- Fix confined users

- Allow xguest to read/write xguest_dbusd_t
This commit is contained in:
Daniel J Walsh 2008-10-29 17:03:57 +00:00
parent 812930ae8d
commit 0c5d01932f

View File

@ -557,8 +557,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-14 11:58:10.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-28 10:56:19.000000000 -0400
@@ -149,6 +149,10 @@
+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-29 09:05:23.000000000 -0400
@@ -130,6 +130,8 @@
files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
+kernel_read_system_state(ping_t)
+
auth_use_nsswitch(ping_t)
libs_use_ld_so(ping_t)
@@ -149,6 +151,10 @@
')
optional_policy(`
@ -6191,6 +6200,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 self:capability sys_chroot;
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-29 11:09:14.000000000 -0400
@@ -1441,10 +1441,11 @@
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute port_type;
+ type hi_reserved_port_t, reserved_port_t;
')
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
')
########################################
@@ -1459,10 +1460,11 @@
#
interface(`corenet_udp_bind_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute port_type;
+ type hi_reserved_port_t, reserved_port_t;
')
- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
@ -7495,7 +7535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-29 08:25:22.000000000 -0400
@@ -535,6 +535,24 @@
########################################
@ -8816,7 +8856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-28 11:25:32.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-29 12:00:43.000000000 -0400
@@ -15,7 +14,7 @@
role sysadm_r;
@ -8826,6 +8866,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
@@ -109,9 +108,9 @@
consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
')
-optional_policy(`
- cron_admin_template(sysadm)
-')
+#optional_policy(`
+# cron_admin_template(sysadm)
+#')
optional_policy(`
cvs_exec(sysadm_t)
@@ -171,6 +170,10 @@
')
@ -10666,7 +10719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-29 08:27:18.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@ -10898,7 +10951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -370,20 +440,45 @@
@@ -370,20 +440,54 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@ -10934,6 +10987,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@ -10945,7 +11007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -394,11 +489,12 @@
@@ -394,11 +498,12 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@ -10961,7 +11023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
@@ -408,6 +504,11 @@
@@ -408,6 +513,11 @@
fs_read_cifs_symlinks(httpd_t)
')
@ -10973,7 +11035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -441,8 +542,13 @@
@@ -441,8 +551,13 @@
')
optional_policy(`
@ -10989,7 +11051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -454,18 +560,13 @@
@@ -454,18 +569,13 @@
')
optional_policy(`
@ -11009,7 +11071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -475,6 +576,12 @@
@@ -475,6 +585,12 @@
openca_kill(httpd_t)
')
@ -11022,7 +11084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
@@ -482,6 +589,7 @@
@@ -482,6 +598,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
@ -11030,7 +11092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -490,6 +598,7 @@
@@ -490,6 +607,7 @@
')
optional_policy(`
@ -11038,7 +11100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -519,9 +628,28 @@
@@ -519,9 +637,28 @@
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
@ -11067,7 +11129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
@@ -551,22 +679,27 @@
@@ -551,22 +688,27 @@
fs_search_auto_mountpoints(httpd_php_t)
@ -11101,7 +11163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -584,12 +717,14 @@
@@ -584,12 +726,14 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@ -11117,7 +11179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@@ -598,9 +733,7 @@
@@ -598,9 +742,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@ -11128,7 +11190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -633,12 +766,25 @@
@@ -633,12 +775,25 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@ -11157,7 +11219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -647,6 +793,12 @@
@@ -647,6 +802,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@ -11170,7 +11232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
@@ -664,20 +816,20 @@
@@ -664,20 +825,20 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@ -11196,7 +11258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -691,12 +843,15 @@
@@ -691,12 +852,15 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -11214,7 +11276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -704,6 +859,30 @@
@@ -704,6 +868,30 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@ -11245,7 +11307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -716,10 +895,10 @@
@@ -716,10 +904,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@ -11260,7 +11322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -727,6 +906,8 @@
@@ -727,6 +915,8 @@
# httpd_rotatelogs local policy
#
@ -11269,7 +11331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@@ -741,3 +922,66 @@
@@ -741,3 +931,66 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@ -12503,7 +12565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-29 11:57:59.000000000 -0400
@@ -35,39 +35,24 @@
#
template(`cron_per_role_template',`
@ -13762,7 +13824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-29 11:24:31.000000000 -0400
@@ -53,19 +53,19 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -13796,7 +13858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# For connecting to the bus
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
+ allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto };
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
+ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
@ -16571,7 +16633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 19:45:12.000000000 -0400
@@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)
@ -16637,7 +16699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand(munin_t)
domain_use_interactive_fds(munin_t)
+domain_dontaudit_read_all_domains_state(munin_t)
+domain_read_all_domains_state(munin_t)
files_read_etc_files(munin_t)
files_read_etc_runtime_files(munin_t)
@ -19584,7 +19646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-29 10:47:55.000000000 -0400
@@ -37,8 +37,8 @@
type pppd_etc_rw_t;
files_type(pppd_etc_rw_t)
@ -19669,7 +19731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(pptp_t)
sysnet_read_config(pptp_t)
+sysnet_exec_ifconfig(pppd_t)
+sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@ -29047,7 +29109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-29 09:04:33.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@ -30086,7 +30148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-28 12:38:58.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 11:53:44.000000000 -0400
@@ -28,10 +28,14 @@
class context contains;
')
@ -30696,7 +30758,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
@@ -699,188 +672,206 @@
@@ -686,10 +659,6 @@
userdom_exec_generic_pgms_template($1)
- optional_policy(`
- userdom_xwindows_client_template($1)
- ')
-
##############################
#
# User domain Local policy
@@ -699,188 +668,204 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -30786,10 +30859,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- auth_read_login_records($1_t)
- auth_search_pam_console_data($1_t)
+ auth_read_login_records($1_usertype)
+ auth_search_pam_console_data($1_usertype)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ authlogin_per_role_template($1, $1_t, $1_r)
- init_read_utmp($1_t)
+ init_read_utmp($1_usertype)
@ -30983,7 +31054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -902,9 +893,7 @@
@@ -902,9 +887,7 @@
## </param>
#
template(`userdom_login_user_template', `
@ -30994,7 +31065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_base_user_template($1)
@@ -930,74 +919,77 @@
@@ -930,74 +913,77 @@
allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
@ -31105,7 +31176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -1031,9 +1023,6 @@
@@ -1031,9 +1017,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@ -31115,7 +31186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typeattribute $1_tty_device_t user_ttynode;
##############################
@@ -1042,12 +1031,25 @@
@@ -1042,12 +1025,25 @@
#
# privileged home directory writers
@ -31147,7 +31218,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
@@ -1087,14 +1089,16 @@
@@ -1079,7 +1075,9 @@
userdom_restricted_user_template($1)
+ optional_policy(`
userdom_xwindows_client_template($1)
+ ')
##############################
#
@@ -1087,14 +1085,16 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@ -31169,23 +31250,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -1102,28 +1106,19 @@
@@ -1102,28 +1102,19 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
')
optional_policy(`
- ')
-
- optional_policy(`
- dbus_per_role_template($1, $1_t, $1_r)
- dbus_system_bus_client_template($1, $1_t)
-
- optional_policy(`
- consolekit_dbus_chat($1_t)
- ')
-
- optional_policy(`
+ alsa_read_rw_config($1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
- ')
+ apache_per_role_template($1, $1_usertype, $1_r)
@ -31202,7 +31283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -1134,8 +1129,7 @@
@@ -1134,8 +1125,7 @@
## </summary>
## <desc>
## <p>
@ -31212,17 +31293,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </p>
## <p>
## This template creates a user domain, types, and
@@ -1157,8 +1151,8 @@
@@ -1157,8 +1147,8 @@
# Declarations
#
+ userdom_login_user_template($1)
+ userdom_restricted_xwindows_user_template($1)
# Inherit rules for ordinary users.
- userdom_restricted_user_template($1)
userdom_common_user_template($1)
##############################
@@ -1167,11 +1161,10 @@
@@ -1167,11 +1157,10 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -31235,7 +31316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
@@ -1189,36 +1182,41 @@
@@ -1189,36 +1178,41 @@
')
')
@ -31290,7 +31371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -1263,8 +1261,7 @@
@@ -1263,8 +1257,7 @@
#
# Inherit rules for ordinary users.
@ -31300,7 +31381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
@@ -1295,8 +1292,6 @@
@@ -1295,8 +1288,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@ -31309,7 +31390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -1318,8 +1313,6 @@
@@ -1318,8 +1309,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@ -31318,7 +31399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
@@ -1374,13 +1367,6 @@
@@ -1374,13 +1363,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -31332,7 +31413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1432,6 +1418,7 @@
@@ -1432,6 +1414,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -31340,7 +31421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1461,10 +1448,6 @@
@@ -1461,10 +1444,6 @@
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
@ -31351,7 +31432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
aide_run($1,$2, $3)
')
@@ -1484,6 +1467,14 @@
@@ -1484,6 +1463,14 @@
optional_policy(`
netlabel_run_mgmt($1,$2, $3)
')
@ -31366,7 +31447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1741,11 +1732,15 @@
@@ -1741,11 +1728,15 @@
#
template(`userdom_user_home_content',`
gen_require(`
@ -31385,7 +31466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1841,11 +1836,11 @@
@@ -1841,11 +1832,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@ -31399,7 +31480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1875,11 +1870,11 @@
@@ -1875,11 +1866,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@ -31413,7 +31494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1923,12 +1918,12 @@
@@ -1923,12 +1914,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@ -31429,7 +31510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1958,10 +1953,11 @@
@@ -1958,10 +1949,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@ -31443,7 +31524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1993,11 +1989,47 @@
@@ -1993,11 +1985,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@ -31493,7 +31574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2029,10 +2061,10 @@
@@ -2029,10 +2057,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@ -31506,7 +31587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2062,11 +2094,11 @@
@@ -2062,11 +2090,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@ -31520,7 +31601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2096,11 +2128,11 @@
@@ -2096,11 +2124,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@ -31535,7 +31616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2130,10 +2162,14 @@
@@ -2130,10 +2158,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@ -31552,7 +31633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2163,11 +2199,11 @@
@@ -2163,11 +2195,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@ -31566,7 +31647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2197,11 +2233,11 @@
@@ -2197,11 +2229,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@ -31580,7 +31661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2231,10 +2267,10 @@
@@ -2231,10 +2263,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@ -31593,7 +31674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2266,12 +2302,12 @@
