- Merge upstream changes
- Add Xavier Toth patches
This commit is contained in:
Daniel J Walsh
parent
13e7ea697a
commit
0abbc2d405
@ -3571,7 +3571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.8/policy/modules/apps/mozilla.if
|
||||
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-08-07 11:15:02.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/mozilla.if 2008-09-12 10:59:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/mozilla.if 2008-09-17 07:36:14.000000000 -0400
|
||||
@@ -35,7 +35,10 @@
|
||||
template(`mozilla_per_role_template',`
|
||||
gen_require(`
|
||||
@ -3583,7 +3583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -45,20 +48,24 @@
|
||||
@@ -45,36 +48,44 @@
|
||||
application_domain($1_mozilla_t, mozilla_exec_t)
|
||||
role $3 types $1_mozilla_t;
|
||||
|
||||
@ -3609,15 +3609,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
|
||||
- allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
|
||||
+ allow $1_mozilla_t self:process { ptrace sigkill signal setsched getsched setrlimit };
|
||||
+ allow $1_mozilla_t self:process { ptrace sigkill signal signull setsched getsched setrlimit };
|
||||
allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
|
||||
allow $1_mozilla_t self:sem create_sem_perms;
|
||||
@@ -66,15 +73,19 @@
|
||||
allow $1_mozilla_t self:socket create_socket_perms;
|
||||
allow $1_mozilla_t self:unix_stream_socket { listen accept };
|
||||
# Browse the web, connect to printer
|
||||
allow $1_mozilla_t self:tcp_socket create_socket_perms;
|
||||
- allow $1_mozilla_t self:tcp_socket create_socket_perms;
|
||||
- allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
+ allow $1_mozilla_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
# for bash - old mozilla binary
|
||||
can_exec($1_mozilla_t, mozilla_exec_t)
|
||||
@ -3720,15 +3721,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Browse the web, connect to printer
|
||||
corenet_all_recvfrom_unlabeled($1_mozilla_t)
|
||||
@@ -139,7 +178,6 @@
|
||||
@@ -137,9 +176,9 @@
|
||||
corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
|
||||
corenet_tcp_connect_http_port($1_mozilla_t)
|
||||
corenet_tcp_connect_http_cache_port($1_mozilla_t)
|
||||
+ corenet_tcp_connect_flash_port($1_mozilla_t)
|
||||
corenet_tcp_connect_ftp_port($1_mozilla_t)
|
||||
corenet_tcp_connect_ipp_port($1_mozilla_t)
|
||||
- corenet_tcp_connect_generic_port($1_mozilla_t)
|
||||
corenet_sendrecv_http_client_packets($1_mozilla_t)
|
||||
corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
|
||||
corenet_sendrecv_ftp_client_packets($1_mozilla_t)
|
||||
@@ -165,13 +203,28 @@
|
||||
@@ -165,13 +204,28 @@
|
||||
files_read_var_files($1_mozilla_t)
|
||||
files_read_var_symlinks($1_mozilla_t)
|
||||
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
|
||||
@ -3757,7 +3761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
libs_use_ld_so($1_mozilla_t)
|
||||
libs_use_shared_libs($1_mozilla_t)
|
||||
|
||||
@@ -180,16 +233,8 @@
|
||||
@@ -180,17 +234,10 @@
|
||||
miscfiles_read_fonts($1_mozilla_t)
|
||||
miscfiles_read_localization($1_mozilla_t)
|
||||
|
||||
@ -3774,9 +3778,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
|
||||
+ userdom_dontaudit_use_user_terminals($1, $1_mozilla_t)
|
||||
|
||||
+ xserver_read_xdm_pid($1_mozilla_t)
|
||||
xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
|
||||
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
|
||||
@@ -211,131 +256,8 @@
|
||||
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
|
||||
@@ -211,131 +258,8 @@
|
||||
fs_manage_cifs_symlinks($1_mozilla_t)
|
||||
')
|
||||
|
||||
@ -3910,7 +3916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -350,57 +272,48 @@
|
||||
@@ -350,57 +274,48 @@
|
||||
optional_policy(`
|
||||
cups_read_rw_config($1_mozilla_t)
|
||||
cups_dbus_chat($1_mozilla_t)
|
||||
@ -3984,7 +3990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -430,11 +343,11 @@
|
||||
@@ -430,11 +345,11 @@
|
||||
#
|
||||
template(`mozilla_read_user_home_files',`
|
||||
gen_require(`
|
||||
@ -3999,7 +4005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -464,11 +377,10 @@
|
||||
@@ -464,11 +379,10 @@
|
||||
#
|
||||
template(`mozilla_write_user_home_files',`
|
||||
gen_require(`
|
||||
@ -4013,7 +4019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -573,3 +485,27 @@
|
||||
@@ -573,3 +487,27 @@
|
||||
|
||||
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
|
||||
')
|
||||
@ -4074,8 +4080,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+typealias mozilla_tmp_t alias user_mozilla_tmp_t;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.8/policy/modules/apps/mplayer.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/mplayer.fc 2008-09-12 10:59:28.000000000 -0400
|
||||
@@ -10,4 +10,4 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/mplayer.fc 2008-09-17 07:30:05.000000000 -0400
|
||||
@@ -1,13 +1,8 @@
|
||||
#
|
||||
-# /etc
|
||||
-#
|
||||
-/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
|
||||
-
|
||||
-#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
|
||||
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
|
||||
|
||||
@ -4786,8 +4801,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.8/policy/modules/apps/openoffice.if
|
||||
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/openoffice.if 2008-09-12 10:59:28.000000000 -0400
|
||||
@@ -0,0 +1,102 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/apps/openoffice.if 2008-09-17 07:25:52.000000000 -0400
|
||||
@@ -0,0 +1,103 @@
