(xprint,1.4.0)
+policy_module(xprint,1.4.1)
########################################
#
@@ -67,7 +67,8 @@ miscfiles_read_localization(xprint_t)
sysnet_read_config(xprint_t)
userdom_dontaudit_use_unpriv_user_fds(xprint_t)
-userdom_dontaudit_search_sysadm_home_dirs(xprint_t)
+
+sysadm_dontaudit_search_home_dirs(xprint_t)
optional_policy(`
cups_read_config(xprint_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index dcafdcf..22f436f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,2.0.0)
+policy_module(xserver,2.0.1)
########################################
#
@@ -308,7 +308,6 @@ miscfiles_read_fonts(xdm_t)
sysnet_read_config(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
-userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
@@ -316,6 +315,8 @@ userdom_read_unpriv_users_home_content_files(xdm_t)
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
+sysadm_dontaudit_search_home_dirs(xdm_t)
+
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
xserver_unconfined(xdm_t)
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 098d4bd..0e28477 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.6.0)
+policy_module(zebra,1.6.1)
########################################
#
@@ -112,7 +112,8 @@ miscfiles_read_localization(zebra_t)
sysnet_read_config(zebra_t)
userdom_dontaudit_use_unpriv_user_fds(zebra_t)
-userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
+
+sysadm_dontaudit_search_home_dirs(zebra_t)
tunable_policy(`allow_zebra_write_config',`
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 8aab5da..efab930 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.10.0)
+policy_module(authlogin,1.10.1)
########################################
#
@@ -274,7 +274,8 @@ term_dontaudit_use_generic_ptys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
-userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
+
+sysadm_dontaudit_use_terms(system_chkpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index e9e4011..3789ea8 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug,1.8.0)
+policy_module(hotplug,1.8.1)
########################################
#
@@ -114,7 +114,8 @@ seutil_dontaudit_search_config(hotplug_t)
sysnet_read_config(hotplug_t)
userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
-userdom_dontaudit_search_sysadm_home_dirs(hotplug_t)
+
+sysadm_dontaudit_search_home_dirs(hotplug_t)
ifdef(`distro_redhat', `
optional_policy(`
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d95575e..bc7d821 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.10.0)
+policy_module(init,1.10.1)
gen_require(`
class passwd rootok;
@@ -179,7 +179,7 @@ tunable_policy(`init_upstart',`
',`
# Run the shell in the sysadm role for single-user mode.
# causes problems with upstart
- userdom_shell_domtrans_sysadm(init_t)
+ sysadm_shell_domtrans(init_t)
')
optional_policy(`
@@ -381,10 +381,11 @@ modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
userdom_read_all_users_home_content_files(initrc_t)
+
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
-userdom_use_sysadm_terms(initrc_t)
+sysadm_use_terms(initrc_t)
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index f551e83..7020867 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.6.0)
+policy_module(ipsec,1.6.1)
########################################
#
@@ -137,7 +137,8 @@ miscfiles_read_localization(ipsec_t)
sysnet_read_config(ipsec_t)
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
-userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
+
+sysadm_dontaudit_search_home_dirs(ipsec_t)
optional_policy(`
nis_use_ypbind(ipsec_t)
@@ -255,7 +256,7 @@ seutil_dontaudit_search_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
-userdom_use_sysadm_terms(ipsec_mgmt_t)
+sysadm_use_terms(ipsec_mgmt_t)
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 39ceb8d..8a3ca68 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin,1.6.0)
+policy_module(locallogin,1.6.1)
########################################
#
@@ -241,11 +241,13 @@ seutil_read_default_contexts(sulogin_t)
auth_read_shadow(sulogin_t)
-userdom_shell_domtrans_sysadm(sulogin_t)
userdom_use_unpriv_users_fds(sulogin_t)
-userdom_use_sysadm_ptys(sulogin_t)
-userdom_search_staff_home_dirs(sulogin_t)
-userdom_search_sysadm_home_dirs(sulogin_t)
+
+staff_search_home_dirs(sulogin_t)
+
+sysadm_shell_domtrans(sulogin_t)
+sysadm_use_ptys(sulogin_t)
+sysadm_search_home_dirs(sulogin_t)
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 1b6dfbf..b9c618d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.10.0)
+policy_module(logging,1.10.1)
########################################
#
@@ -162,7 +162,8 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire
seutil_dontaudit_read_config(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
-userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
+
+sysadm_dontaudit_search_home_dirs(auditd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -224,7 +225,7 @@ miscfiles_read_localization(klogd_t)
mls_file_read_all_levels(klogd_t)
-userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
+sysadm_dontaudit_search_home_dirs(klogd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -355,7 +356,8 @@ sysnet_read_config(syslogd_t)
miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+
+sysadm_dontaudit_search_home_dirs(syslogd_t)
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 6be1bcd..f1fbb4b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.8.1)
+policy_module(lvm,1.8.2)
########################################
#
@@ -117,7 +117,8 @@ seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
+
+sysadm_dontaudit_search_home_dirs(clvmd_t)
lvm_domtrans(clvmd_t)
lvm_read_config(clvmd_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 53a0afc..245cea6 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.6.0)
+policy_module(modutils,1.6.1)
gen_require(`
bool secure_mode_insmod;
@@ -208,8 +208,8 @@ libs_use_shared_libs(depmod_t)
