- Allow pam_selinux_permit to kill all processes

2008-01-23 18:24:12 +00:00 · 2008-01-23 18:24:12 +00:00 · 0939872058
parent cc5bb89ef0
commit 0939872058
2 changed files with 149 additions and 135 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -3742,8 +3742,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-22 13:24:31.000000000 -0500
-@@ -0,0 +1,330 @@
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-23 11:19:15.000000000 -0500
+@@ -0,0 +1,332 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -3895,18 +3895,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +		type nsplugin_config_t;
 +		type nsplugin_rw_t;
 +	')
-+	nsplugin_domtrans($1)
+	nsplugin_domtrans($2)
 +
-+	nsplugin_config_domtrans($1)
+	nsplugin_config_domtrans($2)
 +
-+	read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+	read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+	can_exec($1, nsplugin_rw_t)
+	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	can_exec($2, nsplugin_rw_t)
 +
-+	allow nsplugin_t $1:udp_socket { read write };
+	allow nsplugin_t $2:udp_socket { read write };
+	allow nsplugin_t $2:tcp_socket { read write };
 +
-+	allow $1 nsplugin_t:process { getattr ptrace signal_perms };
-+	allow $1 nsplugin_t:unix_stream_socket connectto;
+	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+	allow $2 nsplugin_t:unix_stream_socket connectto;
+	userdom_use_user_terminals($1, $2)
 +')
 +
 +#######################################
@ -3947,7 +3949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +		type nsplugin_config_t;
 +		type nsplugin_rw_t;
 +	')
-+	nsplugin_use($2)
+	nsplugin_use($1, $2)
 +	role $3 types nsplugin_t;
 +	role $3 types nsplugin_config_t;
 +')
@ -4076,8 +4078,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-21 18:20:27.000000000 -0500
-@@ -0,0 +1,100 @@
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-23 11:16:36.000000000 -0500
+@@ -0,0 +1,105 @@
 +policy_module(nsplugin,1.0.0)
 +
 +########################################
@ -4120,6 +4122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +files_read_etc_files(nsplugin_t)
 +
 +fs_list_inotifyfs(nsplugin_t)
+fs_rw_tmpfs_files(nsplugin_t)
 +
 +auth_use_nsswitch(nsplugin_t)
 +
@ -4151,6 +4154,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +## internal communication is often done using fifo and unix sockets.
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
 +allow nsplugin_config_t self:process { setsched getsched };
+allow nsplugin_t self:sem rw_sem_perms;
+allow nsplugin_t self:shm rw_shm_perms;
 +
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
@ -4174,10 +4179,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +libs_use_shared_libs(nsplugin_config_t)
 +
 +miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
 +
 +userdom_dontaudit_search_all_users_home_content(nsplugin_config_t)
 +
 +nsplugin_domtrans(nsplugin_config_t)
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/apps/screen.fc	2008-01-18 12:40:46.000000000 -0500
@ -20403,7 +20410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-21 14:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-23 09:15:22.000000000 -0500
@@ -99,7 +99,7 @@
 template(`authlogin_per_role_template',`
 
@ -20421,10 +20428,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 
 	domain_type($1)
-@@ -177,12 +178,23 @@
+@@ -177,12 +178,27 @@
 	domain_obj_id_change_exemption($1)
 	role system_r types $1;
 
+	# Needed for pam_selinux_permit to cleanup properly
+	domain_read_all_domains_state($1)
+	domain_kill_all_domains($1)
+
 +	# pam_keyring
 +	allow $1 self:capability ipc_lock;
 +	allow $1 self:process setkeycreate;
@ -20445,7 +20456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	# for SSP/ProPolice
 	dev_read_urand($1)
 	# for fingerprint readers
-@@ -221,11 +233,35 @@
+@@ -221,11 +237,35 @@
 
 	logging_send_audit_msgs($1)
 	logging_send_syslog_msg($1)
@ -20482,7 +20493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
-@@ -342,6 +378,8 @@
+@@ -342,6 +382,8 @@
 
