- Allow pam_selinux_permit to kill all processes

This commit is contained in:
Daniel J Walsh 2008-01-23 18:24:12 +00:00
parent cc5bb89ef0
commit 0939872058
2 changed files with 149 additions and 135 deletions


@ -3742,8 +3742,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-22 13:24:31.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-23 11:19:15.000000000 -0500
@@ -0,0 +1,330 @@ @@ -0,0 +1,332 @@
+ +
+## <summary>policy for nsplugin</summary> +## <summary>policy for nsplugin</summary>
+ +
@ -3895,18 +3895,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ type nsplugin_config_t; + type nsplugin_config_t;
+ type nsplugin_rw_t; + type nsplugin_rw_t;
+ ') + ')
+ nsplugin_domtrans($1) + nsplugin_domtrans($2)
+ +
+ nsplugin_config_domtrans($1) + nsplugin_config_domtrans($2)
+ +
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($1, nsplugin_rw_t) + can_exec($2, nsplugin_rw_t)
+ +
+ allow nsplugin_t $1:udp_socket { read write }; + allow nsplugin_t $2:udp_socket { read write };
+ allow nsplugin_t $2:tcp_socket { read write };
+ +
+ allow $1 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $1 nsplugin_t:unix_stream_socket connectto; + allow $2 nsplugin_t:unix_stream_socket connectto;
+ userdom_use_user_terminals($1, $2)
+') +')
+ +
+####################################### +#######################################
@ -3947,7 +3949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ type nsplugin_config_t; + type nsplugin_config_t;
+ type nsplugin_rw_t; + type nsplugin_rw_t;
+ ') + ')
+ nsplugin_use($2) + nsplugin_use($1, $2)
+ role $3 types nsplugin_t; + role $3 types nsplugin_t;
+ role $3 types nsplugin_config_t; + role $3 types nsplugin_config_t;
+') +')
@ -4076,8 +4078,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-21 18:20:27.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-23 11:16:36.000000000 -0500
@@ -0,0 +1,100 @@ @@ -0,0 +1,105 @@
+policy_module(nsplugin,1.0.0) +policy_module(nsplugin,1.0.0)
+ +
+######################################## +########################################
@ -4120,6 +4122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+files_read_etc_files(nsplugin_t) +files_read_etc_files(nsplugin_t)
+ +
+fs_list_inotifyfs(nsplugin_t) +fs_list_inotifyfs(nsplugin_t)
+fs_rw_tmpfs_files(nsplugin_t)
+ +
+auth_use_nsswitch(nsplugin_t) +auth_use_nsswitch(nsplugin_t)
+ +
@ -4151,6 +4154,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+## internal communication is often done using fifo and unix sockets. +## internal communication is often done using fifo and unix sockets.
+allow nsplugin_config_t self:capability { sys_nice setuid setgid }; +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched getsched }; +allow nsplugin_config_t self:process { setsched getsched };
+allow nsplugin_t self:sem rw_sem_perms;
+allow nsplugin_t self:shm rw_shm_perms;
+ +
+allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
@ -4174,10 +4179,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+libs_use_shared_libs(nsplugin_config_t) +libs_use_shared_libs(nsplugin_config_t)
+ +
+miscfiles_read_localization(nsplugin_config_t) +miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+ +
+userdom_dontaudit_search_all_users_home_content(nsplugin_config_t) +userdom_dontaudit_search_all_users_home_content(nsplugin_config_t)
+ +
+nsplugin_domtrans(nsplugin_config_t) +nsplugin_domtrans(nsplugin_config_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2008-01-18 12:40:46.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2008-01-18 12:40:46.000000000 -0500
@ -20403,7 +20410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500 --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-21 14:40:46.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-23 09:15:22.000000000 -0500
@@ -99,7 +99,7 @@ @@ -99,7 +99,7 @@
template(`authlogin_per_role_template',` template(`authlogin_per_role_template',`
@ -20421,10 +20428,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
domain_type($1) domain_type($1)
@@ -177,12 +178,23 @@ @@ -177,12 +178,27 @@
domain_obj_id_change_exemption($1) domain_obj_id_change_exemption($1)
role system_r types $1; role system_r types $1;
+ # Needed for pam_selinux_permit to cleanup properly
+ domain_read_all_domains_state($1)
+ domain_kill_all_domains($1)
+
+ # pam_keyring + # pam_keyring