# Read System.map from home directories.
files_list_home(depmod_t)
-userdom_read_staff_home_content_files(depmod_t)
-userdom_read_sysadm_home_content_files(depmod_t)
+staff_read_home_content_files(depmod_t)
+sysadm_read_home_content_files(depmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -283,7 +283,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
-userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
+sysadm_dontaudit_search_home_dirs(update_modules_t)
ifdef(`distro_gentoo',`
files_search_pids(update_modules_t)
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 2c41ad4..c9f8458 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -1,5 +1,5 @@
-policy_module(pcmcia,1.4.0)
+policy_module(pcmcia,1.4.1)
########################################
#
@@ -110,7 +110,8 @@ sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
-userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t)
+
+sysadm_dontaudit_search_home_dirs(cardmgr_t)
optional_policy(`
seutil_dontaudit_read_config(cardmgr_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 4e93909..7808c98 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -1,5 +1,5 @@
-policy_module(raid,1.5.0)
+policy_module(raid,1.5.1)
########################################
#
@@ -69,11 +69,12 @@ logging_send_syslog_msg(mdadm_t)
miscfiles_read_localization(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
-userdom_dontaudit_use_sysadm_ttys(mdadm_t)
userdom_dontaudit_search_all_users_home_content(mdadm_t)
mta_send_mail(mdadm_t)
+sysadm_dontaudit_use_ttys(mdadm_t)
+
optional_policy(`
gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 3ea965a..9597607 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.9.0)
+policy_module(selinuxutil,1.9.1)
gen_require(`
bool secure_mode;
@@ -512,8 +512,8 @@ ifdef(`enable_mls',`
# read secadm tmp files
',`
# Handle pp files created in homedir and /tmp
- userdom_read_sysadm_home_content_files(semanage_t)
- userdom_read_sysadm_tmp_files(semanage_t)
+ sysadm_read_home_content_files(semanage_t)
+ sysadm_read_tmp_files(semanage_t)
optional_policy(`
unconfined_read_home_content_files(semanage_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 8ea1a85..1d175e1 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.6.0)
+policy_module(sysnetwork,1.6.1)
########################################
#
@@ -136,7 +136,7 @@ miscfiles_read_localization(dhcpc_t)
modutils_domtrans_insmod(dhcpc_t)
-userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
+staff_dontaudit_search_home_dirs(dhcpc_t)
ifdef(`distro_redhat', `
files_exec_etc_files(dhcpc_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7b7d55a..91ef0a0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1451,8 +1451,9 @@ template(`userdom_security_admin_template',`
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
- userdom_dontaudit_append_staff_home_content_files($1)
- userdom_dontaudit_read_sysadm_home_content_files($1)
+ staff_dontaudit_append_home_content_files($1)
+
+ sysadm_dontaudit_read_home_content_files($1)
optional_policy(`
aide_run($1,$2, $3)
@@ -1479,16 +1480,6 @@ template(`userdom_security_admin_template',`
## <summary>
## Change to the generic user role.
## </summary>
-## <desc>
-## <p>
-## Change to the generic user role.
-## </p>
-## <p>
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
@@ -1498,7 +1489,8 @@ template(`userdom_security_admin_template',`
## <rolecap/>
#
template(`userdom_role_change_generic_user',`
- userdom_role_change_template($1, user)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_template() instead.')
+ unprivuser_role_change_template($1)
')
########################################
@@ -1525,23 +1517,14 @@ template(`userdom_role_change_generic_user',`
## <rolecap/>
#
template(`userdom_role_change_from_generic_user',`
- userdom_role_change_template(user, $1)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_to_template() instead.')
+ unprivuser_role_change_to_template($1)
')
########################################
## <summary>
## Change to the staff user role.
## </summary>
-## <desc>
-## <p>
-## Change to the staff user role.
-## </p>
-## <p>
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
@@ -1551,7 +1534,8 @@ template(`userdom_role_change_from_generic_user',`
## <rolecap/>
#
template(`userdom_role_change_staff',`
- userdom_role_change_template($1, staff)
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_template() instead.')