 	optional_policy(`
 		kerberos_use($1)
@ -20491,7 +20502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 
 	optional_policy(`
-@@ -356,6 +394,7 @@
+@@ -356,6 +398,7 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -20499,7 +20510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 
 ########################################
-@@ -369,12 +408,12 @@
+@@ -369,12 +412,12 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -20514,7 +20525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	</summary>
 ## </param>
 #
-@@ -386,6 +425,7 @@
+@@ -386,6 +429,7 @@
 	auth_domtrans_chk_passwd($1)
 	role $2 types system_chkpwd_t;
 	allow system_chkpwd_t $3:chr_file rw_file_perms;
@ -20522,7 +20533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 
 ########################################
-@@ -1457,6 +1497,7 @@
+@@ -1457,6 +1501,7 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 		samba_read_var_files($1)
@ -20530,7 +20541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
 
-@@ -1491,3 +1532,23 @@
+@@ -1491,3 +1536,23 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -23097,8 +23108,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-22 13:25:12.000000000 -0500
-@@ -6,35 +6,58 @@
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-23 13:13:29.000000000 -0500
+@@ -6,35 +6,59 @@
 # Declarations
 #
 
@ -23116,7 +23127,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -userdom_manage_home_template(unconfined)
 -userdom_manage_tmp_template(unconfined)
 -userdom_manage_tmpfs_template(unconfined)
-+userdom_unpriv_user_template(unconfined)
+userdom_restricted_user_template(unconfined)
+userdom_common_user_template(unconfined)
 +userdom_xwindows_client_template(unconfined)
 
 type unconfined_exec_t;
@ -23161,7 +23173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
-@@ -42,7 +65,10 @@
+@@ -42,7 +66,10 @@
 logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
 mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@ -23172,12 +23184,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
-@@ -50,14 +76,28 @@
- 
+@@ -51,13 +78,25 @@
 userdom_priveleged_home_dir_manager(unconfined_t)
 
-+
-+optional_policy(`
+ optional_policy(`
+-	ada_domtrans(unconfined_t)
 +	gen_require(`
 +		type nsplugin_t;
 +		type nsplugin_config_t;
@ -23185,13 +23196,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	role unconfined_r types nsplugin_t;
 +	role unconfined_r types nsplugin_config_t;
 +	tunable_policy(`allow_unconfined_nsplugin_transition', `
-+	
-+		nsplugin_use(unconfined_t)
+		nsplugin_use(unconfined, unconfined_t)
 +	')
 +')
 +
- optional_policy(`
-	ada_domtrans(unconfined_t)
+optional_policy(`
 +	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 
@ -23203,7 +23212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	unconfined_domain(httpd_unconfined_script_t)
 ')
 
-@@ -69,11 +109,11 @@
+@@ -69,11 +108,11 @@
 	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 
@ -23220,7 +23229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 optional_policy(`
 	init_dbus_chat_script(unconfined_t)
-@@ -107,6 +147,10 @@
+@@ -107,6 +146,10 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
@ -23231,7 +23240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -118,11 +162,7 @@
+@@ -118,11 +161,7 @@
 ')
 
 optional_policy(`
@ -23244,7 +23253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -134,14 +174,6 @@
+@@ -134,14 +173,6 @@
 ')
 
 optional_policy(`
@ -23259,7 +23268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	oddjob_domtrans_mkhomedir(unconfined_t)
 ')
 
-@@ -154,38 +186,27 @@
+@@ -154,38 +185,27 @@
 ')
 
 optional_policy(`
@ -23304,7 +23313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -205,11 +226,30 @@
+@@ -205,11 +225,30 @@
 ')
 
 optional_policy(`
@ -23337,7 +23346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -219,14 +259,34 @@
+@@ -219,14 +258,34 @@
 
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -23392,7 +23401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-22 14:46:10.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-23 13:14:20.000000000 -0500
@@ -29,9 +29,14 @@
 	')
 
@ -24102,7 +24111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	typeattribute $1_tty_device_t user_ttynode;
 
 	##############################
-@@ -1025,16 +1004,32 @@
+@@ -1025,16 +1004,29 @@
 	#
 