@@ -2266,12 +2298,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@ -31609,7 +31690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2303,10 +2339,10 @@
@@ -2303,10 +2335,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@ -31622,7 +31703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2338,12 +2374,12 @@
@@ -2338,12 +2370,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@ -31638,7 +31719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2375,12 +2411,12 @@
@@ -2375,12 +2407,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@ -31654,7 +31735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2412,12 +2448,12 @@
@@ -2412,12 +2444,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@ -31670,7 +31751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2462,11 +2498,11 @@
@@ -2462,11 +2494,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@ -31684,7 +31765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2511,11 +2547,11 @@
@@ -2511,11 +2543,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@ -31698,7 +31779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2555,11 +2591,11 @@
@@ -2555,11 +2587,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@ -31712,7 +31793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2589,11 +2625,11 @@
@@ -2589,11 +2621,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@ -31726,7 +31807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2623,11 +2659,11 @@
@@ -2623,11 +2655,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@ -31740,7 +31821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2659,10 +2695,10 @@
@@ -2659,10 +2691,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@ -31753,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2694,10 +2730,10 @@
@@ -2694,10 +2726,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@ -31766,7 +31847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2727,12 +2763,12 @@
@@ -2727,12 +2759,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@ -31782,7 +31863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2764,10 +2800,10 @@
@@ -2764,10 +2796,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@ -31795,7 +31876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2799,10 +2835,10 @@
@@ -2799,10 +2831,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@ -31808,7 +31889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2832,12 +2868,12 @@
@@ -2832,12 +2864,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@ -31824,7 +31905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2869,10 +2905,10 @@
@@ -2869,10 +2901,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@ -31837,7 +31918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2904,12 +2940,12 @@
@@ -2904,12 +2936,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@ -31853,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2941,11 +2977,11 @@
@@ -2941,11 +2973,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@ -31867,7 +31948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2977,11 +3013,11 @@
@@ -2977,11 +3009,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@ -31881,7 +31962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3013,11 +3049,11 @@
@@ -3013,11 +3045,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@ -31895,7 +31976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3049,11 +3085,11 @@
@@ -3049,11 +3081,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@ -31909,7 +31990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3085,11 +3121,11 @@
@@ -3085,11 +3117,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@ -31923,7 +32004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3134,10 +3170,10 @@
@@ -3134,10 +3166,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@ -31936,7 +32017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_tmp($2)
')
@@ -3178,19 +3214,19 @@
@@ -3178,19 +3210,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@ -31960,7 +32041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </p>
## <p>
## This is a templated interface, and should only
@@ -3211,13 +3247,13 @@
@@ -3211,13 +3243,13 @@
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
@ -31978,7 +32059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4616,11 +4652,11 @@
@@ -4616,11 +4648,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@ -31992,7 +32073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4640,6 +4676,14 @@
@@ -4640,6 +4672,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@ -32007,7 +32088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4677,6 +4721,8 @@
@@ -4677,6 +4717,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@ -32016,7 +32097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4721,6 +4767,25 @@
@@ -4721,6 +4763,25 @@
########################################
## <summary>
@ -32042,7 +32123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
@@ -4946,7 +5011,7 @@
@@ -4946,7 +5007,7 @@
########################################
## <summary>
@ -32051,7 +32132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5318,7 +5383,7 @@
@@ -5318,7 +5379,7 @@
########################################
## <summary>
@ -32060,7 +32141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5326,18 +5391,17 @@
@@ -5326,18 +5387,17 @@
## </summary>
## </param>
#
@ -32083,7 +32164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5345,17 +5409,17 @@
@@ -5345,17 +5405,17 @@
## </summary>
## </param>
#
@ -32105,7 +32186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5363,18 +5427,18 @@
@@ -5363,18 +5423,18 @@
## </summary>
## </param>
#
@ -32129,18 +32210,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5382,12 +5446,49 @@
@@ -5382,7 +5442,44 @@
## </summary>
## </param>
#
-interface(`userdom_getattr_all_users',`
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
gen_require(`
- attribute userdomain;
+ gen_require(`
+ attribute user_ttynode;
')
- allow $1 userdomain:process getattr;
+ ')
+
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
+')
+
@ -32174,15 +32253,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </param>
+#
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process getattr;
gen_require(`
attribute userdomain;
')
########################################
@@ -5483,6 +5584,42 @@
@@ -5483,6 +5580,42 @@
########################################
## <summary>
@ -32225,7 +32299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
@@ -5513,3 +5650,548 @@
@@ -5513,3 +5646,546 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@ -32593,9 +32667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+template(`userdom_admin_login_user_template',`
+
+ userdom_login_user_template($1)
+
+ allow $1_t self:capability sys_nice;
+ userdom_unpriv_user_template($1)
+
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)