- Allow pam_selinux_permit to kill all processes
parent
cc5bb89ef0
commit
0939872058
@ -3742,8 +3742,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-22 13:24:31.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-23 11:19:15.000000000 -0500
|
||||||
@@ -0,0 +1,330 @@
|
@@ -0,0 +1,332 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for nsplugin</summary>
|
+## <summary>policy for nsplugin</summary>
|
||||||
+
|
+
|
||||||
@ -3895,18 +3895,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+ type nsplugin_config_t;
|
+ type nsplugin_config_t;
|
||||||
+ type nsplugin_rw_t;
|
+ type nsplugin_rw_t;
|
||||||
+ ')
|
+ ')
|
||||||
+ nsplugin_domtrans($1)
|
+ nsplugin_domtrans($2)
|
||||||
+
|
+
|
||||||
+ nsplugin_config_domtrans($1)
|
+ nsplugin_config_domtrans($2)
|
||||||
+
|
+
|
||||||
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+ can_exec($1, nsplugin_rw_t)
|
+ can_exec($2, nsplugin_rw_t)
|
||||||
+
|
+
|
||||||
+ allow nsplugin_t $1:udp_socket { read write };
|
+ allow nsplugin_t $2:udp_socket { read write };
|
||||||
|
+ allow nsplugin_t $2:tcp_socket { read write };
|
||||||
+
|
+
|
||||||
+ allow $1 nsplugin_t:process { getattr ptrace signal_perms };
|
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
|
||||||
+ allow $1 nsplugin_t:unix_stream_socket connectto;
|
+ allow $2 nsplugin_t:unix_stream_socket connectto;
|
||||||
|
+ userdom_use_user_terminals($1, $2)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
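Review bot: `userdom_use_user_terminals($1, $2)` grants the calling user domain `$2` access to its own `$1`-prefixed tty/pty types, which a userdom-generated domain presumably already has; if the intent is to let the plugin write to the user's terminal, the second argument should be the plugin domain, i.e. `userdom_use_user_terminals($1, nsplugin_t)`. The template also gained a leading prefix parameter (every former `$1` is now `$2`), but the `## <param>` documentation block above the hunk is not shown changing — it needs an entry for the new first parameter and the existing entry renumbered, or the generated interface docs will describe the wrong arguments. Note too that `allow $2 nsplugin_t:process { getattr ptrace signal_perms }` now attaches to whatever callers pass as `$2`; the userdomain.if hunks pass the `$1_usertype` attribute, so the ptrace grant widens from a single domain to every domain carrying that attribute and deserves a comment if that is intended. The template's opening and its documentation are outside this hunk.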
@ -3947,7 +3949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+ type nsplugin_config_t;
|
+ type nsplugin_config_t;
|
||||||
+ type nsplugin_rw_t;
|
+ type nsplugin_rw_t;
|
||||||
+ ')
|
+ ')
|
||||||
+ nsplugin_use($2)
|
+ nsplugin_use($1, $2)
|
||||||
+ role $3 types nsplugin_t;
|
+ role $3 types nsplugin_t;
|
||||||
+ role $3 types nsplugin_config_t;
|
+ role $3 types nsplugin_config_t;
|
||||||
+')
|
+')
|
||||||
@ -4076,8 +4078,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-21 18:20:27.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-23 11:16:36.000000000 -0500
|
||||||
@@ -0,0 +1,100 @@
|
@@ -0,0 +1,105 @@
|
||||||
+policy_module(nsplugin,1.0.0)
|
+policy_module(nsplugin,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -4120,6 +4122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+files_read_etc_files(nsplugin_t)
|
+files_read_etc_files(nsplugin_t)
|
||||||
+
|
+
|
||||||
+fs_list_inotifyfs(nsplugin_t)
|
+fs_list_inotifyfs(nsplugin_t)
|
||||||
|
+fs_rw_tmpfs_files(nsplugin_t)
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(nsplugin_t)
|
+auth_use_nsswitch(nsplugin_t)
|
||||||
+
|
+
|
||||||
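Review bot: `fs_rw_tmpfs_files(nsplugin_t)` grants the plugin domain read/write on every generically labelled tmpfs file (tmpfs_t), not only files the plugin or its user created; where /dev/shm content is not relabelled per user, a confined plugin could then read or alter shared-memory files of any other process that also falls back to the generic label. If the need is the plugin's own shared memory, a dedicated tmpfs type declared with refpolicy's `files_tmpfs_file()` plus an `fs_tmpfs_filetrans(nsplugin_t, <type>, file)` transition keeps the grant scoped, or the user's tmpfs type could be used via the userdom_ interfaces. If the broad rule is deliberate, a comment above the line saying which plugin requires it (e.g. `# generic tmpfs rw: needed by <plugin> for shm on /dev/shm`) would stop the next reader from tightening it blindly.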
@ -4151,6 +4154,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+## internal communication is often done using fifo and unix sockets.
|
+## internal communication is often done using fifo and unix sockets.
|
||||||
+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
|
+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
|
||||||
+allow nsplugin_config_t self:process { setsched getsched };
|
+allow nsplugin_config_t self:process { setsched getsched };
|
||||||
|
+allow nsplugin_t self:sem rw_sem_perms;
|
||||||
|
+allow nsplugin_t self:shm rw_shm_perms;
|
||||||
+
|
+
|
||||||
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
||||||
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
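Review bot: The two added lines `allow nsplugin_t self:sem rw_sem_perms;` and `allow nsplugin_t self:shm rw_shm_perms;` sit between `allow nsplugin_config_t self:process { setsched getsched };` and `allow nsplugin_config_t self:fifo_file rw_file_perms;`, i.e. inside the nsplugin_config_t local-policy section, yet they grant to nsplugin_t. They belong in the nsplugin_t section that the earlier hunk (`files_read_etc_files(nsplugin_t)`, `fs_list_inotifyfs(nsplugin_t)`) is part of, otherwise anyone auditing the config domain's rules will misread what it may do. Moving them changes no behaviour. The section boundaries themselves are outside this hunk.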
@ -4174,10 +4179,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||||||
+libs_use_shared_libs(nsplugin_config_t)
|
+libs_use_shared_libs(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+miscfiles_read_localization(nsplugin_config_t)
|
+miscfiles_read_localization(nsplugin_config_t)
|
||||||
|
+miscfiles_read_fonts(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+userdom_dontaudit_search_all_users_home_content(nsplugin_config_t)
|
+userdom_dontaudit_search_all_users_home_content(nsplugin_config_t)
|
||||||
+
|
+
|
||||||
+nsplugin_domtrans(nsplugin_config_t)
|
+nsplugin_domtrans(nsplugin_config_t)
|
||||||
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
|
||||||
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
|
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2008-01-18 12:40:46.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2008-01-18 12:40:46.000000000 -0500
|
||||||
@ -20403,7 +20410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
|
||||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-21 14:40:46.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-23 09:15:22.000000000 -0500
|
||||||
@@ -99,7 +99,7 @@
|
@@ -99,7 +99,7 @@
|
||||||
template(`authlogin_per_role_template',`
|
template(`authlogin_per_role_template',`
|
||||||
|
|
||||||
@ -20421,10 +20428,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
domain_type($1)
|
domain_type($1)
|
||||||
@@ -177,12 +178,23 @@
|
@@ -177,12 +178,27 @@
|
||||||
domain_obj_id_change_exemption($1)
|
domain_obj_id_change_exemption($1)
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
|
+ # Needed for pam_selinux_permit to cleanup properly
|
||||||
|
+ domain_read_all_domains_state($1)
|
||||||
|
+ domain_kill_all_domains($1)
|
||||||
|
+
|
||||||
+ # pam_keyring
|
+ # pam_keyring
|
||||||
+ allow $1 self:capability ipc_lock;
|
+ allow $1 self:capability ipc_lock;
|
||||||
+ allow $1 self:process setkeycreate;
|
+ allow $1 self:process setkeycreate;
|
||||||
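Review bot: The new `domain_kill_all_domains($1)` and `domain_read_all_domains_state($1)` are granted to every caller of this interface, which from the surrounding `domain_obj_id_change_exemption($1)` and `role system_r types $1;` context appears to be the login-program interface — its header is outside the hunk. That gives every login program domain the right to signal every process on the system and read every domain's /proc state, whether or not it actually stacks pam_selinux_permit. Consider putting the two calls in a separate interface that only the domains loading the module invoke, or at least gating them with a tunable and recording the reason in the interface's `## <desc>`. The comment should also say what "cleanup" means, e.g. `# pam_selinux_permit signals every process left by the logging-out user (see commit title), so the login domain must see and kill all domains`.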
@ -20445,7 +20456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
# for SSP/ProPolice
|
# for SSP/ProPolice
|
||||||
dev_read_urand($1)
|
dev_read_urand($1)
|
||||||
# for fingerprint readers
|
# for fingerprint readers
|
||||||
@@ -221,11 +233,35 @@
|
@@ -221,11 +237,35 @@
|
||||||
|
|
||||||
logging_send_audit_msgs($1)
|
logging_send_audit_msgs($1)
|
||||||
logging_send_syslog_msg($1)
|
logging_send_syslog_msg($1)
|
||||||
@ -20482,7 +20493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
tunable_policy(`allow_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
files_polyinstantiate_all($1)
|
files_polyinstantiate_all($1)
|
||||||
')
|
')
|
||||||
@@ -342,6 +378,8 @@
|
@@ -342,6 +382,8 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
@ -20491,7 +20502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -356,6 +394,7 @@
|
@@ -356,6 +398,7 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_stream_connect_winbind($1)
|
samba_stream_connect_winbind($1)
|
||||||
')
|
')
|
||||||
@ -20499,7 +20510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -369,12 +408,12 @@
|
@@ -369,12 +412,12 @@
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -20514,7 +20525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@@ -386,6 +425,7 @@
|
@@ -386,6 +429,7 @@
|
||||||
auth_domtrans_chk_passwd($1)
|
auth_domtrans_chk_passwd($1)
|
||||||
role $2 types system_chkpwd_t;
|
role $2 types system_chkpwd_t;
|
||||||
allow system_chkpwd_t $3:chr_file rw_file_perms;
|
allow system_chkpwd_t $3:chr_file rw_file_perms;
|
||||||
@ -20522,7 +20533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1457,6 +1497,7 @@
|
@@ -1457,6 +1501,7 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_stream_connect_winbind($1)
|
samba_stream_connect_winbind($1)
|
||||||
samba_read_var_files($1)
|
samba_read_var_files($1)
|
||||||
@ -20530,7 +20541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1491,3 +1532,23 @@
|
@@ -1491,3 +1536,23 @@
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
@ -23097,8 +23108,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
|
||||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-22 13:25:12.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-23 13:13:29.000000000 -0500
|
||||||
@@ -6,35 +6,58 @@
|
@@ -6,35 +6,59 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -23116,7 +23127,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
-userdom_manage_home_template(unconfined)
|
-userdom_manage_home_template(unconfined)
|
||||||
-userdom_manage_tmp_template(unconfined)
|
-userdom_manage_tmp_template(unconfined)
|
||||||
-userdom_manage_tmpfs_template(unconfined)
|
-userdom_manage_tmpfs_template(unconfined)
|
||||||
+userdom_unpriv_user_template(unconfined)
|
+userdom_restricted_user_template(unconfined)
|
||||||
|
+userdom_common_user_template(unconfined)
|
||||||
+userdom_xwindows_client_template(unconfined)
|
+userdom_xwindows_client_template(unconfined)
|
||||||
|
|
||||||
type unconfined_exec_t;
|
type unconfined_exec_t;
|
||||||
@ -23161,7 +23173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
|
|
||||||
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
|
|
||||||
@@ -42,7 +65,10 @@
|
@@ -42,7 +66,10 @@
|
||||||
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
|
|
||||||
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
@ -23172,12 +23184,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
|
|
||||||
@@ -50,14 +76,28 @@
|
@@ -51,13 +78,25 @@
|
||||||
|
|
||||||
userdom_priveleged_home_dir_manager(unconfined_t)
|
userdom_priveleged_home_dir_manager(unconfined_t)
|
||||||
|
|
||||||
+
|
optional_policy(`
|
||||||
+optional_policy(`
|
- ada_domtrans(unconfined_t)
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
+ type nsplugin_t;
|
+ type nsplugin_t;
|
||||||
+ type nsplugin_config_t;
|
+ type nsplugin_config_t;
|
||||||
@ -23185,13 +23196,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
+ role unconfined_r types nsplugin_t;
|
+ role unconfined_r types nsplugin_t;
|
||||||
+ role unconfined_r types nsplugin_config_t;
|
+ role unconfined_r types nsplugin_config_t;
|
||||||
+ tunable_policy(`allow_unconfined_nsplugin_transition', `
|
+ tunable_policy(`allow_unconfined_nsplugin_transition', `
|
||||||
+
|
+ nsplugin_use(unconfined, unconfined_t)
|
||||||
+ nsplugin_use(unconfined_t)
|
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
optional_policy(`
|
+optional_policy(`
|
||||||
- ada_domtrans(unconfined_t)
|
|
||||||
+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
')
|
')
|
||||||
|
|
||||||
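Review bot: The `allow_unconfined_nsplugin_transition` tunable_policy block now only wraps `nsplugin_use(unconfined, unconfined_t)`, but the same commit makes `userdom_common_user_template()` call `nsplugin_per_role_template($1, $1_usertype, $1_r)` unconditionally (userdomain.if hunk), and unconfined.te now invokes `userdom_common_user_template(unconfined)`. If unconfined_t carries the `unconfined_usertype` attribute — its declaration is not in view — the transition to nsplugin_t is already granted regardless of the boolean, so the tunable gates nothing and its description becomes misleading. Either drop the unconfined-specific block, or make the call inside userdom_common_user_template conditional as well; whichever is chosen, a comment above the tunable_policy stating what the boolean still controls would help. The `gen_tunable` declaration for this boolean is also not visible in the declarations hunk shown.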
@ -23203,7 +23212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
unconfined_domain(httpd_unconfined_script_t)
|
unconfined_domain(httpd_unconfined_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -69,11 +109,11 @@
|
@@ -69,11 +108,11 @@
|
||||||
bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -23220,7 +23229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
init_dbus_chat_script(unconfined_t)
|
init_dbus_chat_script(unconfined_t)
|
||||||
@@ -107,6 +147,10 @@
|
@@ -107,6 +146,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
oddjob_dbus_chat(unconfined_t)
|
oddjob_dbus_chat(unconfined_t)
|
||||||
')
|
')
|
||||||
@ -23231,7 +23240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -118,11 +162,7 @@
|
@@ -118,11 +161,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23244,7 +23253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -134,14 +174,6 @@
|
@@ -134,14 +173,6 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23259,7 +23268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
oddjob_domtrans_mkhomedir(unconfined_t)
|
oddjob_domtrans_mkhomedir(unconfined_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -154,38 +186,27 @@
|
@@ -154,38 +185,27 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23304,7 +23313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -205,11 +226,30 @@
|
@@ -205,11 +225,30 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -23337,7 +23346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -219,14 +259,34 @@
|
@@ -219,14 +258,34 @@
|
||||||
|
|
||||||
allow unconfined_execmem_t self:process { execstack execmem };
|
allow unconfined_execmem_t self:process { execstack execmem };
|
||||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||||
@ -23392,7 +23401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-22 14:46:10.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-23 13:14:20.000000000 -0500
|
||||||
@@ -29,9 +29,14 @@
|
@@ -29,9 +29,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -24102,7 +24111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
typeattribute $1_tty_device_t user_ttynode;
|
typeattribute $1_tty_device_t user_ttynode;
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -1025,16 +1004,32 @@
|
@@ -1025,16 +1004,29 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# privileged home directory writers
|
# privileged home directory writers
|
||||||
@ -24135,13 +24144,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
|
||||||
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
|
|
||||||
+ ')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -1062,6 +1057,13 @@
|
@@ -1062,6 +1054,13 @@
|
||||||
|
|
||||||
userdom_restricted_user_template($1)
|
userdom_restricted_user_template($1)
|
||||||
|
|
||||||
@ -24155,7 +24161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
userdom_xwindows_client_template($1)
|
userdom_xwindows_client_template($1)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -1070,14 +1072,14 @@
|
@@ -1070,14 +1069,14 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
authlogin_per_role_template($1, $1_t, $1_r)
|
authlogin_per_role_template($1, $1_t, $1_r)
|
||||||
@ -24175,7 +24181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
logging_dontaudit_send_audit_msgs($1_t)
|
logging_dontaudit_send_audit_msgs($1_t)
|
||||||
|
|
||||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||||
@@ -1085,33 +1087,14 @@
|
@@ -1085,32 +1084,17 @@
|
||||||
selinux_get_enforce_mode($1_t)
|
selinux_get_enforce_mode($1_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -24197,25 +24203,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
-
|
-
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- java_per_role_template($1, $1_t, $1_r)
|
- java_per_role_template($1, $1_t, $1_r)
|
||||||
- ')
|
|
||||||
-
|
|
||||||
- optional_policy(`
|
|
||||||
- mono_per_role_template($1, $1_t, $1_r)
|
|
||||||
+ alsa_read_rw_config($1_usertype)
|
+ alsa_read_rw_config($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- setroubleshoot_dontaudit_stream_connect($1_t)
|
- mono_per_role_template($1, $1_t, $1_r)
|
||||||
- ')
|
- ')
|
||||||
+ # Broken Cover up bugzilla #345921 Should be removed when this is fixed
|
+ # Broken Cover up bugzilla #345921 Should be removed when this is fixed
|
||||||
+ corenet_tcp_connect_soundd_port($1_t)
|
+ corenet_tcp_connect_soundd_port($1_t)
|
||||||
+ corenet_tcp_sendrecv_soundd_port($1_t)
|
+ corenet_tcp_sendrecv_soundd_port($1_t)
|
||||||
+ corenet_tcp_sendrecv_all_if($1_t)
|
+ corenet_tcp_sendrecv_all_if($1_t)
|
||||||
+ corenet_tcp_sendrecv_lo_node($1_t)
|
+ corenet_tcp_sendrecv_lo_node($1_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- setroubleshoot_dontaudit_stream_connect($1_t)
|
||||||
|
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
@@ -1121,10 +1105,10 @@
|
||||||
@@ -1121,10 +1104,10 @@
|
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@ -24230,7 +24236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## This template creates a user domain, types, and
|
## This template creates a user domain, types, and
|
||||||
## rules for the user's tty, pty, home directories,
|
## rules for the user's tty, pty, home directories,
|
||||||
## tmp, and tmpfs files.
|
## tmp, and tmpfs files.
|
||||||
@@ -1187,22 +1170,17 @@
|
@@ -1187,12 +1171,11 @@
|
||||||
# and may change other protocols
|
# and may change other protocols
|
||||||
tunable_policy(`user_tcp_server',`
|
tunable_policy(`user_tcp_server',`
|
||||||
corenet_tcp_bind_all_nodes($1_t)
|
corenet_tcp_bind_all_nodes($1_t)
|
||||||
@ -24245,17 +24251,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
# Run pppd in pppd_t by default for user
|
# Run pppd in pppd_t by default for user
|
||||||
optional_policy(`
|
@@ -1201,7 +1184,7 @@
|
||||||
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
|
||||||
')
|
|
||||||
-
|
|
||||||
- optional_policy(`
|
|
||||||
- setroubleshoot_stream_connect($1_t)
|
|
||||||
- ')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
optional_policy(`
|
||||||
@@ -1278,8 +1256,6 @@
|
- setroubleshoot_stream_connect($1_t)
|
||||||
|
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
@@ -1278,8 +1261,6 @@
|
||||||
# Manipulate other users crontab.
|
# Manipulate other users crontab.
|
||||||
allow $1_t self:passwd crontab;
|
allow $1_t self:passwd crontab;
|
||||||
|
|
||||||
@ -24264,7 +24269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
kernel_getattr_message_if($1_t)
|
kernel_getattr_message_if($1_t)
|
||||||
@@ -1416,6 +1392,7 @@
|
@@ -1416,6 +1397,7 @@
|
||||||
dev_relabel_all_dev_nodes($1)
|
dev_relabel_all_dev_nodes($1)
|
||||||
|
|
||||||
files_create_boot_flag($1)
|
files_create_boot_flag($1)
|
||||||
@ -24272,7 +24277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
# Necessary for managing /boot/efi
|
# Necessary for managing /boot/efi
|
||||||
fs_manage_dos_files($1)
|
fs_manage_dos_files($1)
|
||||||
@@ -1781,10 +1758,14 @@
|
@@ -1781,10 +1763,14 @@
|
||||||
template(`userdom_user_home_content',`
|
template(`userdom_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute $1_file_type;
|
attribute $1_file_type;
|
||||||
@ -24288,7 +24293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1880,11 +1861,11 @@
|
@@ -1880,11 +1866,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_search_user_home_dirs',`
|
template(`userdom_search_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24302,7 +24307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1914,11 +1895,11 @@
|
@@ -1914,11 +1900,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_list_user_home_dirs',`
|
template(`userdom_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24316,7 +24321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1962,12 +1943,12 @@
|
@@ -1962,12 +1948,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_domtrans',`
|
template(`userdom_user_home_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24332,7 +24337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1997,10 +1978,10 @@
|
@@ -1997,10 +1983,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_list_user_home_dirs',`
|
template(`userdom_dontaudit_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24345,7 +24350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2032,11 +2013,47 @@
|
@@ -2032,11 +2018,47 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_dirs',`
|
template(`userdom_manage_user_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24395,7 +24400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2068,10 +2085,10 @@
|
@@ -2068,10 +2090,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24408,7 +24413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2101,11 +2118,11 @@
|
@@ -2101,11 +2123,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_home_content_files',`
|
template(`userdom_read_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24422,7 +24427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2135,11 +2152,11 @@
|
@@ -2135,11 +2157,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_read_user_home_content_files',`
|
template(`userdom_dontaudit_read_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24437,7 +24442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2169,10 +2186,10 @@
|
@@ -2169,10 +2191,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_write_user_home_content_files',`
|
template(`userdom_dontaudit_write_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24450,7 +24455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2202,11 +2219,11 @@
|
@@ -2202,11 +2224,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_home_content_symlinks',`
|
template(`userdom_read_user_home_content_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24464,7 +24469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2236,11 +2253,11 @@
|
@@ -2236,11 +2258,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_exec_user_home_content_files',`
|
template(`userdom_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24478,7 +24483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2270,10 +2287,10 @@
|
@@ -2270,10 +2292,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_exec_user_home_content_files',`
|
template(`userdom_dontaudit_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24491,7 +24496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2305,12 +2322,12 @@
|
@@ -2305,12 +2327,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_files',`
|
template(`userdom_manage_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24507,7 +24512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2342,10 +2359,10 @@
|
@@ -2342,10 +2364,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24520,7 +24525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2377,12 +2394,12 @@
|
@@ -2377,12 +2399,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_symlinks',`
|
template(`userdom_manage_user_home_content_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24536,7 +24541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2414,12 +2431,12 @@
|
@@ -2414,12 +2436,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_pipes',`
|
template(`userdom_manage_user_home_content_pipes',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24552,7 +24557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2451,12 +2468,12 @@
|
@@ -2451,12 +2473,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_sockets',`
|
template(`userdom_manage_user_home_content_sockets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24568,7 +24573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2501,11 +2518,11 @@
|
@@ -2501,11 +2523,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_dir_filetrans',`
|
template(`userdom_user_home_dir_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24582,7 +24587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2550,11 +2567,11 @@
|
@@ -2550,11 +2572,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_content_filetrans',`
|
template(`userdom_user_home_content_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24596,7 +24601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2594,11 +2611,11 @@
|
@@ -2594,11 +2616,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24610,7 +24615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2628,11 +2645,11 @@
|
@@ -2628,11 +2650,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_write_user_tmp_sockets',`
|
template(`userdom_write_user_tmp_sockets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24624,7 +24629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2662,11 +2679,11 @@
|
@@ -2662,11 +2684,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_list_user_tmp',`
|
template(`userdom_list_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24638,7 +24643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2698,10 +2715,10 @@
|
@@ -2698,10 +2720,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_list_user_tmp',`
|
template(`userdom_dontaudit_list_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24651,7 +24656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2733,10 +2750,10 @@
|
@@ -2733,10 +2755,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24664,7 +24669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2766,12 +2783,12 @@
|
@@ -2766,12 +2788,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_tmp_files',`
|
template(`userdom_read_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24680,7 +24685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2803,10 +2820,10 @@
|
@@ -2803,10 +2825,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_read_user_tmp_files',`
|
template(`userdom_dontaudit_read_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24693,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2838,10 +2855,48 @@
|
@@ -2838,10 +2860,48 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_append_user_tmp_files',`
|
template(`userdom_dontaudit_append_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24744,7 +24749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2871,12 +2926,12 @@
|
@@ -2871,12 +2931,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_rw_user_tmp_files',`
|
template(`userdom_rw_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24760,7 +24765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2908,10 +2963,10 @@
|
@@ -2908,10 +2968,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_manage_user_tmp_files',`
|
template(`userdom_dontaudit_manage_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24773,7 +24778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2943,12 +2998,12 @@
|
@@ -2943,12 +3003,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_tmp_symlinks',`
|
template(`userdom_read_user_tmp_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24789,7 +24794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2980,11 +3035,11 @@
|
@@ -2980,11 +3040,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_dirs',`
|
template(`userdom_manage_user_tmp_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24803,7 +24808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3016,11 +3071,11 @@
|
@@ -3016,11 +3076,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_files',`
|
template(`userdom_manage_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24817,7 +24822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3052,11 +3107,11 @@
|
@@ -3052,11 +3112,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_symlinks',`
|
template(`userdom_manage_user_tmp_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24831,7 +24836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3088,11 +3143,11 @@
|
@@ -3088,11 +3148,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_pipes',`
|
template(`userdom_manage_user_tmp_pipes',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24845,7 +24850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3124,11 +3179,11 @@
|
@@ -3124,11 +3184,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_sockets',`
|
template(`userdom_manage_user_tmp_sockets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24859,7 +24864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3173,10 +3228,10 @@
|
@@ -3173,10 +3233,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_tmp_filetrans',`
|
template(`userdom_user_tmp_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24872,7 +24877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
files_search_tmp($2)
|
files_search_tmp($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3217,10 +3272,10 @@
|
@@ -3217,10 +3277,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_tmp_filetrans_user_tmp',`
|
template(`userdom_tmp_filetrans_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24885,7 +24890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3248,6 +3303,42 @@
|
@@ -3248,6 +3308,42 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -24928,7 +24933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
template(`userdom_rw_user_tmpfs_files',`
|
template(`userdom_rw_user_tmpfs_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type $1_tmpfs_t;
|
type $1_tmpfs_t;
|
||||||
@@ -4225,11 +4316,11 @@
|
@@ -4225,11 +4321,11 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_search_staff_home_dirs',`
|
interface(`userdom_search_staff_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24942,7 +24947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4245,10 +4336,10 @@
|
@@ -4245,10 +4341,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_search_staff_home_dirs',`
|
interface(`userdom_dontaudit_search_staff_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24955,7 +24960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4264,11 +4355,11 @@
|
@@ -4264,11 +4360,11 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_manage_staff_home_dirs',`
|
interface(`userdom_manage_staff_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24969,7 +24974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4283,16 +4374,16 @@
|
@@ -4283,16 +4379,16 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_relabelto_staff_home_dirs',`
|
interface(`userdom_relabelto_staff_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -24989,7 +24994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## users home directory.
|
## users home directory.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -4301,12 +4392,27 @@
|
@@ -4301,17 +4397,32 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -25002,10 +25007,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
- dontaudit $1 staff_home_t:file append;
|
- dontaudit $1 staff_home_t:file append;
|
||||||
+ dontaudit $1 user_home_t:file append_file_perms;
|
+ dontaudit $1 user_home_t:file append_file_perms;
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+########################################
|
########################################
|
||||||
+## <summary>
|
## <summary>
|
||||||
|
-## Read files in the staff users home directory.
|
||||||
+## Do not audit attempts to append to the staff
|
+## Do not audit attempts to append to the staff
|
||||||
+## users home directory.
|
+## users home directory.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
@ -25017,10 +25023,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+#
|
+#
|
||||||
+interface(`userdom_dontaudit_append_staff_home_content_files',`
|
+interface(`userdom_dontaudit_append_staff_home_content_files',`
|
||||||
+ userdom_dontaudit_append_unpriv_home_content_files($1)
|
+ userdom_dontaudit_append_unpriv_home_content_files($1)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
########################################
|
+########################################
|
||||||
@@ -4321,13 +4427,13 @@
|
+## <summary>
|
||||||
|
+## Read files in the staff users home directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
@@ -4321,13 +4432,13 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_read_staff_home_content_files',`
|
interface(`userdom_read_staff_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25038,7 +25049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4525,10 +4631,10 @@
|
@@ -4525,10 +4636,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_getattr_sysadm_home_dirs',`
|
interface(`userdom_getattr_sysadm_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25051,7 +25062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4545,10 +4651,10 @@
|
@@ -4545,10 +4656,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
|
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25064,7 +25075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4563,10 +4669,10 @@
|
@@ -4563,10 +4674,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_search_sysadm_home_dirs',`
|
interface(`userdom_search_sysadm_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25077,7 +25088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4582,10 +4688,10 @@
|
@@ -4582,10 +4693,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
|
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25090,7 +25101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4600,10 +4706,10 @@
|
@@ -4600,10 +4711,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_list_sysadm_home_dirs',`
|
interface(`userdom_list_sysadm_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25103,7 +25114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4619,10 +4725,10 @@
|
@@ -4619,10 +4730,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
|
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25116,7 +25127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4638,12 +4744,11 @@
|
@@ -4638,12 +4749,11 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25132,7 +25143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4670,10 +4775,10 @@
|
@@ -4670,10 +4780,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_sysadm_home_dir_filetrans',`
|
interface(`userdom_sysadm_home_dir_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25145,7 +25156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4688,10 +4793,10 @@
|
@@ -4688,10 +4798,10 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_search_sysadm_home_content_dirs',`
|
interface(`userdom_search_sysadm_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25158,7 +25169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4706,13 +4811,13 @@
|
@@ -4706,13 +4816,13 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_read_sysadm_home_content_files',`
|
interface(`userdom_read_sysadm_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25176,7 +25187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4748,11 +4853,49 @@
|
@@ -4748,11 +4858,49 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_search_all_users_home_dirs',`
|
interface(`userdom_search_all_users_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25227,7 +25238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4772,6 +4915,14 @@
|
@@ -4772,6 +4920,14 @@
|
||||||
|
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
allow $1 home_dir_type:dir list_dir_perms;
|
allow $1 home_dir_type:dir list_dir_perms;
|
||||||
@ -25242,7 +25253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5109,7 +5260,7 @@
|
@@ -5109,7 +5265,7 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_relabelto_generic_user_home_dirs',`
|
interface(`userdom_relabelto_generic_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -25251,7 +25262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
@@ -5298,6 +5449,49 @@
|
@@ -5298,6 +5454,49 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -25301,7 +25312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Create, read, write, and delete directories in
|
## Create, read, write, and delete directories in
|
||||||
## unprivileged users home directories.
|
## unprivileged users home directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -5503,6 +5697,42 @@
|
@@ -5503,6 +5702,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -25344,7 +25355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Read and write unprivileged user ttys.
|
## Read and write unprivileged user ttys.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5668,6 +5898,42 @@
|
@@ -5668,6 +5903,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -25387,7 +25398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5698,3 +5964,277 @@
|
@@ -5698,3 +5969,277 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.2.5
|
Version: 3.2.5
|
||||||
Release: 17%{?dist}
|
Release: 18%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -387,6 +387,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-18
|
||||||
|
- Allow pam_selinux_permit to kill all processes
|
||||||
|
|
||||||
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-17
|
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-17
|
||||||
- Allow ptrace or user processes by users of same type
|
- Allow ptrace or user processes by users of same type
|
||||||
- Add boolean for transition to nsplugin
|
- Add boolean for transition to nsplugin
|
||||||
|
Loading…
Reference in New Issue
Block a user