 	# privileged home directory writers
@ -24135,13 +24144,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 	')
 +
-+	optional_policy(`
-+		nsplugin_per_role_template($1, $1_usertype, $1_r)
-+	')
 ')
 
 #######################################
-@@ -1062,6 +1057,13 @@
+@@ -1062,6 +1054,13 @@
 
 	userdom_restricted_user_template($1)
 
@ -24155,7 +24161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	userdom_xwindows_client_template($1)
 
 	##############################
-@@ -1070,14 +1072,14 @@
+@@ -1070,14 +1069,14 @@
 	#
 
 	authlogin_per_role_template($1, $1_t, $1_r)
@ -24175,7 +24181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	logging_dontaudit_send_audit_msgs($1_t)
 
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,33 +1087,14 @@
+@@ -1085,32 +1084,17 @@
 	selinux_get_enforce_mode($1_t)
 
 	optional_policy(`
@ -24197,25 +24203,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -
 -	optional_policy(`
 -		java_per_role_template($1, $1_t, $1_r)
-	')
-
-	optional_policy(`
-		mono_per_role_template($1, $1_t, $1_r)
 +		alsa_read_rw_config($1_usertype)
 	')
 
 -	optional_policy(`
-		setroubleshoot_dontaudit_stream_connect($1_t)
+-		mono_per_role_template($1, $1_t, $1_r)
 -	')
 +	# Broken Cover up bugzilla #345921 Should be removed when this is fixed
 +	corenet_tcp_connect_soundd_port($1_t)
 +	corenet_tcp_sendrecv_soundd_port($1_t)
 +	corenet_tcp_sendrecv_all_if($1_t)
 +	corenet_tcp_sendrecv_lo_node($1_t)
+ 
+ 	optional_policy(`
+-		setroubleshoot_dontaudit_stream_connect($1_t)
+		nsplugin_per_role_template($1, $1_usertype, $1_r)
+ 	')
 ')
 
- #######################################
-@@ -1121,10 +1104,10 @@
+@@ -1121,10 +1105,10 @@
 ## </summary>
 ## <desc>
 ##	<p>
@ -24230,7 +24236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	This template creates a user domain, types, and
 ##	rules for the user's tty, pty, home directories,
 ##	tmp, and tmpfs files.
-@@ -1187,22 +1170,17 @@
+@@ -1187,12 +1171,11 @@
 	# and may change other protocols
 	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_all_nodes($1_t)
@ -24245,17 +24251,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	# Run pppd in pppd_t by default for user
- 	optional_policy(`
- 		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+@@ -1201,7 +1184,7 @@
 	')
-
-	optional_policy(`
+ 
+ 	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
-	')
+		nsplugin_per_role_template($1, $1_usertype, $1_r)
+ 	')
 ')
 
- #######################################
-@@ -1278,8 +1256,6 @@
+@@ -1278,8 +1261,6 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
 