|
||||
+## <summary>Openoffice</summary>
|
||||
+
|
||||
+#######################################
|
||||
@ -4834,6 +4849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ #
|
||||
+
|
||||
+ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
|
||||
+ allow $2 $1_openoffice_t:process { signal sigkill };
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
@ -8413,8 +8429,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.8/policy/modules/roles/guest.te
|
||||
--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/roles/guest.te 2008-09-12 10:59:28.000000000 -0400
|
||||
@@ -0,0 +1,44 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/roles/guest.te 2008-09-17 07:32:27.000000000 -0400
|
||||
@@ -0,0 +1,46 @@
|
||||
+
|
||||
+policy_module(guest, 1.0.0)
|
||||
+
|
||||
@ -8458,6 +8474,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t)
|
||||
+ allow xguest_mozilla_t xguest_openoffice_t:process { signal sigkill };
|
||||
+ allow xguest_openoffice_t xguest_mozilla_t:unix_sream_socket connectto;
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.8/policy/modules/roles/logadm.fc
|
||||
--- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
@ -9966,7 +9984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.8/policy/modules/services/apache.fc
|
||||
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/apache.fc 2008-09-12 10:59:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/apache.fc 2008-09-16 15:29:22.000000000 -0400
|
||||
@@ -1,10 +1,10 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
@ -13058,7 +13076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.8/policy/modules/services/cron.if
|
||||
--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/cron.if 2008-09-12 16:29:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/cron.if 2008-09-16 14:09:27.000000000 -0400
|
||||
@@ -35,39 +35,24 @@
|
||||
#
|
||||
template(`cron_per_role_template',`
|
||||
@ -13362,7 +13380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -584,3 +500,44 @@
|
||||
@@ -584,3 +500,45 @@
|
||||
|
||||
dontaudit $1 system_crond_tmp_t:file append;
|
||||
')
|
||||
@ -13382,6 +13400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+interface(`cron_dontaudit_write_system_job_tmp_files',`
|
||||
+ gen_require(`
|
||||
+ type system_crond_tmp_t;
|
||||
+ type cron_var_run_t;
|
||||
+ type system_crond_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
@ -20379,8 +20398,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.8/policy/modules/services/polkit.if
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/polkit.if 2008-09-12 10:59:28.000000000 -0400
|
||||
@@ -0,0 +1,212 @@
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/polkit.if 2008-09-16 15:04:25.000000000 -0400
|
||||
@@ -0,0 +1,213 @@
|
||||
+
|
||||
+## <summary>policy for polkit_auth</summary>
|
||||
+
|
||||
@ -20484,6 +20503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow polkit_resolve_t $1:dir list_dir_perms;
|
||||
+ read_files_pattern(polkit_resolve_t, $1, $1)
|
||||
+ read_lnk_files_pattern(polkit_resolve_t, $1, $1)
|
||||
+ allow polkit_resolve_t $1:process getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -27459,7 +27479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.8/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/xserver.if 2008-09-12 10:59:29.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/services/xserver.if 2008-09-17 07:35:23.000000000 -0400
|
||||
@@ -16,6 +16,7 @@
|
||||
gen_require(`
|
||||
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
||||
@ -33260,7 +33280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-16 09:56:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-17 07:27:44.000000000 -0400
|
||||
@@ -28,10 +28,14 @@
|
||||
class context contains;
|
||||
')
|
||||
@ -34287,7 +34307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
typeattribute $1_tty_device_t user_ttynode;
|
||||
|
||||
##############################
|
||||
@@ -1042,12 +1029,24 @@
|
||||
@@ -1042,12 +1029,25 @@
|
||||
#
|
||||
|
||||
# privileged home directory writers
|
||||
@ -34313,12 +34333,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ ')
|
||||
+ optional_policy(`
|
||||
+ cups_dbus_chat($1_usertype)
|
||||
+ cups_dbus_chat_config($1_usertype)
|
||||
+ ')
|
||||
+ ')
|
||||
|
||||
optional_policy(`
|
||||
loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||
@@ -1087,14 +1086,16 @@
|
||||
@@ -1087,14 +1087,16 @@
|
||||
#
|
||||
|
||||
authlogin_per_role_template($1, $1_t, $1_r)
|
||||
@ -34340,7 +34361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_dontaudit_send_audit_msgs($1_t)
|
||||
|
||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||
@@ -1102,28 +1103,23 @@
|
||||
@@ -1102,28 +1104,23 @@
|
||||
selinux_get_enforce_mode($1_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -34374,7 +34395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1134,8 +1130,7 @@
|
||||
@@ -1134,8 +1131,7 @@
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -34384,7 +34405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </p>
|
||||
## <p>
|
||||
## This template creates a user domain, types, and
|
||||
@@ -1167,11 +1162,10 @@
|
||||
@@ -1167,11 +1163,10 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
@ -34397,7 +34418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -1189,36 +1183,49 @@
|
||||
@@ -1189,36 +1184,49 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -34460,7 +34481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1295,8 +1302,6 @@
