- Define user_home_type as home_type

policy-20070703.patch

@@ -368,6 +368,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 +	hal_use_fds(alsa_t)
 +	hal_write_log(alsa_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.7/policy/modules/admin/amanda.if
+--- nsaserefpolicy/policy/modules/admin/amanda.if	2007-05-29 14:10:59.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/admin/amanda.if	2007-09-06 10:18:35.000000000 -0400
+@@ -71,6 +71,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Search amanda var library directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`amanda_search_var_lib',`
++	gen_require(`
++		type amanda_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 amanda_var_lib_t:dir search_dir_perms;
++
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read /etc/dumpdates.
+ ## </summary>
+ ## <param name="domain">
+@@ -141,3 +161,4 @@
+ 
+ 	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+ ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.7/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/admin/anaconda.te	2007-08-28 15:53:39.000000000 -0400
@@ -4634,7 +4669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.7/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cron.te	2007-08-28 15:53:39.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/cron.te	2007-09-06 10:19:10.000000000 -0400
 @@ -50,6 +50,7 @@
  
  type crond_tmp_t;
@@ -4724,7 +4759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ifdef(`distro_debian',`
  	optional_policy(`
  		# Debian logcheck has the home dir set to its cache
-@@ -180,6 +201,15 @@
+@@ -180,11 +201,24 @@
  	locallogin_link_keys(crond_t)
  ')
  
@@ -4740,7 +4775,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  tunable_policy(`fcron_crond', `
  	allow crond_t system_cron_spool_t:file manage_file_perms;
  ')
-@@ -239,7 +269,6 @@
+ 
+ optional_policy(`
++	amanda_search_var_lib(crond_t)
++')
++
++optional_policy(`
+ 	amavis_search_lib(crond_t)
+ ')
+ 
+@@ -239,7 +273,6 @@
  allow system_crond_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
  
@@ -4748,7 +4792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -249,6 +278,8 @@
+@@ -249,6 +282,8 @@
  # for this purpose.
  allow system_crond_t system_cron_spool_t:file entrypoint;
  
@@ -4757,7 +4801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  # Permit a transition from the crond_t domain to this domain.
  # The transition is requested explicitly by the modified crond 
  # via setexeccon.  There is no way to set up an automatic
-@@ -270,9 +301,16 @@
+@@ -270,9 +305,16 @@
  filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
  files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
  
@@ -4775,7 +4819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  kernel_read_kernel_sysctls(system_crond_t)
  kernel_read_system_state(system_crond_t)
-@@ -326,7 +364,7 @@
+@@ -326,7 +368,7 @@
  init_read_utmp(system_crond_t)
  init_dontaudit_rw_utmp(system_crond_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -4784,7 +4828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  libs_use_ld_so(system_crond_t)
  libs_use_shared_libs(system_crond_t)
-@@ -334,6 +372,7 @@
+@@ -334,6 +376,7 @@
  libs_exec_ld_so(system_crond_t)
  
  logging_read_generic_logs(system_crond_t)
@@ -4792,7 +4836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  logging_send_syslog_msg(system_crond_t)
  
  miscfiles_read_localization(system_crond_t)
-@@ -384,6 +423,14 @@
+@@ -384,6 +427,14 @@
  ')
  
  optional_policy(`
@@ -4807,7 +4851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	mrtg_append_create_logs(system_crond_t)
  ')
  
-@@ -424,8 +471,7 @@
+@@ -424,8 +475,7 @@
  ')
  
  optional_policy(`
@@ -4817,7 +4861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -433,9 +479,13 @@
+@@ -433,9 +483,13 @@
  ')
  
  optional_policy(`
@@ -12585,7 +12629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-05 22:07:53.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/userdomain.if	2007-09-06 10:57:49.000000000 -0400
 @@ -45,7 +45,7 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
@@ -13255,15 +13299,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1852,21 +1935,57 @@
+@@ -1856,17 +1939,53 @@
+ ##	</summary>
  ## </param>
- ## <param name="domain">
+ #
- ##	<summary>
+-template(`userdom_dontaudit_list_user_home_dirs',`
--##	Domain to not audit
-+##	Domain to not audit
-+##	</summary>
-+## </param>
-+#
 +template(`userdom_dontaudit_list_user_home_dirs',`
 +	gen_require(`
 +		type $1_home_dir_t;
@@ -13296,10 +13336,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
- ##	</summary>
++##	</summary>
- ## </param>
++## </param>
- #
++#
--template(`userdom_dontaudit_list_user_home_dirs',`
 +template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
 -		type $1_home_dir_t;
@@ -13378,7 +13417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5559,3 +5695,297 @@
+@@ -5559,3 +5695,299 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -13633,8 +13672,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +interface(`userdom_user_home_type',`
 +	gen_require(`
 +		attribute user_home_type;
++		attribute home_type;
 +	')
 +	typeattribute $1 user_home_type;
++	typeattribute $1 home_type;
 +')
 +
 +########################################

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-4
+- Define user_home_type as home_type
+
 * Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-3
 - Allow sendmail to create etc_aliases_t