+ allow $1 self:capability ipc_lock; + allow $1 self:capability ipc_lock;
+ allow $1 self:process setkeycreate; + allow $1 self:process setkeycreate;
@ -20445,7 +20456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice # for SSP/ProPolice
dev_read_urand($1) dev_read_urand($1)
# for fingerprint readers # for fingerprint readers
@@ -221,11 +233,35 @@ @@ -221,11 +237,35 @@
logging_send_audit_msgs($1) logging_send_audit_msgs($1)
logging_send_syslog_msg($1) logging_send_syslog_msg($1)
@ -20482,7 +20493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
tunable_policy(`allow_polyinstantiation',` tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1) files_polyinstantiate_all($1)
') ')
@@ -342,6 +378,8 @@ @@ -342,6 +382,8 @@
optional_policy(` optional_policy(`
kerberos_use($1) kerberos_use($1)
@ -20491,7 +20502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
optional_policy(` optional_policy(`
@@ -356,6 +394,7 @@ @@ -356,6 +398,7 @@
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
') ')
@ -20499,7 +20510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
######################################## ########################################
@@ -369,12 +408,12 @@ @@ -369,12 +412,12 @@
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -20514,7 +20525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -386,6 +425,7 @@ @@ -386,6 +429,7 @@
auth_domtrans_chk_passwd($1) auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t; role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms; allow system_chkpwd_t $3:chr_file rw_file_perms;
@ -20522,7 +20533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
######################################## ########################################
@@ -1457,6 +1497,7 @@ @@ -1457,6 +1501,7 @@
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
samba_read_var_files($1) samba_read_var_files($1)
@ -20530,7 +20541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
') ')
@@ -1491,3 +1532,23 @@ @@ -1491,3 +1536,23 @@
typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
@ -23097,8 +23108,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-22 13:25:12.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-23 13:13:29.000000000 -0500
@@ -6,35 +6,58 @@ @@ -6,35 +6,59 @@
# Declarations # Declarations
# #
@ -23116,7 +23127,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-userdom_manage_home_template(unconfined) -userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined) -userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined) -userdom_manage_tmpfs_template(unconfined)
+userdom_unpriv_user_template(unconfined) +userdom_restricted_user_template(unconfined)
+userdom_common_user_template(unconfined)
+userdom_xwindows_client_template(unconfined) +userdom_xwindows_client_template(unconfined)
type unconfined_exec_t; type unconfined_exec_t;
@ -23161,7 +23173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -42,7 +65,10 @@ @@ -42,7 +66,10 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@ -23172,12 +23184,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -50,14 +76,28 @@ @@ -51,13 +78,25 @@
userdom_priveleged_home_dir_manager(unconfined_t) userdom_priveleged_home_dir_manager(unconfined_t)
+ optional_policy(`
+optional_policy(` - ada_domtrans(unconfined_t)
+ gen_require(` + gen_require(`
+ type nsplugin_t; + type nsplugin_t;
+ type nsplugin_config_t; + type nsplugin_config_t;
@ -23185,13 +23196,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ role unconfined_r types nsplugin_t; + role unconfined_r types nsplugin_t;
+ role unconfined_r types nsplugin_config_t; + role unconfined_r types nsplugin_config_t;
+ tunable_policy(`allow_unconfined_nsplugin_transition', ` + tunable_policy(`allow_unconfined_nsplugin_transition', `
+ + nsplugin_use(unconfined, unconfined_t)
+ nsplugin_use(unconfined_t)
+ ') + ')
+') +')
+ +
optional_policy(` +optional_policy(`
- ada_domtrans(unconfined_t)
+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
') ')
@ -23203,7 +23212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
unconfined_domain(httpd_unconfined_script_t) unconfined_domain(httpd_unconfined_script_t)
') ')
@@ -69,11 +109,11 @@ @@ -69,11 +108,11 @@
bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
') ')
@ -23220,7 +23229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
optional_policy(` optional_policy(`