@ -24264,7 +24269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
-@@ -1416,6 +1392,7 @@
+@@ -1416,6 +1397,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -24272,7 +24277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1781,10 +1758,14 @@
+@@ -1781,10 +1763,14 @@
 template(`userdom_user_home_content',`
 	gen_require(`
 		attribute $1_file_type;
@ -24288,7 +24293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -1880,11 +1861,11 @@
+@@ -1880,11 +1866,11 @@
 #
 template(`userdom_search_user_home_dirs',`
 	gen_require(`
@ -24302,7 +24307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -1914,11 +1895,11 @@
+@@ -1914,11 +1900,11 @@
 #
 template(`userdom_list_user_home_dirs',`
 	gen_require(`
@ -24316,7 +24321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -1962,12 +1943,12 @@
+@@ -1962,12 +1948,12 @@
 #
 template(`userdom_user_home_domtrans',`
 	gen_require(`
@ -24332,7 +24337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -1997,10 +1978,10 @@
+@@ -1997,10 +1983,10 @@
 #
 template(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
@ -24345,7 +24350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2032,11 +2013,47 @@
+@@ -2032,11 +2018,47 @@
 #
 template(`userdom_manage_user_home_content_dirs',`
 	gen_require(`
@ -24395,7 +24400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2068,10 +2085,10 @@
+@@ -2068,10 +2090,10 @@
 #
 template(`userdom_dontaudit_setattr_user_home_content_files',`
 	gen_require(`
@ -24408,7 +24413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2101,11 +2118,11 @@
+@@ -2101,11 +2123,11 @@
 #
 template(`userdom_read_user_home_content_files',`
 	gen_require(`
@ -24422,7 +24427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2135,11 +2152,11 @@
+@@ -2135,11 +2157,11 @@
 #
 template(`userdom_dontaudit_read_user_home_content_files',`
 	gen_require(`
@ -24437,7 +24442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2169,10 +2186,10 @@
+@@ -2169,10 +2191,10 @@
 #
 template(`userdom_dontaudit_write_user_home_content_files',`
 	gen_require(`
@ -24450,7 +24455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2202,11 +2219,11 @@
+@@ -2202,11 +2224,11 @@
 #
 template(`userdom_read_user_home_content_symlinks',`
 	gen_require(`
@ -24464,7 +24469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2236,11 +2253,11 @@
+@@ -2236,11 +2258,11 @@
 #
 template(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -24478,7 +24483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2270,10 +2287,10 @@
+@@ -2270,10 +2292,10 @@
 #
 template(`userdom_dontaudit_exec_user_home_content_files',`
 	gen_require(`
@ -24491,7 +24496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2305,12 +2322,12 @@
+@@ -2305,12 +2327,12 @@
 #
 template(`userdom_manage_user_home_content_files',`
 	gen_require(`
@ -24507,7 +24512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2342,10 +2359,10 @@
+@@ -2342,10 +2364,10 @@
 #
 template(`userdom_dontaudit_manage_user_home_content_dirs',`
 	gen_require(`
@ -24520,7 +24525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2377,12 +2394,12 @@
+@@ -2377,12 +2399,12 @@
 #
 template(`userdom_manage_user_home_content_symlinks',`
 	gen_require(`
@ -24536,7 +24541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2414,12 +2431,12 @@
+@@ -2414,12 +2436,12 @@
 #
 template(`userdom_manage_user_home_content_pipes',`
 	gen_require(`
@ -24552,7 +24557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2451,12 +2468,12 @@
+@@ -2451,12 +2473,12 @@
 #
 template(`userdom_manage_user_home_content_sockets',`
 	gen_require(`
@ -24568,7 +24573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2501,11 +2518,11 @@
+@@ -2501,11 +2523,11 @@
 #
 template(`userdom_user_home_dir_filetrans',`
 	gen_require(`
@ -24582,7 +24587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2550,11 +2567,11 @@
+@@ -2550,11 +2572,11 @@
 #
 template(`userdom_user_home_content_filetrans',`
 	gen_require(`
@ -24596,7 +24601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2594,11 +2611,11 @@
+@@ -2594,11 +2616,11 @@
 #
 template(`userdom_user_home_dir_filetrans_user_home_content',`
 	gen_require(`
@ -24610,7 +24615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2628,11 +2645,11 @@
+@@ -2628,11 +2650,11 @@
 #
 template(`userdom_write_user_tmp_sockets',`
 	gen_require(`
@ -24624,7 +24629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2662,11 +2679,11 @@
+@@ -2662,11 +2684,11 @@
 #
 template(`userdom_list_user_tmp',`
 	gen_require(`
@ -24638,7 +24643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2698,10 +2715,10 @@
+@@ -2698,10 +2720,10 @@
 #
 template(`userdom_dontaudit_list_user_tmp',`
 	gen_require(`
@ -24651,7 +24656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2733,10 +2750,10 @@
+@@ -2733,10 +2755,10 @@
 #
 template(`userdom_dontaudit_manage_user_tmp_dirs',`
 	gen_require(`
@ -24664,7 +24669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2766,12 +2783,12 @@
+@@ -2766,12 +2788,12 @@
 #
 template(`userdom_read_user_tmp_files',`
 	gen_require(`
@ -24680,7 +24685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2803,10 +2820,10 @@
+@@ -2803,10 +2825,10 @@
 #
 template(`userdom_dontaudit_read_user_tmp_files',`
 	gen_require(`
@ -24693,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2838,10 +2855,48 @@
+@@ -2838,10 +2860,48 @@
 #
 template(`userdom_dontaudit_append_user_tmp_files',`
 	gen_require(`
@ -24744,7 +24749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2871,12 +2926,12 @@
+@@ -2871,12 +2931,12 @@
 #
 template(`userdom_rw_user_tmp_files',`
 	gen_require(`
@ -24760,7 +24765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2908,10 +2963,10 @@
+@@ -2908,10 +2968,10 @@
 #
 template(`userdom_dontaudit_manage_user_tmp_files',`
 	gen_require(`
@ -24773,7 +24778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2943,12 +2998,12 @@
+@@ -2943,12 +3003,12 @@
 #
 template(`userdom_read_user_tmp_symlinks',`
 	gen_require(`
@ -24789,7 +24794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -2980,11 +3035,11 @@
+@@ -2980,11 +3040,11 @@
 #
 template(`userdom_manage_user_tmp_dirs',`
 	gen_require(`
@ -24803,7 +24808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -3016,11 +3071,11 @@
+@@ -3016,11 +3076,11 @@
 #
 template(`userdom_manage_user_tmp_files',`
 	gen_require(`
@ -24817,7 +24822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -3052,11 +3107,11 @@
+@@ -3052,11 +3112,11 @@
 #
 template(`userdom_manage_user_tmp_symlinks',`
 	gen_require(`
@ -24831,7 +24836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -3088,11 +3143,11 @@
+@@ -3088,11 +3148,11 @@
 #
 template(`userdom_manage_user_tmp_pipes',`
 	gen_require(`
@ -24845,7 +24850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -3124,11 +3179,11 @@
+@@ -3124,11 +3184,11 @@
 #
 template(`userdom_manage_user_tmp_sockets',`
 	gen_require(`
@ -24859,7 +24864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -3173,10 +3228,10 @@
+@@ -3173,10 +3233,10 @@
 #
 template(`userdom_user_tmp_filetrans',`
 	gen_require(`
@ -24872,7 +24877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_search_tmp($2)
 ')
 
