- Fix confined users
- Allow xguest to read/write xguest_dbusd_t
This commit is contained in:
parent
812930ae8d
commit
0c5d01932f
@ -557,8 +557,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te
|
||||
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-14 11:58:10.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-28 10:56:19.000000000 -0400
|
||||
@@ -149,6 +149,10 @@
|
||||
+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-29 09:05:23.000000000 -0400
|
||||
@@ -130,6 +130,8 @@
|
||||
files_read_etc_files(ping_t)
|
||||
files_dontaudit_search_var(ping_t)
|
||||
|
||||
+kernel_read_system_state(ping_t)
|
||||
+
|
||||
auth_use_nsswitch(ping_t)
|
||||
|
||||
libs_use_ld_so(ping_t)
|
||||
@@ -149,6 +151,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -6191,6 +6200,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow $1 self:capability sys_chroot;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-29 11:09:14.000000000 -0400
|
||||
@@ -1441,10 +1441,11 @@
|
||||
#
|
||||
interface(`corenet_tcp_bind_all_unreserved_ports',`
|
||||
gen_require(`
|
||||
- attribute port_type, reserved_port_type;
|
||||
+ attribute port_type;
|
||||
+ type hi_reserved_port_t, reserved_port_t;
|
||||
')
|
||||
|
||||
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
|
||||
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1459,10 +1460,11 @@
|
||||
#
|
||||
interface(`corenet_udp_bind_all_unreserved_ports',`
|
||||
gen_require(`
|
||||
- attribute port_type, reserved_port_type;
|
||||
+ attribute port_type;
|
||||
+ type hi_reserved_port_t, reserved_port_t;
|
||||
')
|
||||
|
||||
- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
|
||||
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
|
||||
@ -7495,7 +7535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-29 08:25:22.000000000 -0400
|
||||
@@ -535,6 +535,24 @@
|
||||
|
||||
########################################
|
||||
@ -8816,7 +8856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te
|
||||
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-28 11:25:32.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-10-29 12:00:43.000000000 -0400
|
||||
@@ -15,7 +14,7 @@
|
||||
|
||||
role sysadm_r;
|
||||
@ -8826,6 +8866,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
ifndef(`enable_mls',`
|
||||
userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
|
||||
@@ -109,9 +108,9 @@
|
||||
consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- cron_admin_template(sysadm)
|
||||
-')
|
||||
+#optional_policy(`
|
||||
+# cron_admin_template(sysadm)
|
||||
+#')
|
||||
|
||||
optional_policy(`
|
||||
cvs_exec(sysadm_t)
|
||||
@@ -171,6 +170,10 @@
|
||||
')
|
||||
|
||||
@ -10666,7 +10719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-29 08:27:18.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -10898,7 +10951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -370,20 +440,45 @@
|
||||
@@ -370,20 +440,54 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
@ -10934,6 +10987,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+tunable_policy(`allow_httpd_sys_script_anon_write',`
|
||||
+ miscfiles_manage_public_files(httpd_sys_script_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
||||
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||
@ -10945,7 +11007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
@@ -394,11 +489,12 @@
|
||||
@@ -394,11 +498,12 @@
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
@ -10961,7 +11023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_read_nfs_files(httpd_t)
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
@@ -408,6 +504,11 @@
|
||||
@@ -408,6 +513,11 @@
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -10973,7 +11035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -441,8 +542,13 @@
|
||||
@@ -441,8 +551,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10989,7 +11051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -454,18 +560,13 @@
|
||||
@@ -454,18 +569,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11009,7 +11071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -475,6 +576,12 @@
|
||||
@@ -475,6 +585,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -11022,7 +11084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -482,6 +589,7 @@
|
||||
@@ -482,6 +598,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
@ -11030,7 +11092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -490,6 +598,7 @@
|
||||
