diff --git a/policy-20071130.patch b/policy-20071130.patch index 37f1595..7db428e 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3165,7 +3165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-21 12:59:29.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-21 18:10:10.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` 
@@ -3732,20 +3732,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-21 09:27:08.000000000 -0500 -@@ -0,0 +1,3 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-21 17:31:09.000000000 -0500 +@@ -0,0 +1,4 @@ + -+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-18 12:40:46.000000000 -0500 -@@ -0,0 +1,227 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-21 18:22:21.000000000 -0500 +@@ -0,0 +1,290 @@ + +## policy for nsplugin + +######################################## +## ++## Execute a domain transition to run nsplugin_config. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`nsplugin_config_domtrans',` ++ gen_require(` ++ type nsplugin_config_t; ++ type nsplugin_config_exec_t; ++ ') ++ ++ domtrans_pattern($1,nsplugin_config_exec_t,nsplugin_config_t) ++') ++ ++######################################## ++## +## Execute a domain transition to run nsplugin. +## +## 
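Review bot: nsplugin.fc now labels only `npviewer.bin` as `nsplugin_exec_t` and `plugin-config` as `nsplugin_config_exec_t`, while the corecommands.fc hunk further down keeps `npviewer` and `npconfig` as plain `bin_t`; the wrapper therefore runs in the caller's domain and the transition happens only when it execs `npviewer.bin`. That is fine if the wrapper does nothing but exec, but nothing in either file records that assumption, so a comment in nsplugin.fc such as `# npviewer/npconfig wrappers stay bin_t; confinement starts at npviewer.bin — TODO confirm the wrapper only execs` would stop a later relabel from silently widening or breaking the transition. The new `nsplugin_config_domtrans` interface itself is consistent with the `.fc` entry.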
@@ -3763,10 +3783,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + domtrans_pattern($1,nsplugin_exec_t,nsplugin_t) +') + -+ +######################################## +## -+## Search nsplugin rw directories. ++## Create, read, write, and delete ++## nsplugin rw files. +## +## +## @@ -3774,17 +3794,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +## +## +# -+interface(`nsplugin_search_rw_dir',` ++interface(`nsplugin_manage_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + -+ allow $1 nsplugin_rw_t:dir search_dir_perms; ++ allow $1 nsplugin_rw_t:file manage_file_perms; ++ allow $1 nsplugin_rw_t:dir rw_dir_perms; +') + +######################################## +## -+## Read nsplugin rw files. ++## Manage nsplugin rw files. +## +## +## 
@@ -3792,36 +3813,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +## +## +# -+interface(`nsplugin_read_rw_files',` ++interface(`nsplugin_manage_rw',` + gen_require(` + type nsplugin_rw_t; + ') + -+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ manage_dirs_pattern($1,nsplugin_rw_t,nsplugin_rw_t) ++ manage_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) ++ manage_lnk_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) +') + ++ +######################################## +## -+## Exec nsplugin rw files. ++## Execute plugin_config in the nsplugin_config domain, and ++## allow the specified role the nsplugin_config domain. +## +## +## -+## Domain allowed access. ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the nsplugin domain. ++## ++## ++## ++## ++## The type of the role's terminal. +## +## +# -+interface(`nsplugin_rw_exec',` ++interface(`nsplugin_run_config',` ++ gen_require(` ++ type nsplugin_config_t; ++ ') ++ ++ nsplugin_config_domtrans($1) ++ role $2 types nsplugin_config_t; ++ dontaudit nsplugin_config_t $3:chr_file rw_term_perms; ++') ++ ++####################################### ++## ++## The per role template for the nsplugin module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`nsplugin_per_role_template',` + gen_require(` ++ type nsplugin_t; ++ type nsplugin_config_t; + type nsplugin_rw_t; + ') ++ nsplugin_domtrans($2) ++ role $3 types nsplugin_t; + -+ can_exec($1, nsplugin_rw_t) ++ nsplugin_config_domtrans($2) ++ role $3 types nsplugin_config_t; ++ ++ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ can_exec($2, nsplugin_rw_t) ++ ++ ++ allow nsplugin_t $2:udp_socket { read write }; ++ ++ allow $2 nsplugin_t:process { signal sigkill }; ++ allow $2 nsplugin_t:unix_stream_socket connectto; +') + +######################################## +## -+## Create, read, write, and delete -+## nsplugin rw files. ++## Search nsplugin rw directories. +## +## +## @@ -3829,18 +3920,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +## +## +# -+interface(`nsplugin_manage_rw_files',` ++interface(`nsplugin_search_rw_dir',` + gen_require(` + type nsplugin_rw_t; + ') + -+ allow $1 nsplugin_rw_t:file manage_file_perms; -+ allow $1 nsplugin_rw_t:dir rw_dir_perms; ++ allow $1 nsplugin_rw_t:dir search_dir_perms; +') + +######################################## +## -+## Manage nsplugin rw files. ++## Read nsplugin rw files. +## +## +## 
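Review bot: In `nsplugin_per_role_template`, `allow nsplugin_t $2:udp_socket { read write };` lets the plugin viewer use every UDP socket it inherits from the user domain, with no comment saying which descriptor this is for; add one (e.g. `# UDP socket inherited from the browser across exec — TODO confirm which`) or narrow it, since this is the one rule in the template that lets the confined domain send on the user's sockets. The template also grants `$2` `can_exec` on `nsplugin_rw_t`, the same type that `nsplugin_config_t` gets full manage rights over in the nsplugin.te hunk below, so whatever writes `nsplugin_rw_t` supplies code the user domain maps executable; that trust relationship deserves a comment next to `can_exec($2, nsplugin_rw_t)`. Separately, the `nsplugin_run_config` parameter doc reads `## The role to be allowed the nsplugin domain.` but the interface does `role $2 types nsplugin_config_t;`, so it should say `## The role to be allowed the nsplugin_config domain.`, and its summary `Execute plugin_config` names a binary that nsplugin.fc spells `plugin-config`.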
@@ -3848,16 +3938,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +## +## +# -+interface(`nsplugin_manage_rw',` ++interface(`nsplugin_read_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + -+ manage_dirs_pattern($1,nsplugin_rw_t,nsplugin_rw_t) -+ manage_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) -+ manage_lnk_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t) ++ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + ++######################################## ++## ++## Exec nsplugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_rw_exec',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ can_exec($1, nsplugin_rw_t) ++') + +######################################## +## @@ -3890,7 +3995,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + dontaudit nsplugin_t $3:chr_file rw_term_perms; +') + -+ +######################################## +## +## All of the rules required to administrate @@ -3916,62 +4020,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +interface(`nsplugin_admin',` + gen_require(` + type nsplugin_t; ++ type nsplugin_config_t; + ') + + allow $1 nsplugin_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, nsplugin_t, nsplugin_t) -+ nsplugin_manage_rw($1) + -+') ++ allow $1 nsplugin_config_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, nsplugin_config_t, nsplugin_config_t) + -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`nsplugin_per_role_template',` -+ gen_require(` -+ type nsplugin_t; -+ type nsplugin_rw_t; -+ ') -+ nsplugin_domtrans($2) -+ role $3 types nsplugin_t; ++ nsplugin_manage_rw($1) + -+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ can_exec($2, nsplugin_rw_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-18 12:40:46.000000000 -0500 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-21 18:20:27.000000000 -0500 +@@ -0,0 +1,100 @@ +policy_module(nsplugin,1.0.0) + +######################################## @@ -3984,6 +4048,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +application_domain(nsplugin_t, nsplugin_exec_t) +role system_r types nsplugin_t; + ++type nsplugin_config_t; ++type nsplugin_config_exec_t; ++application_domain(nsplugin_config_t, nsplugin_config_exec_t) ++role system_r types nsplugin_config_t; ++ + +type nsplugin_rw_t; +files_type(nsplugin_rw_t) 
@@ -3992,33 +4061,81 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +# +# nsplugin local policy +# -+ -+## internal communication is often done using fifo and unix sockets. -+allow nsplugin_t self:capability { setuid setgid }; +allow nsplugin_t self:fifo_file rw_file_perms; -+allow nsplugin_t self:unix_stream_socket create_stream_socket_perms; ++allow nsplugin_t self:process getsched; + -+can_exec(nsplugin_t, nsplugin_rw_t) -+manage_dirs_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) ++corecmd_exec_bin(nsplugin_config_t) ++corecmd_exec_shell(nsplugin_config_t) + -+corecmd_exec_bin(nsplugin_t) -+corecmd_exec_shell(nsplugin_t) ++domain_dontaudit_read_all_domains_state(nsplugin_t) + ++dev_read_rand(nsplugin_t) ++ ++kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) + ++files_read_usr_files(nsplugin_t) +files_read_etc_files(nsplugin_t) -+files_dontaudit_search_home(nsplugin_t) ++ ++fs_list_inotifyfs(nsplugin_t) ++ ++auth_use_nsswitch(nsplugin_t) + +libs_use_ld_so(nsplugin_t) +libs_use_shared_libs(nsplugin_t) + +miscfiles_read_localization(nsplugin_t) + -+userdom_dontaudit_search_all_users_home_content(nsplugin_t) ++optional_policy(` ++ userdom_read_user_home_content_files(user, nsplugin_t) ++') ++ ++optional_policy(` ++ mozilla_read_user_home_files(user, nsplugin_t) ++ mozilla_write_user_home_files(user, nsplugin_t) ++') ++ ++optional_policy(` ++ xserver_stream_connect_xdm_xserver(nsplugin_t) ++ xserver_xdm_rw_shm(nsplugin_t) ++ xserver_read_xdm_tmp_files(nsplugin_t) ++') ++ ++######################################## ++# ++# nsplugin_config local policy ++# ++ ++## internal communication is often done using fifo and unix sockets. 
++allow nsplugin_config_t self:capability { sys_nice setuid setgid };
++allow nsplugin_config_t self:process { setsched getsched };
++
++allow nsplugin_config_t self:fifo_file rw_file_perms;
++allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
++
++can_exec(nsplugin_config_t, nsplugin_rw_t)
++manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
++corecmd_exec_bin(nsplugin_config_t)
++corecmd_exec_shell(nsplugin_config_t)
+
++kernel_read_system_state(nsplugin_config_t)
++
++files_read_etc_files(nsplugin_config_t)
++files_dontaudit_search_home(nsplugin_config_t)
++
++auth_use_nsswitch(nsplugin_config_t)
++
++libs_use_ld_so(nsplugin_config_t)
++libs_use_shared_libs(nsplugin_config_t)
++
++miscfiles_read_localization(nsplugin_config_t)
++
++userdom_dontaudit_search_all_users_home_content(nsplugin_config_t)
++
++nsplugin_domtrans(nsplugin_config_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2008-01-18 12:40:46.000000000 -0500
@@ -4502,7 +4619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-21 09:29:13.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-21 17:36:36.000000000 -0500
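Review bot: The `corecmd_exec_bin(nsplugin_config_t)` / `corecmd_exec_shell(nsplugin_config_t)` pair that replaces `corecmd_exec_bin(nsplugin_t)` / `corecmd_exec_shell(nsplugin_t)` sits in the `nsplugin local policy` section and duplicates the identical pair in the `nsplugin_config local policy` section; either it was meant to keep naming `nsplugin_t` (in which case the viewer quietly lost bin_t/shell execution, which may be intended hardening but should be stated) or it should be deleted, because as written the section header and its rules disagree. The hardcoded `user` prefix in `userdom_read_user_home_content_files(user, nsplugin_t)` and `mozilla_read/write_user_home_files(user, nsplugin_t)` binds the shared `nsplugin_t` domain to a single role's home types, so plugins started from other roles' browsers will be denied there, while `mozilla_write_user_home_files` hands the plugin viewer write access to the `user` role's mozilla profile — a comment on why write rather than read is needed would help. `nsplugin_config_t` keeps `setuid setgid` plus `sys_nice` together with full manage rights over `nsplugin_rw_t`, which it can also `can_exec`; the `## internal communication ...` comment above those lines describes the sockets, not the capabilities, so a one-line comment naming the operation that needs them (e.g. `# TODO confirm: which plugin-config step needs setuid/setgid`) would let a later reviewer decide whether they can be dropped.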
@@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -4554,13 +4671,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +291,7 @@ +@@ -284,3 +291,6 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') +/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/nspluginwrapper/npviewer.bin gen_context(system_u:object_r:bin_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.5/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500 @@ -4575,7 +4691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-22 09:05:42.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) 
@@ -4601,6 +4717,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) +@@ -148,7 +152,7 @@ + network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) + network_port(rlogind, tcp,513,s0) + network_port(rndc, tcp,953,s0) +-network_port(router, udp,520,s0) ++network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) + network_port(rsh, tcp,514,s0) + network_port(rsync, tcp,873,s0, udp,873,s0) + network_port(rwho, udp,513,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis 2008-01-18 12:40:46.000000000 -0500 @@ -5114,7 +5239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-21 17:43:20.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## 
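Review bot: `network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)` widens `router_port_t` to TCP 521 as well as UDP 521 in one step, so every domain already allowed `router_port_t` (bind, connect or send/receive) gains the TCP port too. If the addition is for RIPng, which is specified over UDP 521, `tcp,521,s0` can be dropped; if TCP 521 is genuinely needed, a trailing `# tcp 521: <consumer>` comment would keep the next reader from trimming it.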
@@ -10755,7 +10880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.2.5/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2007-09-05 15:24:44.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/hal.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/hal.if 2008-01-22 09:23:09.000000000 -0500 @@ -302,3 +302,42 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; @@ -12631,7 +12756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2008-01-22 09:23:46.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -12678,7 +12803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -129,8 +138,11 @@ +@@ -129,21 +138,25 @@ ') optional_policy(` @@ -12690,14 +12815,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -138,12 +150,9 @@ +- howl_signal(NetworkManager_t) ++ hal_write_log(NetworkManager_t) ') optional_policy(` - nis_use_ypbind(NetworkManager_t) --') -- --optional_policy(` ++ howl_signal(NetworkManager_t) + ') + + optional_policy(` - nscd_socket_use(NetworkManager_t) nscd_signal(NetworkManager_t) + nscd_script_domtrans(NetworkManager_t) 
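Review bot: `hal_write_log(NetworkManager_t)` is added in its own `optional_policy` block with no comment, and nothing in the hunk explains why NetworkManager should write into what the interface name suggests is HAL's log type; if this is for a log descriptor inherited from hald, say so (`# appends to the log fd inherited from hald — TODO confirm`) and prefer an append-only interface if one exists. The same hunk drops `nscd_socket_use(NetworkManager_t)` while adding `nscd_script_domtrans(NetworkManager_t)`; presumably the socket access now arrives via an nsswitch interface elsewhere in the file, but that is outside this hunk, so please confirm lookups through nscd still work rather than only the ability to run its init script.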
@@ -12705,7 +12832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,6 +164,7 @@ +@@ -155,6 +168,7 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) @@ -12713,7 +12840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -166,11 +176,6 @@ +@@ -166,11 +180,6 @@ ') optional_policy(` @@ -22639,9 +22766,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.5/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2008-01-18 12:40:46.000000000 -0500 -@@ -10,7 +10,11 @@ - /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2008-01-22 09:28:42.000000000 -0500 +@@ -7,10 +7,14 @@ + /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) + + /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - 
@@ -23191,7 +23322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-21 17:18:31.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -23203,7 +23334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -45,66 +46,70 @@ +@@ -45,66 +46,71 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) @@ -23306,6 +23437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) ++ files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_non_security_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) @@ -23327,7 +23459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +120,10 @@ +@@ -115,6 +121,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -23338,7 +23470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -141,33 +150,13 @@ +@@ -141,33 +151,13 @@ # template(`userdom_ro_home_template',` gen_require(` 
@@ -23377,7 +23509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -175,13 +164,13 @@ +@@ -175,13 +165,13 @@ # # read-only home directory @@ -23398,7 +23530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -231,30 +220,14 @@ +@@ -231,30 +221,14 @@ # template(`userdom_manage_home_template',` gen_require(` @@ -23435,7 +23567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +235,44 @@ +@@ -262,43 +236,44 @@ # # full control of the home directory @@ -23508,7 +23640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +290,20 @@ +@@ -316,14 +291,20 @@ ## # template(`userdom_exec_home_template',` @@ -23534,7 +23666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +321,10 @@ +@@ -341,11 +322,10 @@ ## # template(`userdom_poly_home_template',` @@ -23550,7 +23682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +348,18 @@ +@@ -369,18 +349,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -23579,7 +23711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +375,13 @@ +@@ -396,7 +376,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -23594,7 +23726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -510,10 +495,6 @@ +@@ -510,10 +496,6 @@ ## # template(`userdom_exec_generic_pgms_template',` 
@@ -23605,7 +23737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,9 +512,6 @@ +@@ -531,9 +513,6 @@ ## # template(`userdom_basic_networking_template',` @@ -23615,7 +23747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -548,10 +526,6 @@ +@@ -548,10 +527,6 @@ corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_all_client_packets($1_t) @@ -23626,7 +23758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +542,29 @@ +@@ -568,30 +543,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -23673,7 +23805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -717,6 +690,12 @@ +@@ -717,6 +691,12 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -23686,7 +23818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -728,11 +707,11 @@ +@@ -728,11 +708,11 @@ # for eject storage_getattr_fixed_disk_dev($1_t) @@ -23699,7 +23831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo init_read_utmp($1_t) -@@ -758,10 +737,6 @@ +@@ -758,10 +738,6 @@ dev_read_mouse($1_t) ') @@ -23710,7 +23842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -783,20 +758,20 @@ +@@ -783,20 +759,20 @@ ') optional_policy(` @@ -23736,7 +23868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -824,11 +799,18 @@ +@@ -824,11 +800,18 @@ mta_rw_spool($1_t) ') 
@@ -23759,7 +23891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -842,13 +824,6 @@ +@@ -842,13 +825,6 @@ ') optional_policy(` @@ -23773,7 +23905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -889,6 +864,8 @@ +@@ -889,6 +865,8 @@ ## # template(`userdom_login_user_template', ` @@ -23782,7 +23914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -917,26 +894,26 @@ +@@ -917,26 +895,26 @@ allow $1_t self:context contains; @@ -23823,7 +23955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_dontaudit_write_login_records($1_t) -@@ -944,43 +921,43 @@ +@@ -944,43 +922,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -23885,7 +24017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1014,9 +991,6 @@ +@@ -1014,9 +992,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -23895,7 +24027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1025,16 +999,32 @@ +@@ -1025,16 +1000,32 @@ # # privileged home directory writers @@ -23934,7 +24066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1062,6 +1052,13 @@ +@@ -1062,6 +1053,13 @@ userdom_restricted_user_template($1) @@ -23948,7 +24080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1070,14 +1067,14 @@ +@@ -1070,14 +1068,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) 
@@ -23968,7 +24100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,33 +1082,14 @@ +@@ -1085,33 +1083,14 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -24008,7 +24140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1121,10 +1099,10 @@ +@@ -1121,10 +1100,10 @@ ##
## ##

@@ -24023,7 +24155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,22 +1165,17 @@ +@@ -1187,22 +1166,17 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -24048,7 +24180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1278,8 +1251,6 @@ +@@ -1278,8 +1252,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -24057,7 +24189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1416,6 +1387,7 @@ +@@ -1416,6 +1388,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -24065,7 +24197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1753,14 @@ +@@ -1781,10 +1754,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -24081,7 +24213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1856,11 @@ +@@ -1880,11 +1857,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -24095,7 +24227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1890,11 @@ +@@ -1914,11 +1891,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` 
@@ -24109,7 +24241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1938,12 @@ +@@ -1962,12 +1939,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -24125,7 +24257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1973,10 @@ +@@ -1997,10 +1974,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -24138,7 +24270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2008,47 @@ +@@ -2032,11 +2009,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -24188,7 +24320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2080,10 @@ +@@ -2068,10 +2081,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -24201,7 +24333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2113,11 @@ +@@ -2101,11 +2114,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -24215,7 +24347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2147,11 @@ +@@ -2135,11 +2148,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -24230,7 +24362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2181,10 @@ +@@ -2169,10 +2182,10 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` 
@@ -24243,7 +24375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2202,11 +2214,11 @@
+@@ -2202,11 +2215,11 @@
 #
 template(`userdom_read_user_home_content_symlinks',`
 gen_require(`
@@ -24257,7 +24389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2236,11 +2248,11 @@
+@@ -2236,11 +2249,11 @@
 #
 template(`userdom_exec_user_home_content_files',`
 gen_require(`
@@ -24271,7 +24403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2270,10 +2282,10 @@
+@@ -2270,10 +2283,10 @@
 #
 template(`userdom_dontaudit_exec_user_home_content_files',`
 gen_require(`
@@ -24284,7 +24416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2305,12 +2317,12 @@
+@@ -2305,12 +2318,12 @@
 #
 template(`userdom_manage_user_home_content_files',`
 gen_require(`
@@ -24300,7 +24432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2342,10 +2354,10 @@
+@@ -2342,10 +2355,10 @@
 #
 template(`userdom_dontaudit_manage_user_home_content_dirs',`
 gen_require(`
@@ -24313,7 +24445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2377,12 +2389,12 @@
+@@ -2377,12 +2390,12 @@
 #
 template(`userdom_manage_user_home_content_symlinks',`
 gen_require(`
@@ -24329,7 +24461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2414,12 +2426,12 @@
+@@ -2414,12 +2427,12 @@
 #
 template(`userdom_manage_user_home_content_pipes',`
 gen_require(`
@@ -24345,7 +24477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2451,12 +2463,12 @@
+@@ -2451,12 +2464,12 @@
 #
 template(`userdom_manage_user_home_content_sockets',`
 gen_require(`
@@ -24361,7 +24493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2501,11 +2513,11 @@
+@@ -2501,11 +2514,11 @@
 #
 template(`userdom_user_home_dir_filetrans',`
 gen_require(`
@@ -24375,7 +24507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2550,11 +2562,11 @@
+@@ -2550,11 +2563,11 @@
 #
 template(`userdom_user_home_content_filetrans',`
 gen_require(`
@@ -24389,7 +24521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2594,11 +2606,11 @@
+@@ -2594,11 +2607,11 @@
 #
 template(`userdom_user_home_dir_filetrans_user_home_content',`
 gen_require(`
@@ -24403,7 +24535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2628,11 +2640,11 @@
+@@ -2628,11 +2641,11 @@
 #
 template(`userdom_write_user_tmp_sockets',`
 gen_require(`
@@ -24417,7 +24549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2662,11 +2674,11 @@
+@@ -2662,11 +2675,11 @@
 #
 template(`userdom_list_user_tmp',`
 gen_require(`
@@ -24431,7 +24563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2698,10 +2710,10 @@
+@@ -2698,10 +2711,10 @@
 #
 template(`userdom_dontaudit_list_user_tmp',`
 gen_require(`
@@ -24444,7 +24576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2733,10 +2745,10 @@
+@@ -2733,10 +2746,10 @@
 #
 template(`userdom_dontaudit_manage_user_tmp_dirs',`
 gen_require(`
@@ -24457,7 +24589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2766,12 +2778,12 @@
+@@ -2766,12 +2779,12 @@
 #
 template(`userdom_read_user_tmp_files',`
 gen_require(`
@@ -24473,7 +24605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2803,10 +2815,10 @@
+@@ -2803,10 +2816,10 @@
 #
 template(`userdom_dontaudit_read_user_tmp_files',`
 gen_require(`
@@ -24486,7 +24618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2838,10 +2850,48 @@
+@@ -2838,10 +2851,48 @@
 #
 template(`userdom_dontaudit_append_user_tmp_files',`
 gen_require(`
@@ -24537,7 +24669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2871,12 +2921,12 @@
+@@ -2871,12 +2922,12 @@
 #
 template(`userdom_rw_user_tmp_files',`
 gen_require(`
@@ -24553,7 +24685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2908,10 +2958,10 @@
+@@ -2908,10 +2959,10 @@
 #
 template(`userdom_dontaudit_manage_user_tmp_files',`
 gen_require(`
@@ -24566,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2943,12 +2993,12 @@
+@@ -2943,12 +2994,12 @@
 #
 template(`userdom_read_user_tmp_symlinks',`
 gen_require(`
@@ -24582,7 +24714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2980,11 +3030,11 @@
+@@ -2980,11 +3031,11 @@
 #
 template(`userdom_manage_user_tmp_dirs',`
 gen_require(`
@@ -24596,7 +24728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3016,11 +3066,11 @@
+@@ -3016,11 +3067,11 @@
 #
 template(`userdom_manage_user_tmp_files',`
 gen_require(`
@@ -24610,7 +24742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3052,11 +3102,11 @@
+@@ -3052,11 +3103,11 @@
 #
 template(`userdom_manage_user_tmp_symlinks',`
 gen_require(`
@@ -24624,7 +24756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3088,11 +3138,11 @@
+@@ -3088,11 +3139,11 @@
 #
 template(`userdom_manage_user_tmp_pipes',`
 gen_require(`
@@ -24638,7 +24770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3124,11 +3174,11 @@
+@@ -3124,11 +3175,11 @@
 #
 template(`userdom_manage_user_tmp_sockets',`
 gen_require(`
@@ -24652,7 +24784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3173,10 +3223,10 @@
+@@ -3173,10 +3224,10 @@
 #
 template(`userdom_user_tmp_filetrans',`
 gen_require(`
@@ -24665,7 +24797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 files_search_tmp($2)
 ')
-@@ -3217,10 +3267,10 @@
+@@ -3217,10 +3268,10 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 gen_require(`
@@ -24678,7 +24810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3248,6 +3298,42 @@
+@@ -3248,6 +3299,42 @@
 ##

 ##
 #
@@ -24721,7 +24853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 template(`userdom_rw_user_tmpfs_files',`
 gen_require(`
 type $1_tmpfs_t;
-@@ -4225,11 +4311,11 @@
+@@ -4225,11 +4312,11 @@
 #
 interface(`userdom_search_staff_home_dirs',`
 gen_require(`
@@ -24735,7 +24867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4245,10 +4331,10 @@
+@@ -4245,10 +4332,10 @@
 #
 interface(`userdom_dontaudit_search_staff_home_dirs',`
 gen_require(`
@@ -24748,7 +24880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4264,11 +4350,11 @@
+@@ -4264,11 +4351,11 @@
 #
 interface(`userdom_manage_staff_home_dirs',`
 gen_require(`
@@ -24762,7 +24894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4283,16 +4369,16 @@
+@@ -4283,16 +4370,16 @@
 #
 interface(`userdom_relabelto_staff_home_dirs',`
 gen_require(`
@@ -24782,7 +24914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## users home directory.
 ##
 ##
-@@ -4301,12 +4387,27 @@
+@@ -4301,12 +4388,27 @@
 ##
 ##
 #
@@ -24813,7 +24945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4321,13 +4422,13 @@
+@@ -4321,13 +4423,13 @@
 #
 interface(`userdom_read_staff_home_content_files',`
 gen_require(`
@@ -24831,7 +24963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4525,10 +4626,10 @@
+@@ -4525,10 +4627,10 @@
 #
 interface(`userdom_getattr_sysadm_home_dirs',`
 gen_require(`
@@ -24844,7 +24976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4545,10 +4646,10 @@
+@@ -4545,10 +4647,10 @@
 #
 interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
 gen_require(`
@@ -24857,7 +24989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4563,10 +4664,10 @@
+@@ -4563,10 +4665,10 @@
 #
 interface(`userdom_search_sysadm_home_dirs',`
 gen_require(`
@@ -24870,7 +25002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4582,10 +4683,10 @@
+@@ -4582,10 +4684,10 @@
 #
 interface(`userdom_dontaudit_search_sysadm_home_dirs',`
 gen_require(`
@@ -24883,7 +25015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4600,10 +4701,10 @@
+@@ -4600,10 +4702,10 @@
 #
 interface(`userdom_list_sysadm_home_dirs',`
 gen_require(`
@@ -24896,7 +25028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4619,10 +4720,10 @@
+@@ -4619,10 +4721,10 @@
 #
 interface(`userdom_dontaudit_list_sysadm_home_dirs',`
 gen_require(`
@@ -24909,7 +25041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4638,12 +4739,11 @@
+@@ -4638,12 +4740,11 @@
 #
 interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 gen_require(`
@@ -24925,7 +25057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4670,10 +4770,10 @@
+@@ -4670,10 +4771,10 @@
 #
 interface(`userdom_sysadm_home_dir_filetrans',`
 gen_require(`
@@ -24938,7 +25070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4688,10 +4788,10 @@
+@@ -4688,10 +4789,10 @@
 #
 interface(`userdom_search_sysadm_home_content_dirs',`
 gen_require(`
@@ -24951,7 +25083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4706,13 +4806,13 @@
+@@ -4706,13 +4807,13 @@
 #
 interface(`userdom_read_sysadm_home_content_files',`
 gen_require(`
@@ -24969,7 +25101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4748,11 +4848,49 @@
+@@ -4748,11 +4849,49 @@
 #
 interface(`userdom_search_all_users_home_dirs',`
 gen_require(`
@@ -25020,7 +25152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4772,6 +4910,14 @@
+@@ -4772,6 +4911,14 @@
 files_list_home($1)
 allow $1 home_dir_type:dir list_dir_perms;
@@ -25035,7 +25167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5109,7 +5255,7 @@
+@@ -5109,7 +5256,7 @@
 #
 interface(`userdom_relabelto_generic_user_home_dirs',`
 gen_require(`
@@ -25044,7 +25176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 files_search_home($1)
-@@ -5298,6 +5444,49 @@
+@@ -5298,6 +5445,49 @@
 ########################################
 ##
@@ -25094,7 +25226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Create, read, write, and delete directories in
 ## unprivileged users home directories.
 ##
-@@ -5503,6 +5692,42 @@
+@@ -5503,6 +5693,42 @@
 ########################################
 ##
@@ -25137,7 +25269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Read and write unprivileged user ttys.
 ##
 ##
-@@ -5668,6 +5893,42 @@
+@@ -5668,6 +5894,42 @@
 ########################################
 ##
@@ -25180,7 +25312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Send a dbus message to all user domains.
 ##
 ##
-@@ -5698,3 +5959,277 @@
+@@ -5698,3 +5960,277 @@
 interface(`userdom_unconfined',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 01defaf..f1445ad 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@ exit 0
 %endif
 %changelog
+* Mon Jan 21 2008 Dan Walsh 3.2.5-16
+- Allow nsplugin sys_nice, getsched, setsched
+
 * Mon Jan 21 2008 Dan Walsh 3.2.5-15
 - Allow login programs to talk dbus to oddjob