- Define user_home_type as home_type

2007-09-06 15:00:00 +00:00 · 2007-09-06 15:00:00 +00:00 · 07b8680835
parent 601f0f04ee
commit 07b8680835
2 changed files with 69 additions and 25 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -368,6 +368,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 +	hal_use_fds(alsa_t)
 +	hal_write_log(alsa_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.7/policy/modules/admin/amanda.if
+--- nsaserefpolicy/policy/modules/admin/amanda.if	2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/admin/amanda.if	2007-09-06 10:18:35.000000000 -0400
+@@ -71,6 +71,26 @@
+ 
+ ########################################
+ ## <summary>
+##	Search amanda var library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`amanda_search_var_lib',`
+	gen_require(`
+		type amanda_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 amanda_var_lib_t:dir search_dir_perms;
+
+')
+
+########################################
+## <summary>
+ ##	Do not audit attempts to read /etc/dumpdates.
+ ## </summary>
+ ## <param name="domain">
+@@ -141,3 +161,4 @@
+ 
+ 	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+ ')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.7/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/admin/anaconda.te	2007-08-28 15:53:39.000000000 -0400
@ -4634,7 +4669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.7/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cron.te	2007-08-28 15:53:39.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/cron.te	2007-09-06 10:19:10.000000000 -0400
@@ -50,6 +50,7 @@
 
 type crond_tmp_t;
@ -4724,7 +4759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ifdef(`distro_debian',`
 	optional_policy(`
 		# Debian logcheck has the home dir set to its cache
-@@ -180,6 +201,15 @@
+@@ -180,11 +201,24 @@
 	locallogin_link_keys(crond_t)
 ')
 
@ -4740,7 +4775,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
-@@ -239,7 +269,6 @@
+ 
+ optional_policy(`
+	amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
+ 	amavis_search_lib(crond_t)
+ ')
+ 
+@@ -239,7 +273,6 @@
 allow system_crond_t cron_var_lib_t:file manage_file_perms;
 files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
 
@ -4748,7 +4792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
-@@ -249,6 +278,8 @@
+@@ -249,6 +282,8 @@
 # for this purpose.
 allow system_crond_t system_cron_spool_t:file entrypoint;
 
@ -4757,7 +4801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 # Permit a transition from the crond_t domain to this domain.
 # The transition is requested explicitly by the modified crond 
 # via setexeccon.  There is no way to set up an automatic
-@@ -270,9 +301,16 @@
+@@ -270,9 +305,16 @@
 filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
 files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
 
@ -4775,7 +4819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 
 kernel_read_kernel_sysctls(system_crond_t)
 kernel_read_system_state(system_crond_t)
-@@ -326,7 +364,7 @@
+@@ -326,7 +368,7 @@
 init_read_utmp(system_crond_t)
 init_dontaudit_rw_utmp(system_crond_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
@ -4784,7 +4828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 
 libs_use_ld_so(system_crond_t)
 libs_use_shared_libs(system_crond_t)
-@@ -334,6 +372,7 @@
+@@ -334,6 +376,7 @@
 libs_exec_ld_so(system_crond_t)
 
 logging_read_generic_logs(system_crond_t)
@ -4792,7 +4836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 logging_send_syslog_msg(system_crond_t)
 
 miscfiles_read_localization(system_crond_t)
-@@ -384,6 +423,14 @@
+@@ -384,6 +427,14 @@
 ')
 
 optional_policy(`
@ -4807,7 +4851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 	mrtg_append_create_logs(system_crond_t)
 ')
 
-@@ -424,8 +471,7 @@
+@@ -424,8 +475,7 @@
 ')
 
 optional_policy(`
@ -4817,7 +4861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ')
 
 optional_policy(`
-@@ -433,9 +479,13 @@
+@@ -433,9 +483,13 @@
 ')
 
 optional_policy(`
@ -12585,7 +12629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-05 22:07:53.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-06 10:57:49.000000000 -0400
@@ -45,7 +45,7 @@
 	type $1_tty_device_t; 
 	term_user_tty($1_t,$1_tty_device_t)
@ -13255,15 +13299,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1852,21 +1935,57 @@
+@@ -1856,17 +1939,53 @@
+ ##	</summary>
 ## </param>
- ## <param name="domain">
- ##	<summary>
-##	Domain to not audit
-+##	Domain to not audit
-+##	</summary>
-+## </param>
-+#
+ #
+-template(`userdom_dontaudit_list_user_home_dirs',`
 +template(`userdom_dontaudit_list_user_home_dirs',`
 +	gen_require(`
 +		type $1_home_dir_t;
@ -13296,10 +13336,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-template(`userdom_dontaudit_list_user_home_dirs',`
+##	</summary>
+## </param>
+#
 +template(`userdom_manage_user_home_content_dirs',`
 	gen_require(`
 -		type $1_home_dir_t;
@ -13378,7 +13417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -5559,3 +5695,297 @@
+@@ -5559,3 +5695,299 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -13633,8 +13672,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +interface(`userdom_user_home_type',`
 +	gen_require(`
 +		attribute user_home_type;
+		attribute home_type;
 +	')
 +	typeattribute $1 user_home_type;
+	typeattribute $1 home_type;
 +')
 +
 +########################################
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,9 @@ exit 0
 %endif

 %changelog
+* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-4
+- Define user_home_type as home_type
+
 * Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-3
 - Allow sendmail to create etc_aliases_t