rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Fix confined users

Browse Source 
- Allow xguest to read/write xguest_dbusd_t
This commit is contained in:
Daniel J Walsh 2008-10-29 20:45:55 +00:00
parent e704a148fe
commit 1bc89b8d4c
2 changed files with 86 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

163
policy-20080710.patch
View File

@ -30167,7 +30167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 11:53:44.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 16:35:07.000000000 -0400
@@ -28,10 +28,14 @@
class context contains;
')
@ -30788,7 +30788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# User domain Local policy
@@ -699,188 +668,204 @@
@@ -699,188 +668,199 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -30847,11 +30847,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_usertype)
+ fs_manage_noxattr_fs_dirs($1_usertype)
+ ')
+
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
@ -31073,7 +31068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -902,9 +887,7 @@
@@ -902,9 +882,7 @@
## </param>
#
template(`userdom_login_user_template', `
@ -31084,7 +31079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_base_user_template($1)
@@ -930,74 +913,77 @@
@@ -930,74 +908,77 @@
allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
@ -31195,7 +31190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -1031,9 +1017,6 @@
@@ -1031,9 +1012,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@ -31205,7 +31200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typeattribute $1_tty_device_t user_ttynode;
##############################
@@ -1042,12 +1025,25 @@
@@ -1042,12 +1020,32 @@
#
# privileged home directory writers
@ -31222,6 +31217,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_fifo_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t)
+ filetrans_pattern(privhome, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_usertype)
+ fs_manage_noxattr_fs_dirs($1_usertype)
+ fs_manage_dos_dirs($1_usertype)
+ fs_manage_dos_files($1_usertype)
+ ')
+
+ optional_policy(`
+ dbus_per_role_template($1, $1_usertype, $1_r)
+ dbus_system_bus_client_template($1, $1_usertype)
@ -31237,7 +31239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
@@ -1079,7 +1075,9 @@
@@ -1079,7 +1077,9 @@
userdom_restricted_user_template($1)
@ -31247,7 +31249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
@@ -1087,14 +1085,16 @@
@@ -1087,14 +1087,16 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@ -31269,7 +31271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -1102,28 +1102,19 @@
@@ -1102,28 +1104,19 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@ -31302,7 +31304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -1134,8 +1125,7 @@
@@ -1134,8 +1127,7 @@
## </summary>
## <desc>
## <p>
@ -31312,7 +31314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </p>
## <p>
## This template creates a user domain, types, and
@@ -1157,8 +1147,8 @@
@@ -1157,8 +1149,8 @@
# Declarations
#
@ -31322,7 +31324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
@@ -1167,11 +1157,10 @@
@@ -1167,11 +1159,10 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -31335,7 +31337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
@@ -1189,36 +1178,41 @@
@@ -1189,36 +1180,41 @@
')
')
@ -31390,7 +31392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -1263,8 +1257,7 @@
@@ -1263,8 +1259,7 @@
#
# Inherit rules for ordinary users.
@ -31400,7 +31402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
@@ -1295,8 +1288,6 @@
@@ -1295,8 +1290,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@ -31409,7 +31411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -1318,8 +1309,6 @@
@@ -1318,8 +1311,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@ -31418,7 +31420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
@@ -1374,13 +1363,6 @@
@@ -1374,13 +1365,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -31432,7 +31434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1432,6 +1414,7 @@
@@ -1432,6 +1416,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -31440,7 +31442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1461,10 +1444,6 @@
@@ -1461,10 +1446,6 @@
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
@ -31451,7 +31453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
aide_run($1,$2, $3)
')
@@ -1484,6 +1463,14 @@
@@ -1484,6 +1465,14 @@
optional_policy(`
netlabel_run_mgmt($1,$2, $3)
')
@ -31466,7 +31468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1741,11 +1728,15 @@
@@ -1741,11 +1730,15 @@
#
template(`userdom_user_home_content',`
gen_require(`
@ -31485,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1841,11 +1832,11 @@
@@ -1841,11 +1834,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@ -31499,7 +31501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1875,11 +1866,11 @@
@@ -1875,11 +1868,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@ -31513,7 +31515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1923,12 +1914,12 @@
@@ -1923,12 +1916,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@ -31529,7 +31531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1958,10 +1949,11 @@
@@ -1958,10 +1951,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@ -31543,7 +31545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1993,11 +1985,47 @@
@@ -1993,11 +1987,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@ -31593,7 +31595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2029,10 +2057,10 @@
@@ -2029,10 +2059,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@ -31606,7 +31608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2062,11 +2090,11 @@
@@ -2062,11 +2092,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@ -31620,7 +31622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2096,11 +2124,11 @@
@@ -2096,11 +2126,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@ -31635,7 +31637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2130,10 +2158,14 @@
@@ -2130,10 +2160,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@ -31652,7 +31654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2163,11 +2195,11 @@
@@ -2163,11 +2197,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@ -31666,7 +31668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2197,11 +2229,11 @@
@@ -2197,11 +2231,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@ -31680,7 +31682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2231,10 +2263,10 @@
@@ -2231,10 +2265,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@ -31693,7 +31695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2266,12 +2298,12 @@
@@ -2266,12 +2300,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@ -31709,7 +31711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2303,10 +2335,10 @@