+ staff_role_change_template($1)
')
########################################
@@ -1578,23 +1562,14 @@ template(`userdom_role_change_staff',`
## <rolecap/>
#
template(`userdom_role_change_from_staff',`
- userdom_role_change_template(staff, $1)
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_to_template() instead.')
+ staff_role_change_to_template($1)
')
########################################
## <summary>
## Change to the sysadm user role.
## </summary>
-## <desc>
-## <p>
-## Change to the sysadm user role.
-## </p>
-## <p>
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
@@ -1604,7 +1579,8 @@ template(`userdom_role_change_from_staff',`
## <rolecap/>
#
template(`userdom_role_change_sysadm',`
- userdom_role_change_template($1, sysadm)
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_template() instead.')
+ sysadm_role_change_template($1)
')
########################################
@@ -1631,23 +1607,14 @@ template(`userdom_role_change_sysadm',`
## <rolecap/>
#
template(`userdom_role_change_from_sysadm',`
- userdom_role_change_template(sysadm, $1)
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_to_template() instead.')
+ sysadm_role_change_to_template($1)
')
########################################
## <summary>
## Change to the secadm user role.
## </summary>
-## <desc>
-## <p>
-## Change to the secadm user role.
-## </p>
-## <p>
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
## <param name="prefix">
## <summary>
## The prefix of the user role (e.g., user
@@ -1657,11 +1624,8 @@ template(`userdom_role_change_from_sysadm',`
## <rolecap/>
#
template(`userdom_role_change_secadm',`
- ifdef(`enable_mls',`
- userdom_role_change_template($1,secadm)
- ',`
- refpolicywarn(`$0($*) has no effect in non-MLS policy.')
- ')
+ refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_template() instead.')
+ secadm_role_change_template($1)
')
########################################
@@ -1688,27 +1652,14 @@ template(`userdom_role_change_secadm',`
## <rolecap/>
#
template(`userdom_role_change_from_secadm',`
- ifdef(`enable_mls',`
- userdom_role_change_template(secadm,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in non-MLS policy.')
- ')
+ refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_to_template() instead.')
+ secadm_role_change_to_template($1)
')
########################################
## <summary>
## Change to the auditadm user role.
## </summary>
-## <desc>
-## <p>
-## Change to the auditadm user role.
-## </p>
-## <p>
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-## </p>
-## </desc>
## <param name="prefix">
## <summary>
## The prefix of the auditadm role (e.g., user
@@ -1718,11 +1669,8 @@ template(`userdom_role_change_from_secadm',`
## <rolecap/>
#
template(`userdom_role_change_auditadm',`
- ifdef(`enable_mls',`
- userdom_role_change_template($1,auditadm)
- ',`
- refpolicywarn(`$0($*) has no effect in non-MLS policy.')
- ')
+ refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_template() instead.')
+ auditadm_role_change_template($1)
')
########################################
@@ -1749,11 +1697,8 @@ template(`userdom_role_change_auditadm',`
## <rolecap/>
#
template(`userdom_role_change_from_auditadm',`
- ifdef(`enable_mls',`
- userdom_role_change_template(auditadm,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in non-MLS policy.')
- ')
+ refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_to_template() instead.')
+ auditadm_role_change_to_template($1)
')
########################################
@@ -4053,14 +3998,8 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
## </param>
#
interface(`userdom_shell_domtrans_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
-
- corecmd_shell_domtrans($1, sysadm_t)
- allow sysadm_t $1:fd use;
- allow sysadm_t $1:fifo_file rw_file_perms;
- allow sysadm_t $1:process sigchld;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_shell_domtrans() instead.')
+ sysadm_shell_domtrans($1)
')
########################################
@@ -4074,14 +4013,8 @@ interface(`userdom_shell_domtrans_sysadm',`
## </param>
#
interface(`userdom_bin_spec_domtrans_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
-
- corecmd_bin_spec_domtrans($1,sysadm_t)
- allow sysadm_t $1:fd use;
- allow sysadm_t $1:fifo_file rw_file_perms;
- allow sysadm_t $1:process sigchld;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_bin_spec_domtrans() instead.')
+ sysadm_bin_spec_domtrans($1)
')
########################################
@@ -4095,8 +4028,8 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
## </param>
#
interface(`userdom_sbin_spec_domtrans_sysadm',`
- userdom_bin_spec_domtrans_sysadm($1)
- refpolicywarn(`$0() has been deprecated, please use userdom_bin_spec_domtrans_sysadm() instead.')
+ refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans() instead.')