|
||||
@@ -1295,8 +1303,6 @@
|
||||
# Manipulate other users crontab.
|
||||
allow $1_t self:passwd crontab;
|
||||
|
||||
@ -34469,7 +34490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
@@ -1318,8 +1323,6 @@
|
||||
@@ -1318,8 +1324,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
@ -34478,7 +34499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1374,13 +1377,6 @@
|
||||
@@ -1374,13 +1378,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -34492,7 +34513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1432,6 +1428,7 @@
|
||||
@@ -1432,6 +1429,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -34500,7 +34521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1461,10 +1458,6 @@
|
||||
@@ -1461,10 +1459,6 @@
|
||||
seutil_run_semanage($1,$2,$3)
|
||||
seutil_run_setfiles($1, $2, $3)
|
||||
|
||||
@ -34511,7 +34532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
aide_run($1,$2, $3)
|
||||
')
|
||||
@@ -1484,6 +1477,14 @@
|
||||
@@ -1484,6 +1478,14 @@
|
||||
optional_policy(`
|
||||
netlabel_run_mgmt($1,$2, $3)
|
||||
')
|
||||
@ -34526,7 +34547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1741,11 +1742,15 @@
|
||||
@@ -1741,11 +1743,15 @@
|
||||
#
|
||||
template(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
@ -34545,7 +34566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1841,11 +1846,11 @@
|
||||
@@ -1841,11 +1847,11 @@
|
||||
#
|
||||
template(`userdom_search_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -34559,7 +34580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1875,11 +1880,11 @@
|
||||
@@ -1875,11 +1881,11 @@
|
||||
#
|
||||
template(`userdom_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -34573,7 +34594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1923,12 +1928,12 @@
|
||||
@@ -1923,12 +1929,12 @@
|
||||
#
|
||||
template(`userdom_user_home_domtrans',`
|
||||
gen_require(`
|
||||
@ -34589,7 +34610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1958,10 +1963,11 @@
|
||||
@@ -1958,10 +1964,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -34603,7 +34624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1993,11 +1999,47 @@
|
||||
@@ -1993,11 +2000,47 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -34653,7 +34674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2029,10 +2071,10 @@
|
||||
@@ -2029,10 +2072,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34666,7 +34687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2062,11 +2104,11 @@
|
||||
@@ -2062,11 +2105,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34680,7 +34701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2096,11 +2138,11 @@
|
||||
@@ -2096,11 +2139,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34695,7 +34716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2130,10 +2172,14 @@
|
||||
@@ -2130,10 +2173,14 @@
|
||||
#
|
||||
template(`userdom_dontaudit_write_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34712,7 +34733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2163,11 +2209,11 @@
|
||||
@@ -2163,11 +2210,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
@ -34726,7 +34747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2197,11 +2243,11 @@
|
||||
@@ -2197,11 +2244,11 @@
|
||||
#
|
||||
template(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34740,7 +34761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2231,10 +2277,10 @@
|
||||
@@ -2231,10 +2278,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34753,7 +34774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2266,12 +2312,12 @@
|
||||
@@ -2266,12 +2313,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34769,7 +34790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2303,10 +2349,10 @@
|
||||
@@ -2303,10 +2350,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -34782,7 +34803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2338,12 +2384,12 @@
|
||||
@@ -2338,12 +2385,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
@ -34798,7 +34819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2375,12 +2421,12 @@
|
||||
@@ -2375,12 +2422,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_pipes',`
|
||||
gen_require(`
|
||||
@ -34814,7 +34835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2412,12 +2458,12 @@
|
||||
@@ -2412,12 +2459,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_sockets',`
|
||||
gen_require(`
|
||||
@ -34830,7 +34851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2462,11 +2508,11 @@
|
||||
@@ -2462,11 +2509,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
@ -34844,7 +34865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2511,11 +2557,11 @@
|
||||
@@ -2511,11 +2558,11 @@
|
||||
#
|
||||
template(`userdom_user_home_content_filetrans',`
|
||||
gen_require(`
|
||||
@ -34858,7 +34879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2555,11 +2601,11 @@
|
||||
@@ -2555,11 +2602,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||
gen_require(`
|
||||
@ -34872,7 +34893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2589,11 +2635,11 @@
|
||||
@@ -2589,11 +2636,11 @@
|
||||
#
|
||||
template(`userdom_write_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