-@@ -3217,10 +3272,10 @@
+@@ -3217,10 +3277,10 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -24885,7 +24890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -3248,6 +3303,42 @@
+@@ -3248,6 +3308,42 @@
 ##	</summary>
 ## </param>
 #
@ -24928,7 +24933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 template(`userdom_rw_user_tmpfs_files',`
 	gen_require(`
 		type $1_tmpfs_t;
-@@ -4225,11 +4316,11 @@
+@@ -4225,11 +4321,11 @@
 #
 interface(`userdom_search_staff_home_dirs',`
 	gen_require(`
@ -24942,7 +24947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4245,10 +4336,10 @@
+@@ -4245,10 +4341,10 @@
 #
 interface(`userdom_dontaudit_search_staff_home_dirs',`
 	gen_require(`
@ -24955,7 +24960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4264,11 +4355,11 @@
+@@ -4264,11 +4360,11 @@
 #
 interface(`userdom_manage_staff_home_dirs',`
 	gen_require(`
@ -24969,7 +24974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4283,16 +4374,16 @@
+@@ -4283,16 +4379,16 @@
 #
 interface(`userdom_relabelto_staff_home_dirs',`
 	gen_require(`
@ -24989,7 +24994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	users home directory.
 ## </summary>
 ## <param name="domain">
-@@ -4301,12 +4392,27 @@
+@@ -4301,17 +4397,32 @@
 ##	</summary>
 ## </param>
 #
@ -25002,10 +25007,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 -	dontaudit $1 staff_home_t:file append;
 +	dontaudit $1 user_home_t:file append_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in the staff users home directory.
 +##	Do not audit attempts to append to the staff
 +##	users home directory.
 +## </summary>
@ -25017,10 +25023,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +#
 +interface(`userdom_dontaudit_append_staff_home_content_files',`
 +	userdom_dontaudit_append_unpriv_home_content_files($1)
- ')
- 
- ########################################
-@@ -4321,13 +4427,13 @@
+')
+
+########################################
+## <summary>
+##	Read files in the staff users home directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4321,13 +4432,13 @@
 #
 interface(`userdom_read_staff_home_content_files',`
 	gen_require(`
@ -25038,7 +25049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4525,10 +4631,10 @@
+@@ -4525,10 +4636,10 @@
 #
 interface(`userdom_getattr_sysadm_home_dirs',`
 	gen_require(`
@ -25051,7 +25062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4545,10 +4651,10 @@
+@@ -4545,10 +4656,10 @@
 #
 interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
 	gen_require(`
@ -25064,7 +25075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4563,10 +4669,10 @@
+@@ -4563,10 +4674,10 @@
 #
 interface(`userdom_search_sysadm_home_dirs',`
 	gen_require(`
@ -25077,7 +25088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4582,10 +4688,10 @@
+@@ -4582,10 +4693,10 @@
 #
 interface(`userdom_dontaudit_search_sysadm_home_dirs',`
 	gen_require(`
@ -25090,7 +25101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4600,10 +4706,10 @@
+@@ -4600,10 +4711,10 @@
 #
 interface(`userdom_list_sysadm_home_dirs',`
 	gen_require(`
@ -25103,7 +25114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4619,10 +4725,10 @@
+@@ -4619,10 +4730,10 @@
 #
 interface(`userdom_dontaudit_list_sysadm_home_dirs',`
 	gen_require(`
@ -25116,7 +25127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4638,12 +4744,11 @@
+@@ -4638,12 +4749,11 @@
 #
 interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 	gen_require(`
@ -25132,7 +25143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4670,10 +4775,10 @@
+@@ -4670,10 +4780,10 @@
 #
 interface(`userdom_sysadm_home_dir_filetrans',`
 	gen_require(`
@ -25145,7 +25156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4688,10 +4793,10 @@
+@@ -4688,10 +4798,10 @@
 #
 interface(`userdom_search_sysadm_home_content_dirs',`
 	gen_require(`
@ -25158,7 +25169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4706,13 +4811,13 @@
+@@ -4706,13 +4816,13 @@
 #
 interface(`userdom_read_sysadm_home_content_files',`
 	gen_require(`
@ -25176,7 +25187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4748,11 +4853,49 @@
+@@ -4748,11 +4858,49 @@
 #
 interface(`userdom_search_all_users_home_dirs',`
 	gen_require(`
@ -25227,7 +25238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4772,6 +4915,14 @@
+@@ -4772,6 +4920,14 @@
 