@@ -490,6 +607,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11038,7 +11100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -519,9 +628,28 @@
|
||||
@@ -519,9 +637,28 @@
|
||||
logging_send_syslog_msg(httpd_helper_t)
|
||||
|
||||
tunable_policy(`httpd_tty_comm',`
|
||||
@ -11067,7 +11129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -551,22 +679,27 @@
|
||||
@@ -551,22 +688,27 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -11101,7 +11163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -584,12 +717,14 @@
|
||||
@@ -584,12 +726,14 @@
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
@ -11117,7 +11179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -598,9 +733,7 @@
|
||||
@@ -598,9 +742,7 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
@ -11128,7 +11190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -633,12 +766,25 @@
|
||||
@@ -633,12 +775,25 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -11157,7 +11219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -647,6 +793,12 @@
|
||||
@@ -647,6 +802,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -11170,7 +11232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -664,20 +816,20 @@
|
||||
@@ -664,20 +825,20 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -11196,7 +11258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -691,12 +843,15 @@
|
||||
@@ -691,12 +852,15 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -11214,7 +11276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -704,6 +859,30 @@
|
||||
@@ -704,6 +868,30 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -11245,7 +11307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -716,10 +895,10 @@
|
||||
@@ -716,10 +904,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -11260,7 +11322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -727,6 +906,8 @@
|
||||
@@ -727,6 +915,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -11269,7 +11331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -741,3 +922,66 @@
|
||||
@@ -741,3 +931,66 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
@ -12503,7 +12565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
|
||||
--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-29 11:57:59.000000000 -0400
|
||||
@@ -35,39 +35,24 @@
|
||||
#
|
||||
template(`cron_per_role_template',`
|
||||
@ -13762,7 +13824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-29 11:24:31.000000000 -0400
|
||||
@@ -53,19 +53,19 @@
|
||||
gen_require(`
|
||||
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
|
||||
@ -13796,7 +13858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# For connecting to the bus
|
||||
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
||||
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
|
||||
+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
|
||||
+ allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto };
|
||||
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
|
||||
+ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
|
||||
|
||||
@ -16571,7 +16633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te
|
||||
--- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 19:45:12.000000000 -0400
|
||||
@@ -13,6 +13,9 @@
|
||||
type munin_etc_t alias lrrd_etc_t;
|
||||
files_config_file(munin_etc_t)
|
||||
@ -16637,7 +16699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dev_read_urand(munin_t)
|
||||
|
||||
domain_use_interactive_fds(munin_t)
|
||||
+domain_dontaudit_read_all_domains_state(munin_t)
|
||||
+domain_read_all_domains_state(munin_t)
|
||||
|
||||
files_read_etc_files(munin_t)
|
||||
files_read_etc_runtime_files(munin_t)
|
||||
@ -19584,7 +19646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te
|
||||
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-29 10:47:55.000000000 -0400
|
||||
@@ -37,8 +37,8 @@
|
||||
type pppd_etc_rw_t;
|
||||
files_type(pppd_etc_rw_t)
|
||||
@ -19669,7 +19731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
miscfiles_read_localization(pptp_t)
|
||||
|
||||
sysnet_read_config(pptp_t)
|
||||
+sysnet_exec_ifconfig(pppd_t)
|
||||
+sysnet_exec_ifconfig(pptp_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
||||
|
||||
@ -29047,7 +29109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-16 17:21:16.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-28 10:56:19.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-29 09:04:33.000000000 -0400
|
||||
@@ -20,6 +20,9 @@
|
||||
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
||||
role system_r types dhcpc_t;
|
||||