@ -34886,7 +34907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2623,11 +2669,11 @@
|
||||
@@ -2623,11 +2670,11 @@
|
||||
#
|
||||
template(`userdom_list_user_tmp',`
|
||||
gen_require(`
|
||||
@ -34900,7 +34921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2659,10 +2705,10 @@
|
||||
@@ -2659,10 +2706,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_tmp',`
|
||||
gen_require(`
|
||||
@ -34913,7 +34934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2694,10 +2740,10 @@
|
||||
@@ -2694,10 +2741,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
@ -34926,7 +34947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2727,12 +2773,12 @@
|
||||
@@ -2727,12 +2774,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34942,7 +34963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2764,10 +2810,10 @@
|
||||
@@ -2764,10 +2811,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34955,7 +34976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2799,10 +2845,10 @@
|
||||
@@ -2799,10 +2846,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_append_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34968,7 +34989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2832,12 +2878,12 @@
|
||||
@@ -2832,12 +2879,12 @@
|
||||
#
|
||||
template(`userdom_rw_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34984,7 +35005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2869,10 +2915,10 @@
|
||||
@@ -2869,10 +2916,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34997,7 +35018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2904,12 +2950,12 @@
|
||||
@@ -2904,12 +2951,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
@ -35013,7 +35034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2941,11 +2987,11 @@
|
||||
@@ -2941,11 +2988,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
@ -35027,7 +35048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2977,11 +3023,11 @@
|
||||
@@ -2977,11 +3024,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -35041,7 +35062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3013,11 +3059,11 @@
|
||||
@@ -3013,11 +3060,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
@ -35055,7 +35076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3049,11 +3095,11 @@
|
||||
@@ -3049,11 +3096,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_pipes',`
|
||||
gen_require(`
|
||||
@ -35069,7 +35090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3085,11 +3131,11 @@
|
||||
@@ -3085,11 +3132,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
@ -35083,7 +35104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3134,10 +3180,10 @@
|
||||
@@ -3134,10 +3181,10 @@
|
||||
#
|
||||
template(`userdom_user_tmp_filetrans',`
|
||||
gen_require(`
|
||||
@ -35096,7 +35117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_tmp($2)
|
||||
')
|
||||
|
||||
@@ -3178,19 +3224,19 @@
|
||||
@@ -3178,19 +3225,19 @@
|
||||
#
|
||||
template(`userdom_tmp_filetrans_user_tmp',`
|
||||
gen_require(`
|
||||
@ -35120,7 +35141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -4616,11 +4662,11 @@
|
||||
@@ -4616,11 +4663,11 @@
|
||||
#
|
||||
interface(`userdom_search_all_users_home_dirs',`
|
||||
gen_require(`
|
||||
@ -35134,7 +35155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4640,6 +4686,14 @@
|
||||
@@ -4640,6 +4687,14 @@
|
||||
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir list_dir_perms;
|
||||
@ -35149,7 +35170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4677,6 +4731,8 @@
|
||||
@@ -4677,6 +4732,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
|
||||
@ -35158,7 +35179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4721,6 +4777,25 @@
|
||||
@@ -4721,6 +4778,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -35184,7 +35205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create, read, write, and delete all files
|
||||
## in all users home directories.
|
||||
## </summary>
|
||||
@@ -4946,7 +5021,7 @@
|
||||
@@ -4946,7 +5022,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -35193,7 +35214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5318,7 +5393,7 @@
|
||||
@@ -5318,7 +5394,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -35202,7 +35223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5326,18 +5401,17 @@
|
||||
@@ -5326,18 +5402,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -35225,7 +35246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5345,17 +5419,17 @@
|
||||
@@ -5345,17 +5420,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -35247,7 +35268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5363,18 +5437,18 @@
|
||||
@@ -5363,18 +5438,18 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -35271,7 +35292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5382,17 +5456,54 @@
|
||||
@@ -5382,17 +5457,54 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -35330,7 +35351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5483,6 +5594,42 @@
|
||||
@@ -5483,6 +5595,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -35373,7 +35394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5513,3 +5660,524 @@
|
||||
@@ -5513,3 +5661,524 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user