+ sysadm_bin_spec_domtrans($1)
')
########################################
@@ -4112,14 +4045,8 @@ interface(`userdom_sbin_spec_domtrans_sysadm',`
## </param>
#
interface(`userdom_entry_spec_domtrans_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
-
- domain_entry_file_spec_domtrans($1,sysadm_t)
- allow sysadm_t $1:fd use;
- allow sysadm_t $1:fifo_file rw_file_perms;
- allow sysadm_t $1:process sigchld;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans() instead.')
+ sysadm_entry_spec_domtrans($1)
')
########################################
@@ -4146,14 +4073,8 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
## </param>
#
interface(`userdom_sysadm_bin_spec_domtrans_to',`
- gen_require(`
- type sysadm_t;
- ')
-
- corecmd_bin_spec_domtrans(sysadm_t,$1)
- allow $1 sysadm_t:fd use;
- allow $1 sysadm_t:fifo_file rw_file_perms;
- allow $1 sysadm_t:process sigchld;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_bin_spec_domtrans_to() instead.')
+ sysadm_bin_spec_domtrans_to($1)
')
########################################
@@ -4180,8 +4101,8 @@ interface(`userdom_sysadm_bin_spec_domtrans_to',`
## </param>
#
interface(`userdom_sysadm_sbin_spec_domtrans_to',`
- userdom_sysadm_bin_spec_domtrans_to($1)
- refpolicywarn(`$0() has been deprecated, please use userdom_sysadm_bin_spec_domtrans_to() instead.')
+ refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans_to() instead.')
+ sysadm_bin_spec_domtrans_to($1)
')
########################################
@@ -4209,14 +4130,8 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',`
## </param>
#
interface(`userdom_sysadm_entry_spec_domtrans_to',`
- gen_require(`
- type sysadm_t;
- ')
-
- domain_entry_file_spec_domtrans(sysadm_t, $1)
- allow $1 sysadm_t:fd use;
- allow $1 sysadm_t:fifo_file rw_file_perms;
- allow $1 sysadm_t:process sigchld;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans_to() instead.')
+ sysadm_entry_spec_domtrans_to($1)
')
########################################
@@ -4230,12 +4145,8 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
## </param>
#
interface(`userdom_search_staff_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 staff_home_dir_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_search_home_dirs() instead.')
+ staff_search_home_dirs($1)
')
########################################
@@ -4250,11 +4161,8 @@ interface(`userdom_search_staff_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- dontaudit $1 staff_home_dir_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_dontaudit_search_home_dirs() instead.')
+ staff_dontaudit_search_home_dirs($1)
')
########################################
@@ -4269,12 +4177,8 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
## </param>
#
interface(`userdom_manage_staff_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 staff_home_dir_t:dir manage_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_manage_home_dirs() instead.')
+ staff_manage_home_dirs($1)
')
########################################
@@ -4288,12 +4192,8 @@ interface(`userdom_manage_staff_home_dirs',`
## </param>
#
interface(`userdom_relabelto_staff_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 staff_home_dir_t:dir relabelto;
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_relabelto_home_dirs() instead.')
+ staff_relabelto_home_dirs($1)
')
########################################
@@ -4308,11 +4208,8 @@ interface(`userdom_relabelto_staff_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_append_staff_home_content_files',`
- gen_require(`
- type staff_home_t;
- ')
-
- dontaudit $1 staff_home_t:file append;
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_dontaudit_append_home_content_files() instead.')
+ staff_dontaudit_append_home_content_files($1)
')
########################################
@@ -4326,14 +4223,8 @@ interface(`userdom_dontaudit_append_staff_home_content_files',`
## </param>
#
interface(`userdom_read_staff_home_content_files',`
- gen_require(`
- type staff_home_dir_t, staff_home_t;
- ')
-
- files_search_home($1)
- allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
- read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
- read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use staff_read_home_content_files() instead.')
+ staff_read_home_content_files($1)
')
########################################
@@ -4347,11 +4238,8 @@ interface(`userdom_read_staff_home_content_files',`
## </param>
#
interface(`userdom_sigchld_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
-
- allow $1 sysadm_t:process sigchld;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_sigchld() instead.')
+ sysadm_sigchld($1)
')
########################################
@@ -4366,11 +4254,8 @@ interface(`userdom_sigchld_sysadm',`
## </param>
#
interface(`userdom_dontaudit_getattr_sysadm_ttys',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_getattr_ttys() instead.')
+ sysadm_dontaudit_getattr_ttys($1)
')
########################################
@@ -4384,13 +4269,8 @@ interface(`userdom_dontaudit_getattr_sysadm_ttys',`
## </param>
#
interface(`userdom_use_sysadm_ttys',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_ttys() instead.')