@ -30086,7 +30148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-28 12:38:58.000000000 -0400
|
||||
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 11:53:44.000000000 -0400
|
||||
@@ -28,10 +28,14 @@
|
||||
class context contains;
|
||||
')
|
||||
@ -30696,7 +30758,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
@@ -699,188 +672,206 @@
|
||||
@@ -686,10 +659,6 @@
|
||||
|
||||
userdom_exec_generic_pgms_template($1)
|
||||
|
||||
- optional_policy(`
|
||||
- userdom_xwindows_client_template($1)
|
||||
- ')
|
||||
-
|
||||
##############################
|
||||
#
|
||||
# User domain Local policy
|
||||
@@ -699,188 +668,204 @@
|
||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||
|
||||
@ -30786,10 +30859,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- auth_read_login_records($1_t)
|
||||
- auth_search_pam_console_data($1_t)
|
||||
+ auth_read_login_records($1_usertype)
|
||||
+ auth_search_pam_console_data($1_usertype)
|
||||
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
+ authlogin_per_role_template($1, $1_t, $1_r)
|
||||
|
||||
- init_read_utmp($1_t)
|
||||
+ init_read_utmp($1_usertype)
|
||||
@ -30983,7 +31054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -902,9 +893,7 @@
|
||||
@@ -902,9 +887,7 @@
|
||||
## </param>
|
||||
#
|
||||
template(`userdom_login_user_template', `
|
||||
@ -30994,7 +31065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_base_user_template($1)
|
||||
|
||||
@@ -930,74 +919,77 @@
|
||||
@@ -930,74 +913,77 @@
|
||||
|
||||
allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
||||
dontaudit $1_t self:process setrlimit;
|
||||
@ -31105,7 +31176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1031,9 +1023,6 @@
|
||||
@@ -1031,9 +1017,6 @@
|
||||
domain_interactive_fd($1_t)
|
||||
|
||||
typeattribute $1_devpts_t user_ptynode;
|
||||
@ -31115,7 +31186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
typeattribute $1_tty_device_t user_ttynode;
|
||||
|
||||
##############################
|
||||
@@ -1042,12 +1031,25 @@
|
||||
@@ -1042,12 +1025,25 @@
|
||||
#
|
||||
|
||||
# privileged home directory writers
|
||||
@ -31147,7 +31218,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||
@@ -1087,14 +1089,16 @@
|
||||
@@ -1079,7 +1075,9 @@
|
||||
|
||||
userdom_restricted_user_template($1)
|
||||
|
||||
+ optional_policy(`
|
||||
userdom_xwindows_client_template($1)
|
||||
+ ')
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -1087,14 +1085,16 @@
|
||||
#
|
||||
|
||||
authlogin_per_role_template($1, $1_t, $1_r)
|
||||
@ -31169,23 +31250,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_dontaudit_send_audit_msgs($1_t)
|
||||
|
||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||
@@ -1102,28 +1106,19 @@
|
||||
@@ -1102,28 +1102,19 @@
|
||||
selinux_get_enforce_mode($1_t)
|
||||
|
||||
optional_policy(`
|
||||
- alsa_read_rw_config($1_t)
|
||||
+ alsa_read_rw_config($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
- dbus_per_role_template($1, $1_t, $1_r)
|
||||
- dbus_system_bus_client_template($1, $1_t)
|
||||
-
|
||||
- optional_policy(`
|
||||
- consolekit_dbus_chat($1_t)
|
||||
- ')
|
||||
-
|
||||
- optional_policy(`
|
||||
+ alsa_read_rw_config($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- cups_dbus_chat($1_t)
|
||||
- ')
|
||||
+ apache_per_role_template($1, $1_usertype, $1_r)
|
||||
@ -31202,7 +31283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1134,8 +1129,7 @@
|
||||
@@ -1134,8 +1125,7 @@
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -31212,17 +31293,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </p>
|
||||
## <p>
|
||||
## This template creates a user domain, types, and
|
||||
@@ -1157,8 +1151,8 @@
|
||||
@@ -1157,8 +1147,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
+ userdom_login_user_template($1)
|
||||
+ userdom_restricted_xwindows_user_template($1)
|
||||
# Inherit rules for ordinary users.
|
||||
- userdom_restricted_user_template($1)
|
||||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -1167,11 +1161,10 @@
|
||||
@@ -1167,11 +1157,10 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
@ -31235,7 +31316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -1189,36 +1182,41 @@
|
||||
@@ -1189,36 +1178,41 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -31290,7 +31371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1263,8 +1261,7 @@
|
||||
@@ -1263,8 +1257,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
@ -31300,7 +31381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
typeattribute $1_t privhome;