 	files_list_home($1)
 	allow $1 home_dir_type:dir list_dir_perms;
@ -25242,7 +25253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -5109,7 +5260,7 @@
+@@ -5109,7 +5265,7 @@
 #
 interface(`userdom_relabelto_generic_user_home_dirs',`
 	gen_require(`
@ -25251,7 +25262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	files_search_home($1)
-@@ -5298,6 +5449,49 @@
+@@ -5298,6 +5454,49 @@
 
 ########################################
 ## <summary>
@ -25301,7 +25312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Create, read, write, and delete directories in
 ##	unprivileged users home directories.
 ## </summary>
-@@ -5503,6 +5697,42 @@
+@@ -5503,6 +5702,42 @@
 
 ########################################
 ## <summary>
@ -25344,7 +25355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Read and write unprivileged user ttys.
 ## </summary>
 ## <param name="domain">
-@@ -5668,6 +5898,42 @@
+@@ -5668,6 +5903,42 @@
 
 ########################################
 ## <summary>
@ -25387,7 +25398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -5698,3 +5964,277 @@
+@@ -5698,3 +5969,277 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
 %endif

 %changelog
+* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-18
+- Allow pam_selinux_permit to kill all processes
+
 * Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-17
 - Allow ptrace or user processes by users of same type
 - Add boolean for transition to nsplugin