@@ -2303,10 +2337,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@ -31722,7 +31724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2338,12 +2370,12 @@
@@ -2338,12 +2372,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@ -31738,7 +31740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2375,12 +2407,12 @@
@@ -2375,12 +2409,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@ -31754,7 +31756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2412,12 +2444,12 @@
@@ -2412,12 +2446,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@ -31770,7 +31772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2462,11 +2494,11 @@
@@ -2462,11 +2496,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@ -31784,7 +31786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2511,11 +2543,11 @@
@@ -2511,11 +2545,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@ -31798,7 +31800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2555,11 +2587,11 @@
@@ -2555,11 +2589,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@ -31812,7 +31814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2589,11 +2621,11 @@
@@ -2589,11 +2623,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@ -31826,7 +31828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2623,11 +2655,11 @@
@@ -2623,11 +2657,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@ -31840,7 +31842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2659,10 +2691,10 @@
@@ -2659,10 +2693,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@ -31853,7 +31855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2694,10 +2726,10 @@
@@ -2694,10 +2728,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@ -31866,7 +31868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2727,12 +2759,12 @@
@@ -2727,12 +2761,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@ -31882,7 +31884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2764,10 +2796,10 @@
@@ -2764,10 +2798,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@ -31895,7 +31897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2799,10 +2831,10 @@
@@ -2799,10 +2833,10 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@ -31908,7 +31910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2832,12 +2864,12 @@
@@ -2832,12 +2866,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@ -31924,7 +31926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2869,10 +2901,10 @@
@@ -2869,10 +2903,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@ -31937,7 +31939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2904,12 +2936,12 @@
@@ -2904,12 +2938,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@ -31953,7 +31955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2941,11 +2973,11 @@
@@ -2941,11 +2975,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@ -31967,7 +31969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2977,11 +3009,11 @@
@@ -2977,11 +3011,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@ -31981,7 +31983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3013,11 +3045,11 @@
@@ -3013,11 +3047,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@ -31995,7 +31997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3049,11 +3081,11 @@
@@ -3049,11 +3083,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@ -32009,7 +32011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3085,11 +3117,11 @@
@@ -3085,11 +3119,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@ -32023,7 +32025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3134,10 +3166,10 @@
@@ -3134,10 +3168,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@ -32036,7 +32038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_tmp($2)
')
@@ -3178,19 +3210,19 @@
@@ -3178,19 +3212,19 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@ -32060,7 +32062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </p>
## <p>
## This is a templated interface, and should only
@@ -3211,13 +3243,13 @@
@@ -3211,13 +3245,13 @@
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
@ -32078,7 +32080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4616,11 +4648,11 @@
@@ -4616,11 +4650,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@ -32092,7 +32094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4640,6 +4672,14 @@
@@ -4640,6 +4674,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@ -32107,7 +32109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4677,6 +4717,8 @@
@@ -4677,6 +4719,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@ -32116,7 +32118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -4721,6 +4763,25 @@
@@ -4721,6 +4765,25 @@
########################################
## <summary>
@ -32142,7 +32144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
@@ -4946,7 +5007,7 @@
@@ -4946,7 +5009,7 @@
########################################
## <summary>
@ -32151,7 +32153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5318,7 +5379,7 @@
@@ -5318,7 +5381,7 @@
########################################
## <summary>
@ -32160,7 +32162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5326,18 +5387,17 @@
@@ -5326,18 +5389,17 @@
## </summary>
## </param>
#
@ -32183,7 +32185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5345,17 +5405,17 @@
@@ -5345,17 +5407,17 @@
## </summary>
## </param>
#
@ -32205,7 +32207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5363,18 +5423,18 @@
@@ -5363,18 +5425,18 @@
## </summary>
## </param>
#
@ -32229,13 +32231,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -5382,7 +5442,44 @@
@@ -5382,9 +5444,46 @@
## </summary>
## </param>
#
-interface(`userdom_getattr_all_users',`
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+ gen_require(`
gen_require(`
- attribute userdomain;
+ attribute user_ttynode;
+ ')
+
@ -32272,10 +32275,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </param>
+#
+interface(`userdom_getattr_all_users',`
gen_require(`
attribute userdomain;
+ gen_require(`
+ attribute userdomain;
')
@@ -5483,6 +5580,42 @@
allow $1 userdomain:process getattr;
@@ -5483,6 +5582,42 @@
########################################
## <summary>
@ -32318,7 +32323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
@@ -5513,3 +5646,546 @@
@@ -5513,3 +5648,546 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')

4
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
Release: 10%{?dist}
Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -457,7 +457,7 @@ exit 0
%endif
%changelog
* Wed Oct 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-10
* Wed Oct 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-11
- Fix confined users
- Allow xguest to read/write xguest_dbusd_t