init_dbus_chat_script(unconfined_t) init_dbus_chat_script(unconfined_t)
@@ -107,6 +147,10 @@ @@ -107,6 +146,10 @@
optional_policy(` optional_policy(`
oddjob_dbus_chat(unconfined_t) oddjob_dbus_chat(unconfined_t)
') ')
@ -23231,7 +23240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -118,11 +162,7 @@ @@ -118,11 +161,7 @@
') ')
optional_policy(` optional_policy(`
@ -23244,7 +23253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -134,14 +174,6 @@ @@ -134,14 +173,6 @@
') ')
optional_policy(` optional_policy(`
@ -23259,7 +23268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
oddjob_domtrans_mkhomedir(unconfined_t) oddjob_domtrans_mkhomedir(unconfined_t)
') ')
@@ -154,38 +186,27 @@ @@ -154,38 +185,27 @@
') ')
optional_policy(` optional_policy(`
@ -23304,7 +23313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -205,11 +226,30 @@ @@ -205,11 +225,30 @@
') ')
optional_policy(` optional_policy(`
@ -23337,7 +23346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
######################################## ########################################
@@ -219,14 +259,34 @@ @@ -219,14 +258,34 @@
allow unconfined_execmem_t self:process { execstack execmem }; allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t) unconfined_domain_noaudit(unconfined_execmem_t)
@ -23392,7 +23401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-22 14:46:10.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-23 13:14:20.000000000 -0500
@@ -29,9 +29,14 @@ @@ -29,9 +29,14 @@
') ')
@ -24102,7 +24111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
typeattribute $1_tty_device_t user_ttynode; typeattribute $1_tty_device_t user_ttynode;
############################## ##############################
@@ -1025,16 +1004,32 @@ @@ -1025,16 +1004,29 @@
# #
# privileged home directory writers # privileged home directory writers
@ -24135,13 +24144,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
loadkeys_run($1_t,$1_r,$1_tty_device_t) loadkeys_run($1_t,$1_r,$1_tty_device_t)
') ')
+ +
+ optional_policy(`
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
+ ')
') ')
####################################### #######################################
@@ -1062,6 +1057,13 @@ @@ -1062,6 +1054,13 @@
userdom_restricted_user_template($1) userdom_restricted_user_template($1)
@ -24155,7 +24161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_xwindows_client_template($1) userdom_xwindows_client_template($1)
############################## ##############################
@@ -1070,14 +1072,14 @@ @@ -1070,14 +1069,14 @@
# #
authlogin_per_role_template($1, $1_t, $1_r) authlogin_per_role_template($1, $1_t, $1_r)
@ -24175,7 +24181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
logging_dontaudit_send_audit_msgs($1_t) logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain # Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -1085,33 +1087,14 @@ @@ -1085,32 +1084,17 @@
selinux_get_enforce_mode($1_t) selinux_get_enforce_mode($1_t)
optional_policy(` optional_policy(`
@ -24197,25 +24203,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- -
- optional_policy(` - optional_policy(`
- java_per_role_template($1, $1_t, $1_r) - java_per_role_template($1, $1_t, $1_r)
- ')
-
- optional_policy(`
- mono_per_role_template($1, $1_t, $1_r)
+ alsa_read_rw_config($1_usertype) + alsa_read_rw_config($1_usertype)
') ')
- optional_policy(` - optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t) - mono_per_role_template($1, $1_t, $1_r)
- ') - ')
+ # Broken Cover up bugzilla #345921 Should be removed when this is fixed + # Broken Cover up bugzilla #345921 Should be removed when this is fixed
+ corenet_tcp_connect_soundd_port($1_t) + corenet_tcp_connect_soundd_port($1_t)
+ corenet_tcp_sendrecv_soundd_port($1_t) + corenet_tcp_sendrecv_soundd_port($1_t)
+ corenet_tcp_sendrecv_all_if($1_t) + corenet_tcp_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_lo_node($1_t) + corenet_tcp_sendrecv_lo_node($1_t)
optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
')
') ')
####################################### @@ -1121,10 +1105,10 @@
@@ -1121,10 +1104,10 @@
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
@ -24230,7 +24236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and ## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories, ## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files. ## tmp, and tmpfs files.