+ sysadm_use_ttys($1)
')
########################################
@@ -4404,11 +4284,8 @@ interface(`userdom_use_sysadm_ttys',`
## </param>
#
interface(`userdom_dontaudit_use_sysadm_ttys',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_ttys() instead.')
+ sysadm_dontaudit_use_ttys($1)
')
########################################
@@ -4422,13 +4299,8 @@ interface(`userdom_dontaudit_use_sysadm_ttys',`
## </param>
#
interface(`userdom_use_sysadm_ptys',`
- gen_require(`
- type sysadm_devpts_t;
- ')
-
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_ptys() instead.')
+ sysadm_use_ptys($1)
')
########################################
@@ -4442,11 +4314,8 @@ interface(`userdom_use_sysadm_ptys',`
## </param>
#
interface(`userdom_dontaudit_use_sysadm_ptys',`
- gen_require(`
- type sysadm_devpts_t;
- ')
-
- dontaudit $1 sysadm_devpts_t:chr_file { read write };
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_ptys() instead.')
+ sysadm_dontaudit_use_ptys($1)
')
########################################
@@ -4460,8 +4329,8 @@ interface(`userdom_dontaudit_use_sysadm_ptys',`
## </param>
#
interface(`userdom_use_sysadm_terms',`
- userdom_use_sysadm_ttys($1)
- userdom_use_sysadm_ptys($1)
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_terms() instead.')
+ sysadm_use_terms($1)
')
########################################
@@ -4475,11 +4344,8 @@ interface(`userdom_use_sysadm_terms',`
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
- gen_require(`
- attribute admin_terminal;
- ')
-
- dontaudit $1 admin_terminal:chr_file { read write };
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_terms() instead.')
+ sysadm_dontaudit_use_terms($1)
')
########################################
@@ -4493,11 +4359,8 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
## </param>
#
interface(`userdom_use_sysadm_fds',`
- gen_require(`
- type sysadm_t;
- ')
-
- allow $1 sysadm_t:fd use;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_fds() instead.')
+ sysadm_use_fds($1)
')
########################################
@@ -4511,11 +4374,8 @@ interface(`userdom_use_sysadm_fds',`
## </param>
#
interface(`userdom_rw_sysadm_pipes',`
- gen_require(`
- type sysadm_t;
- ')
-
- allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_rw_pipes() instead.')
+ sysadm_rw_pipes($1)
')
########################################
@@ -4530,11 +4390,8 @@ interface(`userdom_rw_sysadm_pipes',`
## </param>
#
interface(`userdom_getattr_sysadm_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- allow $1 sysadm_home_dir_t:dir getattr;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_getattr_home_dirs() instead.')
+ sysadm_getattr_home_dirs($1)
')
########################################
@@ -4550,11 +4407,8 @@ interface(`userdom_getattr_sysadm_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir getattr;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_getattr_home_dirs() instead.')
+ sysadm_dontaudit_getattr_home_dirs($1)
')
########################################
@@ -4568,11 +4422,8 @@ interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
## </param>
#
interface(`userdom_search_sysadm_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- allow $1 sysadm_home_dir_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_search_home_dirs() instead.')
+ sysadm_search_home_dirs($1)
')
########################################
@@ -4587,11 +4438,8 @@ interface(`userdom_search_sysadm_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_search_home_dirs() instead.')
+ sysadm_dontaudit_search_home_dirs($1)
')
########################################
@@ -4605,11 +4453,8 @@ interface(`userdom_dontaudit_search_sysadm_home_dirs',`
## </param>
#
interface(`userdom_list_sysadm_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- allow $1 sysadm_home_dir_t:dir list_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_list_home_dirs() instead.')
+ sysadm_list_home_dirs($1)
')
########################################
@@ -4624,11 +4469,8 @@ interface(`userdom_list_sysadm_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_list_home_dirs() instead.')
+ sysadm_dontaudit_list_home_dirs($1)
')
########################################
@@ -4643,13 +4485,8 @@ interface(`userdom_dontaudit_list_sysadm_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:file read_file_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_read_home_content_files() instead.')
+ sysadm_dontaudit_read_home_content_files($1)
')
########################################
@@ -4675,11 +4512,8 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
## </param>
#
interface(`userdom_sysadm_home_dir_filetrans',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- filetrans_pattern($1,sysadm_home_dir_t,$2,$3)
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_home_dir_filetrans() instead.')
+ sysadm_home_dir_filetrans($1,$2,$3)
')
########################################
@@ -4693,11 +4527,8 @@ interface(`userdom_sysadm_home_dir_filetrans',`
## </param>
#
interface(`userdom_search_sysadm_home_content_dirs',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_search_home_content_dirs() instead.')