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
@@ -1295,8 +1292,6 @@
|
||||
@@ -1295,8 +1288,6 @@
|
||||
# Manipulate other users crontab.
|
||||
allow $1_t self:passwd crontab;
|
||||
|
||||
@ -31309,7 +31390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
@@ -1318,8 +1313,6 @@
|
||||
@@ -1318,8 +1309,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
@ -31318,7 +31399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1374,13 +1367,6 @@
|
||||
@@ -1374,13 +1363,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -31332,7 +31413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1432,6 +1418,7 @@
|
||||
@@ -1432,6 +1414,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -31340,7 +31421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1461,10 +1448,6 @@
|
||||
@@ -1461,10 +1444,6 @@
|
||||
seutil_run_semanage($1,$2,$3)
|
||||
seutil_run_setfiles($1, $2, $3)
|
||||
|
||||
@ -31351,7 +31432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
aide_run($1,$2, $3)
|
||||
')
|
||||
@@ -1484,6 +1467,14 @@
|
||||
@@ -1484,6 +1463,14 @@
|
||||
optional_policy(`
|
||||
netlabel_run_mgmt($1,$2, $3)
|
||||
')
|
||||
@ -31366,7 +31447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1741,11 +1732,15 @@
|
||||
@@ -1741,11 +1728,15 @@
|
||||
#
|
||||
template(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
@ -31385,7 +31466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1841,11 +1836,11 @@
|
||||
@@ -1841,11 +1832,11 @@
|
||||
#
|
||||
template(`userdom_search_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -31399,7 +31480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1875,11 +1870,11 @@
|
||||
@@ -1875,11 +1866,11 @@
|
||||
#
|
||||
template(`userdom_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -31413,7 +31494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1923,12 +1918,12 @@
|
||||
@@ -1923,12 +1914,12 @@
|
||||
#
|
||||
template(`userdom_user_home_domtrans',`
|
||||
gen_require(`
|
||||
@ -31429,7 +31510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1958,10 +1953,11 @@
|
||||
@@ -1958,10 +1949,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -31443,7 +31524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1993,11 +1989,47 @@
|
||||
@@ -1993,11 +1985,47 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -31493,7 +31574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2029,10 +2061,10 @@
|
||||
@@ -2029,10 +2057,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -31506,7 +31587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2062,11 +2094,11 @@
|
||||
@@ -2062,11 +2090,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -31520,7 +31601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2096,11 +2128,11 @@
|
||||
@@ -2096,11 +2124,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -31535,7 +31616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2130,10 +2162,14 @@
|
||||
@@ -2130,10 +2158,14 @@
|
||||
#
|
||||
template(`userdom_dontaudit_write_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -31552,7 +31633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2163,11 +2199,11 @@
|
||||
@@ -2163,11 +2195,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
@ -31566,7 +31647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2197,11 +2233,11 @@
|
||||
@@ -2197,11 +2229,11 @@
|
||||
#
|
||||
template(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -31580,7 +31661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2231,10 +2267,10 @@
|
||||
@@ -2231,10 +2263,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -31593,7 +31674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2266,12 +2302,12 @@
|
||||
@@ -2266,12 +2298,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -31609,7 +31690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2303,10 +2339,10 @@
|
||||
@@ -2303,10 +2335,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -31622,7 +31703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2338,12 +2374,12 @@
|
||||
@@ -2338,12 +2370,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
@ -31638,7 +31719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2375,12 +2411,12 @@
|
||||
@@ -2375,12 +2407,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_pipes',`
|
||||
gen_require(`
|
||||
@ -31654,7 +31735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2412,12 +2448,12 @@
|
||||
@@ -2412,12 +2444,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_sockets',`
|
||||
gen_require(`
|
||||
@ -31670,7 +31751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2462,11 +2498,11 @@
|
||||
@@ -2462,11 +2494,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
@ -31684,7 +31765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2511,11 +2547,11 @@
|
||||
@@ -2511,11 +2543,11 @@
|
||||
#
|
||||
template(`userdom_user_home_content_filetrans',`
|
||||
gen_require(`
|
||||
@ -31698,7 +31779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2555,11 +2591,11 @@
|
||||
@@ -2555,11 +2587,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||
gen_require(`
|
||||
@ -31712,7 +31793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2589,11 +2625,11 @@
|
||||
@@ -2589,11 +2621,11 @@
|
||||
#
|
||||
template(`userdom_write_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
@ -31726,7 +31807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2623,11 +2659,11 @@
|
||||
@@ -2623,11 +2655,11 @@
|
||||
#
|
||||
template(`userdom_list_user_tmp',`
|
||||
gen_require(`
|
||||
@ -31740,7 +31821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2659,10 +2695,10 @@
|
||||
@@ -2659,10 +2691,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_tmp',`
|
||||
gen_require(`
|
||||
@ -31753,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2694,10 +2730,10 @@
|
||||