@@ -1187,22 +1170,17 @@ @@ -1187,12 +1171,11 @@
# and may change other protocols # and may change other protocols
tunable_policy(`user_tcp_server',` tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t) corenet_tcp_bind_all_nodes($1_t)
@ -24245,17 +24251,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
# Run pppd in pppd_t by default for user # Run pppd in pppd_t by default for user
optional_policy(` @@ -1201,7 +1184,7 @@
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
') ')
-
- optional_policy(` optional_policy(`
- setroubleshoot_stream_connect($1_t) - setroubleshoot_stream_connect($1_t)
- ') + nsplugin_per_role_template($1, $1_usertype, $1_r)
')
') ')
####################################### @@ -1278,8 +1261,6 @@
@@ -1278,8 +1256,6 @@
# Manipulate other users crontab. # Manipulate other users crontab.
allow $1_t self:passwd crontab; allow $1_t self:passwd crontab;
@ -24264,7 +24269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t) kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t) kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t) kernel_getattr_message_if($1_t)
@@ -1416,6 +1392,7 @@ @@ -1416,6 +1397,7 @@
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -24272,7 +24277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1781,10 +1758,14 @@ @@ -1781,10 +1763,14 @@
template(`userdom_user_home_content',` template(`userdom_user_home_content',`
gen_require(` gen_require(`
attribute $1_file_type; attribute $1_file_type;
@ -24288,7 +24293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1880,11 +1861,11 @@ @@ -1880,11 +1866,11 @@
# #
template(`userdom_search_user_home_dirs',` template(`userdom_search_user_home_dirs',`
gen_require(` gen_require(`
@ -24302,7 +24307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1914,11 +1895,11 @@ @@ -1914,11 +1900,11 @@
# #
template(`userdom_list_user_home_dirs',` template(`userdom_list_user_home_dirs',`
gen_require(` gen_require(`
@ -24316,7 +24321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1962,12 +1943,12 @@ @@ -1962,12 +1948,12 @@
# #
template(`userdom_user_home_domtrans',` template(`userdom_user_home_domtrans',`
gen_require(` gen_require(`
@ -24332,7 +24337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1997,10 +1978,10 @@ @@ -1997,10 +1983,10 @@
# #
template(`userdom_dontaudit_list_user_home_dirs',` template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
@ -24345,7 +24350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2032,11 +2013,47 @@ @@ -2032,11 +2018,47 @@
# #
template(`userdom_manage_user_home_content_dirs',` template(`userdom_manage_user_home_content_dirs',`
gen_require(` gen_require(`
@ -24395,7 +24400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2068,10 +2085,10 @@ @@ -2068,10 +2090,10 @@
# #
template(`userdom_dontaudit_setattr_user_home_content_files',` template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(` gen_require(`
@ -24408,7 +24413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2101,11 +2118,11 @@ @@ -2101,11 +2123,11 @@
# #
template(`userdom_read_user_home_content_files',` template(`userdom_read_user_home_content_files',`
gen_require(` gen_require(`
@ -24422,7 +24427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2135,11 +2152,11 @@ @@ -2135,11 +2157,11 @@
# #
template(`userdom_dontaudit_read_user_home_content_files',` template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(` gen_require(`
@ -24437,7 +24442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2169,10 +2186,10 @@ @@ -2169,10 +2191,10 @@
# #
template(`userdom_dontaudit_write_user_home_content_files',` template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(` gen_require(`
@ -24450,7 +24455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2202,11 +2219,11 @@ @@ -2202,11 +2224,11 @@
# #
template(`userdom_read_user_home_content_symlinks',` template(`userdom_read_user_home_content_symlinks',`
gen_require(` gen_require(`
@ -24464,7 +24469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2236,11 +2253,11 @@ @@ -2236,11 +2258,11 @@
# #
template(`userdom_exec_user_home_content_files',` template(`userdom_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -24478,7 +24483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2270,10 +2287,10 @@ @@ -2270,10 +2292,10 @@