+ sysadm_search_home_content_dirs($1)
')
########################################
@@ -4711,14 +4542,8 @@ interface(`userdom_search_sysadm_home_content_dirs',`
## </param>
#
interface(`userdom_read_sysadm_home_content_files',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
- read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
- read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_read_home_content_files() instead.')
+ sysadm_read_home_content_files($1)
')
########################################
@@ -4732,14 +4557,8 @@ interface(`userdom_read_sysadm_home_content_files',`
## </param>
#
interface(`userdom_read_sysadm_tmp_files',`
- gen_require(`
- type sysadm_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 sysadm_tmp_t:dir list_dir_perms;
- read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
- read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_read_tmp_files() instead.')
+ sysadm_read_tmp_files($1)
')
########################################
@@ -4993,11 +4812,8 @@ interface(`userdom_dontaudit_use_unpriv_user_fds',`
## </param>
#
interface(`userdom_home_filetrans_generic_user_home_dir',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- files_home_filetrans($1,user_home_dir_t,dir)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_filetrans_home_dir() instead.')
+ unprivuser_home_filetrans_home_dir($1)
')
########################################
@@ -5011,11 +4827,8 @@ interface(`userdom_home_filetrans_generic_user_home_dir',`
## </param>
#
interface(`userdom_search_generic_user_home_dirs',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- allow $1 user_home_dir_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_search_home_dirs() instead.')
+ unprivuser_search_home_dirs($1)
')
########################################
@@ -5036,12 +4849,8 @@ interface(`userdom_search_generic_user_home_dirs',`
## </param>
#
interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_dir_filetrans_home_content() instead.')
+ unprivuser_home_dir_filetrans_home_content($1)
')
########################################
@@ -5055,11 +4864,8 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
## </param>
#
interface(`userdom_dontaudit_search_generic_user_home_dirs',`
- gen_require(`
- type user_home_t;
- ')
-
- dontaudit $1 user_home_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_dontaudit_search_home_dirs() instead.')
+ unprivuser_dontaudit_search_home_dirs($1)
')
########################################
@@ -5074,12 +4880,8 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
## </param>
#
interface(`userdom_manage_generic_user_home_dirs',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_dir_t:dir manage_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_dirs() instead.')
+ unprivuser_manage_home_dirs($1)
')
########################################
@@ -5095,17 +4897,13 @@ interface(`userdom_manage_generic_user_home_dirs',`
## </param>
#
interface(`userdom_manage_generic_user_home_content_dirs',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_dirs() instead.')
+ unprivuser_manage_home_content_dirs($1)
')
########################################
## <summary>
-## Relabel to staff home directories.
+## Relabel to generic user home directories.
## </summary>
## <param name="domain">
## <summary>
@@ -5114,12 +4912,8 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
## </param>
#
interface(`userdom_relabelto_generic_user_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_dir_t:dir relabelto;
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_relabelto_home_dirs() instead.')
+ unprivuser_relabelto_home_dirs($1)
')
########################################
@@ -5133,13 +4927,8 @@ interface(`userdom_relabelto_generic_user_home_dirs',`
## </param>
#
interface(`userdom_read_generic_user_home_content_files',`
- gen_require(`
- type user_home_t, user_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_t:dir list_dir_perms;
- read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_read_home_content_files() instead.')
+ unprivuser_read_home_content_files($1)
')
########################################
@@ -5154,12 +4943,8 @@ interface(`userdom_read_generic_user_home_content_files',`
## </param>
#
interface(`userdom_mmap_generic_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_t:file execute;
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_mmap_home_content_files() instead.')
+ unprivuser_mmap_home_content_files($1)
')
########################################
@@ -5174,12 +4959,8 @@ interface(`userdom_mmap_generic_user_home_content_files',`
## </param>
#
interface(`userdom_manage_generic_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_files() instead.')
+ unprivuser_manage_home_content_files($1)
')
########################################
@@ -5194,11 +4975,8 @@ interface(`userdom_manage_generic_user_home_content_files',`
## </param>
#
interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
- dontaudit $1 user_home_t:file { relabelto relabelfrom };
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_dontaudit_relabel_home_content_files() instead.')
+ unprivuser_dontaudit_relabel_home_content_files($1)
')
########################################
@@ -5213,12 +4991,8 @@ interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
## </param>
#
interface(`userdom_manage_generic_user_home_content_symlinks',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_symlinks() instead.')
+ unprivuser_manage_home_content_symlinks($1)
')
########################################
@@ -5233,12 +5007,8 @@ interface(`userdom_manage_generic_user_home_content_symlinks',`
## </param>
#
interface(`userdom_manage_generic_user_home_content_pipes',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_pipes() instead.')