@@ -2694,10 +2726,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
@ -31766,7 +31847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2727,12 +2763,12 @@
|
||||
@@ -2727,12 +2759,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -31782,7 +31863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2764,10 +2800,10 @@
|
||||
@@ -2764,10 +2796,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -31795,7 +31876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2799,10 +2835,10 @@
|
||||
@@ -2799,10 +2831,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_append_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -31808,7 +31889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2832,12 +2868,12 @@
|
||||
@@ -2832,12 +2864,12 @@
|
||||
#
|
||||
template(`userdom_rw_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -31824,7 +31905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2869,10 +2905,10 @@
|
||||
@@ -2869,10 +2901,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -31837,7 +31918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2904,12 +2940,12 @@
|
||||
@@ -2904,12 +2936,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
@ -31853,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2941,11 +2977,11 @@
|
||||
@@ -2941,11 +2973,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
@ -31867,7 +31948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2977,11 +3013,11 @@
|
||||
@@ -2977,11 +3009,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -31881,7 +31962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3013,11 +3049,11 @@
|
||||
@@ -3013,11 +3045,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
@ -31895,7 +31976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3049,11 +3085,11 @@
|
||||
@@ -3049,11 +3081,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_pipes',`
|
||||
gen_require(`
|
||||
@ -31909,7 +31990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3085,11 +3121,11 @@
|
||||
@@ -3085,11 +3117,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
@ -31923,7 +32004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3134,10 +3170,10 @@
|
||||
@@ -3134,10 +3166,10 @@
|
||||
#
|
||||
template(`userdom_user_tmp_filetrans',`
|
||||
gen_require(`
|
||||
@ -31936,7 +32017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_tmp($2)
|
||||
')
|
||||
|
||||
@@ -3178,19 +3214,19 @@
|
||||
@@ -3178,19 +3210,19 @@
|
||||
#
|
||||
template(`userdom_tmp_filetrans_user_tmp',`
|
||||
gen_require(`
|
||||
@ -31960,7 +32041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -3211,13 +3247,13 @@
|
||||
@@ -3211,13 +3243,13 @@
|
||||
#
|
||||
template(`userdom_rw_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
@ -31978,7 +32059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4616,11 +4652,11 @@
|
||||
@@ -4616,11 +4648,11 @@
|
||||
#
|
||||
interface(`userdom_search_all_users_home_dirs',`
|
||||
gen_require(`
|
||||
@ -31992,7 +32073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4640,6 +4676,14 @@
|
||||
@@ -4640,6 +4672,14 @@
|
||||
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir list_dir_perms;
|
||||
@ -32007,7 +32088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4677,6 +4721,8 @@
|
||||
@@ -4677,6 +4717,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
|
||||
@ -32016,7 +32097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4721,6 +4767,25 @@
|
||||
@@ -4721,6 +4763,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32042,7 +32123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create, read, write, and delete all files
|
||||
## in all users home directories.
|
||||
## </summary>
|
||||
@@ -4946,7 +5011,7 @@
|
||||
@@ -4946,7 +5007,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32051,7 +32132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5318,7 +5383,7 @@
|
||||
@@ -5318,7 +5379,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32060,7 +32141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5326,18 +5391,17 @@
|
||||
@@ -5326,18 +5387,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -32083,7 +32164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5345,17 +5409,17 @@
|
||||
@@ -5345,17 +5405,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -32105,7 +32186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5363,18 +5427,18 @@
|
||||
@@ -5363,18 +5423,18 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -32129,18 +32210,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5382,12 +5446,49 @@
|
||||
@@ -5382,7 +5442,44 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_getattr_all_users',`
|
||||
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
|
||||
gen_require(`
|
||||
- attribute userdomain;
|
||||
+ gen_require(`
|
||||
+ attribute user_ttynode;
|
||||
')
|
||||
|
||||
- allow $1 userdomain:process getattr;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
+')
|
||||
+
|
||||
@ -32174,15 +32253,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_getattr_all_users',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:process getattr;
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5483,6 +5584,42 @@
|
||||
@@ -5483,6 +5580,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32225,7 +32299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5513,3 +5650,548 @@
|
||||
@@ -5513,3 +5646,546 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
@ -32593,9 +32667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+#
|
||||
+template(`userdom_admin_login_user_template',`
|
||||
+
|
||||
+ userdom_login_user_template($1)
|
||||
+
|
||||
+ allow $1_t self:capability sys_nice;
|
||||
+ userdom_unpriv_user_template($1)
|
||||
+
|
||||
+ domain_read_all_domains_state($1_t)
|
||||
+ domain_getattr_all_domains($1_t)
|
||||
|
Loading…
Reference in New Issue
Block a user