# #
template(`userdom_dontaudit_exec_user_home_content_files',` template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -24491,7 +24496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2305,12 +2322,12 @@ @@ -2305,12 +2327,12 @@
# #
template(`userdom_manage_user_home_content_files',` template(`userdom_manage_user_home_content_files',`
gen_require(` gen_require(`
@ -24507,7 +24512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2342,10 +2359,10 @@ @@ -2342,10 +2364,10 @@
# #
template(`userdom_dontaudit_manage_user_home_content_dirs',` template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(` gen_require(`
@ -24520,7 +24525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2377,12 +2394,12 @@ @@ -2377,12 +2399,12 @@
# #
template(`userdom_manage_user_home_content_symlinks',` template(`userdom_manage_user_home_content_symlinks',`
gen_require(` gen_require(`
@ -24536,7 +24541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2414,12 +2431,12 @@ @@ -2414,12 +2436,12 @@
# #
template(`userdom_manage_user_home_content_pipes',` template(`userdom_manage_user_home_content_pipes',`
gen_require(` gen_require(`
@ -24552,7 +24557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2451,12 +2468,12 @@ @@ -2451,12 +2473,12 @@
# #
template(`userdom_manage_user_home_content_sockets',` template(`userdom_manage_user_home_content_sockets',`
gen_require(` gen_require(`
@ -24568,7 +24573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2501,11 +2518,11 @@ @@ -2501,11 +2523,11 @@
# #
template(`userdom_user_home_dir_filetrans',` template(`userdom_user_home_dir_filetrans',`
gen_require(` gen_require(`
@ -24582,7 +24587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2550,11 +2567,11 @@ @@ -2550,11 +2572,11 @@
# #
template(`userdom_user_home_content_filetrans',` template(`userdom_user_home_content_filetrans',`
gen_require(` gen_require(`
@ -24596,7 +24601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2594,11 +2611,11 @@ @@ -2594,11 +2616,11 @@
# #
template(`userdom_user_home_dir_filetrans_user_home_content',` template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(` gen_require(`
@ -24610,7 +24615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2628,11 +2645,11 @@ @@ -2628,11 +2650,11 @@
# #
template(`userdom_write_user_tmp_sockets',` template(`userdom_write_user_tmp_sockets',`
gen_require(` gen_require(`
@ -24624,7 +24629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2662,11 +2679,11 @@ @@ -2662,11 +2684,11 @@
# #
template(`userdom_list_user_tmp',` template(`userdom_list_user_tmp',`
gen_require(` gen_require(`
@ -24638,7 +24643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2698,10 +2715,10 @@ @@ -2698,10 +2720,10 @@
# #
template(`userdom_dontaudit_list_user_tmp',` template(`userdom_dontaudit_list_user_tmp',`
gen_require(` gen_require(`
@ -24651,7 +24656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2733,10 +2750,10 @@ @@ -2733,10 +2755,10 @@
# #
template(`userdom_dontaudit_manage_user_tmp_dirs',` template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(` gen_require(`
@ -24664,7 +24669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2766,12 +2783,12 @@ @@ -2766,12 +2788,12 @@
# #
template(`userdom_read_user_tmp_files',` template(`userdom_read_user_tmp_files',`
gen_require(` gen_require(`
@ -24680,7 +24685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2803,10 +2820,10 @@ @@ -2803,10 +2825,10 @@
# #
template(`userdom_dontaudit_read_user_tmp_files',` template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(` gen_require(`
@ -24693,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2838,10 +2855,48 @@ @@ -2838,10 +2860,48 @@
# #
template(`userdom_dontaudit_append_user_tmp_files',` template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(` gen_require(`
@ -24744,7 +24749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2871,12 +2926,12 @@ @@ -2871,12 +2931,12 @@
# #
template(`userdom_rw_user_tmp_files',` template(`userdom_rw_user_tmp_files',`
gen_require(` gen_require(`
@ -24760,7 +24765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2908,10 +2963,10 @@ @@ -2908,10 +2968,10 @@
# #
template(`userdom_dontaudit_manage_user_tmp_files',` template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(` gen_require(`
@ -24773,7 +24778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2943,12 +2998,12 @@ @@ -2943,12 +3003,12 @@
# #
template(`userdom_read_user_tmp_symlinks',` template(`userdom_read_user_tmp_symlinks',`