+ unprivuser_manage_home_content_pipes($1)
')
########################################
@@ -5253,12 +5023,8 @@ interface(`userdom_manage_generic_user_home_content_pipes',`
## </param>
#
interface(`userdom_manage_generic_user_home_content_sockets',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_sockets() instead.')
+ unprivuser_manage_home_content_sockets($1)
')
########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index ae66309..276640b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,14 +1,5 @@
-policy_module(userdomain,2.5.0)
-
-gen_require(`
- role sysadm_r, staff_r, user_r;
-
- ifdef(`enable_mls',`
- role secadm_r;
- role auditadm_r;
- ')
-')
+policy_module(userdomain, 3.0.1)
########################################
#
@@ -17,13 +8,6 @@ gen_require(`
## <desc>
## <p>
-## Allow sysadm to debug or ptrace all processes.
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
-
-## <desc>
-## <p>
## Allow users to connect to mysql
## </p>
## </desc>
@@ -100,390 +84,3 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
-
-########################################
-#
-# Local policy
-#
-
-userdom_admin_user_template(sysadm)
-userdom_unpriv_user_template(staff)
-userdom_unpriv_user_template(user)
-
-# user role change rules:
-# sysadm_r can change to user roles
-userdom_role_change_template(sysadm, user)
-userdom_role_change_template(sysadm, staff)
-
-# only staff_r can change to sysadm_r
-userdom_role_change_template(staff, sysadm)
-dontaudit staff_t admin_terminal:chr_file { read write };
-
-ifdef(`enable_mls',`
- userdom_unpriv_user_template(secadm)
- userdom_unpriv_user_template(auditadm)
-
- userdom_role_change_template(staff, auditadm)
- userdom_role_change_template(staff, secadm)
-
- userdom_role_change_template(sysadm, secadm)
- userdom_role_change_template(sysadm, auditadm)
-
- userdom_role_change_template(auditadm, secadm)
- userdom_role_change_template(auditadm, sysadm)
-
- userdom_role_change_template(secadm, auditadm)
- userdom_role_change_template(secadm, sysadm)
-')
-
-########################################
-#
-# Sysadm local policy
-#
-
-# for su
-allow sysadm_t userdomain:fd use;
-
-# Add/remove user home directories
-allow sysadm_t user_home_dir_t:dir manage_dir_perms;
-files_home_filetrans(sysadm_t, user_home_dir_t, dir)
-
-corecmd_exec_shell(sysadm_t)
-
-mls_process_read_up(sysadm_t)
-
-init_exec(sysadm_t)
-
-# Following for sending reboot and wall messages
-userdom_use_unpriv_users_ptys(sysadm_t)
-userdom_use_unpriv_users_ttys(sysadm_t)
-
-ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(sysadm_t, sysadm_r, admin_terminal)
- ')
-',`
- ifdef(`distro_gentoo',`
- optional_policy(`
- seutil_init_script_run_runinit(sysadm_t, sysadm_r, admin_terminal)
- ')
- ')
-')
-
-ifdef(`enable_mls',`
- allow auditadm_t self:capability { dac_read_search dac_override };
- seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- domain_kill_all_domains(auditadm_t)
- seutil_read_bin_policy(auditadm_t)
- corecmd_exec_shell(auditadm_t)
- logging_send_syslog_msg(auditadm_t)
- logging_read_generic_logs(auditadm_t)
- logging_manage_audit_log(auditadm_t)
- logging_manage_audit_config(auditadm_t)
- logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
- allow secadm_t self:capability { dac_read_search dac_override };
- corecmd_exec_shell(secadm_t)
- domain_obj_id_change_exemption(secadm_t)
- mls_process_read_up(secadm_t)
- mls_file_read_all_levels(secadm_t)
- mls_file_write_all_levels(secadm_t)
- mls_file_upgrade(secadm_t)
- mls_file_downgrade(secadm_t)
- auth_relabel_all_files_except_shadow(secadm_t)
- dev_relabel_all_dev_nodes(secadm_t)
- auth_relabel_shadow(secadm_t)
- init_exec(secadm_t)
- logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
- logging_read_audit_config(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
-
- optional_policy(`
- aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
-
- optional_policy(`
- netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
-',`
- logging_manage_audit_log(sysadm_t)
- logging_manage_audit_config(sysadm_t)
- logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
-')
-
-tunable_policy(`allow_ptrace',`
- domain_ptrace_all_domains(sysadm_t)
-')
-
-optional_policy(`
- amanda_run_recover(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
- #apache_run_all_scripts(sysadm_t, sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
-')
-
-optional_policy(`
- tzdata_domtrans(sysadm_t)
-')
-
-optional_policy(`
- raid_domtrans_mdadm(sysadm_t)
-')
-
-optional_policy(`
- # cjp: why is this not apm_run_client
- apm_domtrans_client(sysadm_t)
-')
-
-optional_policy(`
- apt_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- backup_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- bootloader_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- bind_run_ndc(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- certwatch_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- consoletype_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- clock_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- clockspeed_run_cli(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- cvs_exec(sysadm_t)