gen_require(` gen_require(`
@ -24789,7 +24794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2980,11 +3035,11 @@ @@ -2980,11 +3040,11 @@
# #
template(`userdom_manage_user_tmp_dirs',` template(`userdom_manage_user_tmp_dirs',`
gen_require(` gen_require(`
@ -24803,7 +24808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3016,11 +3071,11 @@ @@ -3016,11 +3076,11 @@
# #
template(`userdom_manage_user_tmp_files',` template(`userdom_manage_user_tmp_files',`
gen_require(` gen_require(`
@ -24817,7 +24822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3052,11 +3107,11 @@ @@ -3052,11 +3112,11 @@
# #
template(`userdom_manage_user_tmp_symlinks',` template(`userdom_manage_user_tmp_symlinks',`
gen_require(` gen_require(`
@ -24831,7 +24836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3088,11 +3143,11 @@ @@ -3088,11 +3148,11 @@
# #
template(`userdom_manage_user_tmp_pipes',` template(`userdom_manage_user_tmp_pipes',`
gen_require(` gen_require(`
@ -24845,7 +24850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3124,11 +3179,11 @@ @@ -3124,11 +3184,11 @@
# #
template(`userdom_manage_user_tmp_sockets',` template(`userdom_manage_user_tmp_sockets',`
gen_require(` gen_require(`
@ -24859,7 +24864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3173,10 +3228,10 @@ @@ -3173,10 +3233,10 @@
# #
template(`userdom_user_tmp_filetrans',` template(`userdom_user_tmp_filetrans',`
gen_require(` gen_require(`
@ -24872,7 +24877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2) files_search_tmp($2)
') ')
@@ -3217,10 +3272,10 @@ @@ -3217,10 +3277,10 @@
# #
template(`userdom_tmp_filetrans_user_tmp',` template(`userdom_tmp_filetrans_user_tmp',`
gen_require(` gen_require(`
@ -24885,7 +24890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3248,6 +3303,42 @@ @@ -3248,6 +3308,42 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -24928,7 +24933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
template(`userdom_rw_user_tmpfs_files',` template(`userdom_rw_user_tmpfs_files',`
gen_require(` gen_require(`
type $1_tmpfs_t; type $1_tmpfs_t;
@@ -4225,11 +4316,11 @@ @@ -4225,11 +4321,11 @@
# #
interface(`userdom_search_staff_home_dirs',` interface(`userdom_search_staff_home_dirs',`
gen_require(` gen_require(`
@ -24942,7 +24947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4245,10 +4336,10 @@ @@ -4245,10 +4341,10 @@
# #
interface(`userdom_dontaudit_search_staff_home_dirs',` interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(` gen_require(`
@ -24955,7 +24960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4264,11 +4355,11 @@ @@ -4264,11 +4360,11 @@
# #
interface(`userdom_manage_staff_home_dirs',` interface(`userdom_manage_staff_home_dirs',`
gen_require(` gen_require(`
@ -24969,7 +24974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4283,16 +4374,16 @@ @@ -4283,16 +4379,16 @@
# #
interface(`userdom_relabelto_staff_home_dirs',` interface(`userdom_relabelto_staff_home_dirs',`
gen_require(` gen_require(`
@ -24989,7 +24994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory. ## users home directory.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4301,12 +4392,27 @@ @@ -4301,17 +4397,32 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -25002,10 +25007,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- dontaudit $1 staff_home_t:file append; - dontaudit $1 staff_home_t:file append;
+ dontaudit $1 user_home_t:file append_file_perms; + dontaudit $1 user_home_t:file append_file_perms;
+') ')
+
+######################################## ########################################
+## <summary> ## <summary>
-## Read files in the staff users home directory.
+## Do not audit attempts to append to the staff +## Do not audit attempts to append to the staff
+## users home directory. +## users home directory.
+## </summary> +## </summary>
@ -25017,10 +25023,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+# +#
+interface(`userdom_dontaudit_append_staff_home_content_files',` +interface(`userdom_dontaudit_append_staff_home_content_files',`
+ userdom_dontaudit_append_unpriv_home_content_files($1) + userdom_dontaudit_append_unpriv_home_content_files($1)
') +')
+
######################################## +########################################
@@ -4321,13 +4427,13 @@ +## <summary>
+## Read files in the staff users home directory.
## </summary>
## <param name="domain">
## <summary>
@@ -4321,13 +4432,13 @@
# #
interface(`userdom_read_staff_home_content_files',` interface(`userdom_read_staff_home_content_files',`
gen_require(` gen_require(`
@ -25038,7 +25049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4525,10 +4631,10 @@ @@ -4525,10 +4636,10 @@
# #
interface(`userdom_getattr_sysadm_home_dirs',` interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -25051,7 +25062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4545,10 +4651,10 @@ @@ -4545,10 +4656,10 @@
# #
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -25064,7 +25075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4563,10 +4669,10 @@ @@ -4563,10 +4674,10 @@
# #
interface(`userdom_search_sysadm_home_dirs',` interface(`userdom_search_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -25077,7 +25088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4582,10 +4688,10 @@ @@ -4582,10 +4693,10 @@
# #
interface(`userdom_dontaudit_search_sysadm_home_dirs',` interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -25090,7 +25101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4600,10 +4706,10 @@ @@ -4600,10 +4711,10 @@
# #
interface(`userdom_list_sysadm_home_dirs',` interface(`userdom_list_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -25103,7 +25114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4619,10 +4725,10 @@ @@ -4619,10 +4730,10 @@
# #
interface(`userdom_dontaudit_list_sysadm_home_dirs',` interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -25116,7 +25127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4638,12 +4744,11 @@ @@ -4638,12 +4749,11 @@
# #
interface(`userdom_dontaudit_read_sysadm_home_content_files',` interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(` gen_require(`
@ -25132,7 +25143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4670,10 +4775,10 @@ @@ -4670,10 +4780,10 @@
# #
interface(`userdom_sysadm_home_dir_filetrans',` interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(` gen_require(`
@ -25145,7 +25156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4688,10 +4793,10 @@ @@ -4688,10 +4798,10 @@
# #
interface(`userdom_search_sysadm_home_content_dirs',` interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(` gen_require(`
@ -25158,7 +25169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4706,13 +4811,13 @@ @@ -4706,13 +4816,13 @@
# #
interface(`userdom_read_sysadm_home_content_files',` interface(`userdom_read_sysadm_home_content_files',`
gen_require(` gen_require(`
@ -25176,7 +25187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4748,11 +4853,49 @@ @@ -4748,11 +4858,49 @@
# #
interface(`userdom_search_all_users_home_dirs',` interface(`userdom_search_all_users_home_dirs',`
gen_require(` gen_require(`
@ -25227,7 +25238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4772,6 +4915,14 @@ @@ -4772,6 +4920,14 @@
files_list_home($1) files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms; allow $1 home_dir_type:dir list_dir_perms;
@ -25242,7 +25253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -5109,7 +5260,7 @@ @@ -5109,7 +5265,7 @@
# #
interface(`userdom_relabelto_generic_user_home_dirs',` interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(` gen_require(`
@ -25251,7 +25262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
files_search_home($1) files_search_home($1)
@@ -5298,6 +5449,49 @@ @@ -5298,6 +5454,49 @@
######################################## ########################################
## <summary> ## <summary>
@ -25301,7 +25312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in ## Create, read, write, and delete directories in
## unprivileged users home directories. ## unprivileged users home directories.
## </summary> ## </summary>
@@ -5503,6 +5697,42 @@ @@ -5503,6 +5702,42 @@
######################################## ########################################
## <summary> ## <summary>
@ -25344,7 +25355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys. ## Read and write unprivileged user ttys.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -5668,6 +5898,42 @@ @@ -5668,6 +5903,42 @@
######################################## ########################################
## <summary> ## <summary>
@ -25387,7 +25398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains. ## Send a dbus message to all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -5698,3 +5964,277 @@ @@ -5698,3 +5969,277 @@
interface(`userdom_unconfined',` interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')


@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.2.5 Version: 3.2.5
Release: 17%{?dist} Release: 18%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-18
- Allow pam_selinux_permit to kill all processes
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-17 * Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-17
- Allow ptrace or user processes by users of same type - Allow ptrace or user processes by users of same type
- Add boolean for transition to nsplugin - Add boolean for transition to nsplugin