-')
-
-optional_policy(`
- consoletype_exec(sysadm_t)
-
- ifdef(`enable_mls',`
- consoletype_exec(auditadm_t)
- ')
-')
-
-optional_policy(`
- cron_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- dcc_run_cdcc(sysadm_t, sysadm_r, admin_terminal)
- dcc_run_client(sysadm_t, sysadm_r, admin_terminal)
- dcc_run_dbclean(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- ddcprobe_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- dmesg_exec(sysadm_t)
-
- ifdef(`enable_mls',`
- dmesg_exec(auditadm_t)
- ')
-')
-
-optional_policy(`
- dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- dpkg_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- ethereal_run_tethereal(sysadm_t, sysadm_r, admin_terminal)
- ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
-')
-
-optional_policy(`
- fstools_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- hostname_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- # allow system administrator to use the ipsec script to look
- # at things (e.g., ipsec auto --status)
- # probably should create an ipsec_admin role for this kind of thing
- ipsec_exec_mgmt(sysadm_t)
- ipsec_stream_connect(sysadm_t)
- # for lsof
- ipsec_getattr_key_sockets(sysadm_t)
-')
-
-optional_policy(`
- iptables_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- libs_run_ldconfig(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- lvm_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- logrotate_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- lpd_run_checkpc(sysadm_t, sysadm_r, admin_terminal)
- lpr_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- kudzu_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- modutils_run_depmod(sysadm_t, sysadm_r, admin_terminal)
- modutils_run_insmod(sysadm_t, sysadm_r, admin_terminal)
- modutils_run_update_mods(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- mount_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- mta_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
- mysql_stream_connect(sysadm_t)
-')
-
-optional_policy(`
- netutils_run(sysadm_t, sysadm_r, admin_terminal)
- netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
- netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- rpc_domtrans_nfsd(sysadm_t)
-')
-
-optional_policy(`
- munin_stream_connect(sysadm_t)
-')
-
-optional_policy(`
- ntp_stub()
- corenet_udp_bind_ntp_port(sysadm_t)
-')
-
-optional_policy(`
- oav_run_update(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- pcmcia_run_cardctl(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- portage_run(sysadm_t, sysadm_r, admin_terminal)
- portage_run_gcc_config(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- portmap_run_helper(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- quota_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- rpm_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- rsync_exec(sysadm_t)
-')
-
-optional_policy(`
- samba_run_net(sysadm_t, sysadm_r, admin_terminal)
- samba_run_winbind_helper(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- seutil_run_setfiles(sysadm_t, sysadm_r, admin_terminal)
- seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
-
- ifdef(`enable_mls',`
- userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
- ', `
- userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
- ')
-')
-
-optional_policy(`
- sysnet_run_ifconfig(sysadm_t, sysadm_r, admin_terminal)
- sysnet_run_dhcpc(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- tripwire_run_siggen(sysadm_t, sysadm_r, admin_terminal)
- tripwire_run_tripwire(sysadm_t, sysadm_r, admin_terminal)
- tripwire_run_twadmin(sysadm_t, sysadm_r, admin_terminal)
- tripwire_run_twprint(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- unconfined_domtrans(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- usbmodules_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- usermanage_run_admin_passwd(sysadm_t, sysadm_r, admin_terminal)
- usermanage_run_groupadd(sysadm_t, sysadm_r, admin_terminal)
- usermanage_run_useradd(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- vpn_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- webalizer_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
- yam_run(sysadm_t, sysadm_r, admin_terminal)
-')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 45e0a64..d58ca23 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.6.0)
+policy_module(xen,1.6.1)
########################################
#
@@ -207,12 +207,12 @@ sysnet_delete_dhcpc_pid(xend_t)
sysnet_read_dhcpc_pid(xend_t)
sysnet_rw_dhcp_config(xend_t)
-userdom_dontaudit_search_sysadm_home_dirs(xend_t)
-
xen_stream_connect_xenstore(xend_t)
netutils_domtrans(xend_t)
+sysadm_dontaudit_search_home_dirs(xend_t)
+
optional_policy(`
consoletype_exec(xend_t)
')