From 2d175266814b1b57ace7378abd816ddbaad490d6 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 29 Aug 2008 18:58:58 +0000 Subject: [PATCH] - Update to upstream - Fix crontab use by unconfined user --- policy-20080710.patch | 858 +++++++++++++++++++++++++++--------------- 1 file changed, 552 insertions(+), 306 deletions(-) diff --git a/policy-20080710.patch b/policy-20080710.patch index e92e00b0..cac86434 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -8170,8 +8170,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.5/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/roles/staff.te 2008-08-25 10:50:15.000000000 -0400 -@@ -8,18 +8,34 @@ ++++ serefpolicy-3.5.5/policy/modules/roles/staff.te 2008-08-28 09:46:16.000000000 -0400 +@@ -8,23 +8,50 @@ role staff_r; @@ -8192,10 +8192,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -+ cron_per_role_template(staff, staff_t, staff_r) -+') -+ -+optional_policy(` + logadm_role_change_template(staff) +') + @@ -8207,7 +8203,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change_template(staff) ') -@@ -28,3 +44,14 @@ + optional_policy(` ++ ssh_per_role_template(staff, staff_t, staff_r) ++') ++ ++optional_policy(` + sysadm_role_change_template(staff) sysadm_dontaudit_use_terms(staff_t) ') 
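Review bot: The second hunk on this line (`@@ -8192,10 +8192,6 @@`) drops `cron_per_role_template(staff, staff_t, staff_r)` from staff.te and nothing in these hunks re-adds it, so staff_t would lose its derived crontab domain unless the call is now made from a shared user template elsewhere in the patch. With the subject line promising a crontab fix for the unconfined user, the connection between that fix and removing the staff call is not visible in the diff; a one-line comment at the removal site or a sentence in the commit description naming where `cron_per_role_template` is now invoked for staff would make this reviewable. The `ssh_per_role_template(staff, staff_t, staff_r)` addition in the third hunk follows the existing `optional_policy` shape and is fine as written.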
@@ -9639,7 +9640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.5/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/apache.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/apache.if 2008-08-29 14:16:41.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -10129,7 +10130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1098,3 +1071,144 @@ +@@ -1098,3 +1071,178 @@ allow httpd_t $1:process signal; ') 
@@ -10274,9 +10275,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; +') +') ++ ++######################################## ++## ++## Mark content as being readable by standard apache processes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`apache_ro_content',` ++ gen_require(` ++ attribute httpd_ro_content; ++ ') ++ typeattribute $1 httpd_ro_content; ++') ++ ++######################################## ++## ++## Mark content as being read/write by standard apache processes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`apache_rw_content',` ++ gen_require(` ++ attribute httpd_rw_content; ++ ') ++ typeattribute $1 httpd_rw_content; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/apache.te 2008-08-26 10:08:47.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/apache.te 2008-08-29 14:24:52.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10322,7 +10357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
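Review bot: The parameter descriptions of the new `apache_ro_content` and `apache_rw_content` templates say `Domain allowed access.`, but `$1` is the file type that receives `typeattribute $1 httpd_ro_content` / `httpd_rw_content`, not a domain; they should read `Type to mark as read-only apache content.` and `Type to mark as read/write apache content.`. The summaries would also be more useful if they stated the consequence of marking, e.g. `Content that httpd_t can read without any httpd tunable being set`, since the apache.te hunks further down grant `httpd_ro_content` reads to httpd_t outside any `tunable_policy` block as far as the visible lines show. Both bodies only add a type attribute and use no `$1_`-derived names, so by refpolicy convention they would normally be declared with `interface` rather than `template`; treat that as a style nit.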

## gen_tunable(httpd_can_network_connect, false) -@@ -109,14 +125,33 @@ +@@ -109,14 +125,35 @@ ## gen_tunable(httpd_unified, false) @@ -10347,6 +10382,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_sys_script_anon_write, false) + ++attribute httpd_ro_content; ++attribute httpd_rw_content; attribute httpdcontent; -attribute httpd_user_content_type; @@ -10358,7 +10395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # user script domains attribute httpd_script_domains; -@@ -147,6 +182,9 @@ +@@ -147,6 +184,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -10368,17 +10405,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -180,6 +218,9 @@ +@@ -180,6 +220,9 @@ # setup the system domain for system CGI scripts apache_content_template(sys) -+typeattribute httpd_sys_content_t httpdcontent; # customizable -+typeattribute httpd_sys_content_rw_t httpdcontent; # customizable ++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable ++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +243,16 @@ +@@ -202,12 +245,16 @@ prelink_object_file(httpd_modules_t) ') 
@@ -10396,7 +10433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +294,7 @@ +@@ -249,6 +296,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -10404,7 +10441,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -289,6 +335,7 @@ +@@ -260,9 +308,9 @@ + + allow httpd_t httpd_suexec_exec_t:file { getattr read }; + +-allow httpd_t httpd_sys_content_t:dir list_dir_perms; +-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++allow httpd_t httpd_ro_content:dir list_dir_perms; ++read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) ++read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) + + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) + manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -289,6 +337,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -10412,7 +10462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -312,12 +359,11 @@ +@@ -312,12 +361,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) 
@@ -10427,7 +10477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -335,6 +381,10 @@ +@@ -335,6 +383,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -10438,7 +10488,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,18 +401,33 @@ +@@ -351,18 +403,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -10459,7 +10509,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + @@ -10470,13 +10521,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') -@@ -370,6 +435,16 @@ +@@ -370,6 +437,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -10493,7 +10543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,23 +457,34 @@ +@@ -382,23 +459,34 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') 
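Review bot: In the hunk `@@ -10470,13 +10521,12 @@` the block that follows the newly declared `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` is guarded by `tunable_policy(`allow_httpd_mod_auth_pam',`, so `samba_domtrans_winbind_helper(httpd_t)` is switched on by the PAM boolean while the ntlm_winbind boolean has no use in any visible line. As written, an administrator who enables `allow_httpd_mod_auth_pam` for password checking also lets httpd transition into the winbind helper, and enabling `allow_httpd_mod_auth_ntlm_winbind` changes nothing. The guard should be `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`. The preceding hunk on this line already carries the PAM-gated `auth_domtrans_chkpwd(httpd_t)` block, so this looks like a copy-paste slip rather than intent.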
@@ -10504,14 +10554,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') -+ -+tunable_policy(`allow_httpd_sys_script_anon_write',` -+ miscfiles_manage_public_files(httpd_sys_script_t) -+') - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) ++tunable_policy(`allow_httpd_sys_script_anon_write',` ++ miscfiles_manage_public_files(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) @@ -10536,7 +10586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') -@@ -408,6 +494,11 @@ +@@ -408,6 +496,11 @@ fs_read_cifs_symlinks(httpd_t) ') @@ -10548,7 +10598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +532,13 @@ +@@ -441,8 +534,13 @@ ') optional_policy(` @@ -10564,7 +10614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,18 +550,13 @@ +@@ -454,18 +552,13 @@ ') optional_policy(` @@ -10584,7 +10634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -475,6 +566,12 @@ +@@ -475,6 +568,12 @@ openca_kill(httpd_t) ') 
@@ -10597,7 +10647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +579,7 @@ +@@ -482,6 +581,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -10605,7 +10655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -490,6 +588,7 @@ +@@ -490,6 +590,7 @@ ') optional_policy(` @@ -10613,7 +10663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +618,28 @@ +@@ -519,9 +620,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -10642,7 +10692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +669,27 @@ +@@ -551,22 +671,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10676,7 +10726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -590,6 +713,8 @@ +@@ -590,6 +715,8 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -10685,7 +10735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +723,7 @@ +@@ -598,9 +725,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) 
@@ -10696,7 +10746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +756,21 @@ +@@ -633,12 +758,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10721,7 +10771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +779,12 @@ +@@ -647,6 +781,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -10734,7 +10784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,10 +802,6 @@ +@@ -664,10 +804,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -10745,7 +10795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache system script local policy -@@ -677,7 +811,8 @@ +@@ -677,7 +813,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -10755,7 +10805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +826,15 @@ +@@ -691,12 +828,15 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10773,7 +10823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +842,28 @@ +@@ -704,6 +844,28 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') 
@@ -10802,7 +10852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +876,10 @@ +@@ -716,10 +878,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -10817,7 +10867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +887,8 @@ +@@ -727,6 +889,8 @@ # httpd_rotatelogs local policy # @@ -10826,7 +10876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +903,48 @@ +@@ -741,3 +905,56 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -10875,6 +10925,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') ++ ++manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++ ++manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.5/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/services/apcupsd.fc 2008-08-25 10:50:15.000000000 -0400 
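Review bot: The last hunk on this line (`@@ -10875,6 +10925,14 @@`) appends the six `manage_*_pattern(..., httpdcontent, httpd_rw_content)` rules for `httpd_sys_script_t` and `httpd_t` after the bugzilla script section at the very end of apache.te, with no `tunable_policy` around them. The existing `httpdcontent` write rules for httpd_t visible earlier in this patch sit in the httpd_t local-policy section and appear to be inside tunable blocks, so these should move next to their domain's section, and if the intent is that `apache_rw_content` bypasses the httpd booleans a comment should say so, e.g. `# Types marked via apache_rw_content are writable by httpd and its scripts independent of the httpd_unified/httpd_enable_cgi tunables`. The new calls also omit the space after each comma that the rest of the file uses, as in `manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)`.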
@@ -12538,9 +12596,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_cifs_files(consolekit_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.5/policy/modules/services/courier.fc +--- nsaserefpolicy/policy/modules/services/courier.fc 2008-08-14 13:08:27.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/courier.fc 2008-08-26 20:27:36.000000000 -0400 +@@ -21,3 +21,4 @@ + /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) + + /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) ++/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.5/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/courier.te 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/courier.te 2008-08-28 09:50:54.000000000 -0400 @@ -28,6 +28,7 @@ type courier_exec_t; 
@@ -12549,6 +12615,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol courier_domain_template(sqwebmail) typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; +@@ -73,6 +74,9 @@ + + sysadm_dontaudit_search_home_dirs(courier_authdaemon_t) + ++files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t) ++manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) ++ + ######################################## + # + # Calendar (PCP) local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.5/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/services/cron.fc 2008-08-25 10:50:15.000000000 -0400 @@ -12568,7 +12644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.5/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/cron.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/cron.if 2008-08-26 20:18:25.000000000 -0400 @@ -35,39 +35,23 @@ # template(`cron_per_role_template',` @@ -12737,7 +12813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_crontab_t local policy -@@ -193,9 +84,13 @@ +@@ -193,10 +84,13 @@ # dac_override is to create the file in the directory under /tmp allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override }; allow $1_crontab_t self:process signal_perms; 
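Review bot: `files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)` in the courier.te hunk passes three arguments to an interface that takes a single domain; elsewhere in this same patch it is called as `files_search_spool($1)` (prelude.if). m4 silently discards the extra arguments, so it builds, but the call reads as if it were a `*_pattern` macro; change it to `files_search_spool(courier_authdaemon_t)`. The `manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)` line beneath it is correct as written.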
@@ -12746,12 +12822,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, $1_crontab_t) + allow $2 $1_crontab_t:fd use; -+ -+ auth_domtrans_chk_passwd($1_crontab_t) ++ auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t }) # crontab shows up in user ps ps_process_pattern($2, $1_crontab_t) -@@ -206,9 +101,6 @@ + +@@ -206,9 +100,6 @@ # Allow crond to read those crontabs in cron spool. allow crond_t $1_cron_spool_t:file manage_file_perms; @@ -12761,7 +12837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # create files in /var/spool/cron manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t) filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file) -@@ -227,27 +119,32 @@ +@@ -227,27 +118,32 @@ # Run helper programs as the user domain corecmd_bin_domtrans($1_crontab_t, $2) corecmd_shell_domtrans($1_crontab_t, $2) @@ -12796,7 +12872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -286,14 +183,12 @@ +@@ -286,14 +182,12 @@ template(`cron_admin_template',` gen_require(` attribute cron_spool_type; @@ -12812,7 +12888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Manipulate other users crontab. selinux_get_fs_mount($1_crontab_t) selinux_validate_context($1_crontab_t) -@@ -421,6 +316,24 @@ +@@ -421,6 +315,24 @@ ######################################## ## 
@@ -12837,20 +12913,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write a cron daemon unnamed pipe. ## ## -@@ -439,7 +352,7 @@ +@@ -439,7 +351,26 @@ ######################################## ## -## Read, and write cron daemon TCP sockets. +## Read temporary files from cron. - ## - ## - ## -@@ -447,7 +360,26 @@ - ## - ## - # --interface(`cron_rw_tcp_sockets',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`cron_read_tmp_files',` + gen_require(` + type crond_tmp_t; @@ -12863,18 +12938,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +######################################## +## +## Dontaudit Read, and write cron daemon TCP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -447,7 +378,7 @@ + ## + ## + # +-interface(`cron_rw_tcp_sockets',` +interface(`cron_dontaudit_rw_tcp_sockets',` gen_require(` type crond_t; ') -@@ -559,11 +491,14 @@ +@@ -559,11 +490,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -12890,7 +12966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,3 +519,44 @@ +@@ -584,3 +518,44 @@ dontaudit $1 system_crond_tmp_t:file append; ') @@ -13416,7 +13492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.5/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/cups.te 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/cups.te 2008-08-29 12:52:54.000000000 -0400 @@ -48,6 +48,9 @@ type hplip_t; type hplip_exec_t; 
@@ -13624,6 +13700,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) +@@ -281,7 +326,7 @@ + # Cups configuration daemon local policy + # + +-allow cupsd_config_t self:capability { chown sys_tty_config }; ++allow cupsd_config_t self:capability { chown dav_override sys_tty_config }; + dontaudit cupsd_config_t self:capability sys_tty_config; + allow cupsd_config_t self:process signal_perms; + allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -326,6 +371,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) @@ -17715,7 +17800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.5/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/mailman.te 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/mailman.te 2008-08-28 09:24:48.000000000 -0400 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -17734,7 +17819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow mailman_mail_t self:unix_dgram_socket create_socket_perms; +allow mailman_mail_t initrc_t:process signal; -+allow mailman_mail_t self:process signal; ++allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; + +files_search_spool(mailman_mail_t) 
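Review bot: `allow cupsd_config_t self:capability { chown dav_override sys_tty_config };` in the cups.te hunk spells the capability `dav_override`; the kernel capability is `dac_override`, and checkpolicy rejects an unknown permission name, so this hunk breaks the policy build. The line should be `allow cupsd_config_t self:capability { chown dac_override sys_tty_config };`. Since this grants the configuration daemon a DAC bypass, a one-line comment above it naming the file access that required it would let the next reviewer judge whether a narrower rule would do.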
@@ -19945,7 +20030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.5/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.5/policy/modules/services/polkit.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/polkit.if 2008-08-26 20:18:05.000000000 -0400 @@ -0,0 +1,212 @@ + +## policy for polkit_auth @@ -20396,7 +20481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.5/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/postfix.fc 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/postfix.fc 2008-08-26 13:08:46.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -20500,7 +20585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.5/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/postfix.te 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/postfix.te 2008-08-26 13:30:44.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
@@ -20695,18 +20780,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -407,6 +446,10 @@ +@@ -407,6 +446,14 @@ ') optional_policy(` + mta_manage_spool(postfix_pipe_t) +') + ++optional_policy(` ++ spamassassin_domtrans_spamc(postfix_pipe_t) ++') ++ +optional_policy(` uucp_domtrans_uux(postfix_pipe_t) ') -@@ -443,8 +486,7 @@ +@@ -443,8 +490,7 @@ ') optional_policy(` @@ -20716,7 +20805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -470,6 +512,15 @@ +@@ -470,6 +516,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -20732,7 +20821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -564,6 +615,10 @@ +@@ -564,6 +619,10 @@ sasl_connect(postfix_smtpd_t) ') @@ -20743,7 +20832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix virtual local policy -@@ -579,7 +634,7 @@ +@@ -579,7 +638,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -21280,7 +21369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.5/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/prelude.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/prelude.if 2008-08-29 14:42:14.000000000 -0400 @@ -6,7 +6,7 @@ ## ## 
@@ -21322,7 +21411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Read/Write to prelude-manager spool files. ++## Manage to prelude-manager spool files. +## +## +## @@ -21330,14 +21419,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`prelude_rw_spool',` ++interface(`prelude_manage_spool',` + gen_require(` + type prelude_spool_t; + ') + + files_search_spool($1) -+ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t) -+ rw_files_pattern($1, prelude_spool_t, prelude_spool_t) ++ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) ++ manage_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## @@ -21872,7 +21961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc.d/init.d/pyzord -- gen_context(system_u:object_r:pyzord_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.5/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/pyzor.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/pyzor.if 2008-08-26 13:06:33.000000000 -0400 @@ -25,16 +25,16 @@ # template(`pyzor_per_role_template',` 
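Review bot: The summary of the renamed interface now reads `Manage to prelude-manager spool files.`, which is ungrammatical; use `Manage prelude-manager spool files.`. Renaming `prelude_rw_spool` to `prelude_manage_spool` and switching its body to `manage_dirs_pattern`/`manage_files_pattern` widens the grant from read/write to create/delete, which the new name does convey, but any existing caller of `prelude_rw_spool` lies outside this hunk and would now fail to build unless it was updated in the same commit. A sentence in the commit description naming the updated callers would close that gap.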
@@ -24886,7 +24975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.5/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/spamassassin.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/spamassassin.if 2008-08-26 13:44:12.000000000 -0400 @@ -34,10 +34,10 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. @@ -25969,7 +26058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.5/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/ssh.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/ssh.if 2008-08-29 13:10:02.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25990,7 +26079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -93,18 +95,18 @@ +@@ -93,20 +95,21 @@ ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config 
@@ -26016,8 +26105,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) kernel_read_kernel_sysctls($1_ssh_t) ++ kernel_read_system_state($1_ssh_t) -@@ -212,7 +214,7 @@ + corenet_all_recvfrom_unlabeled($1_ssh_t) + corenet_all_recvfrom_netlabel($1_ssh_t) +@@ -212,7 +215,7 @@ ssh_basic_client_template($1, $2, $3) @@ -26026,7 +26118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type $1_ssh_agent_t; application_domain($1_ssh_agent_t, ssh_agent_exec_t) -@@ -240,9 +242,9 @@ +@@ -240,9 +243,9 @@ manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -26039,7 +26131,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) -@@ -413,6 +415,25 @@ +@@ -254,6 +257,8 @@ + userdom_use_unpriv_users_fds($1_ssh_t) + userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t) + userdom_search_user_home_dirs($1,$1_ssh_t) ++ userdom_write_user_tmp_sockets(user,$1_ssh_t) ++ + # Write to the user domain tty. + userdom_use_user_terminals($1,$1_ssh_t) + # needs to read krb tgt +@@ -282,21 +287,10 @@ + ') + + optional_policy(` +- xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t) ++# xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t) + xserver_domtrans_user_xauth($1, $1_ssh_t) + ') + +- ifdef(`TODO',` +- # for /bin/sh used to execute xauth +- dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; +- +- #allow ssh to access keys stored on removable media +- # Should we have a boolean around this? +- files_search_mnt($1_ssh_t) +- r_dir_file($1_ssh_t, removable_t) +- +- ') dnl endif TODO +- + ############################## + # + # $1_ssh_agent_t local policy +@@ -383,10 +377,6 @@ + xserver_rw_xdm_pipes($1_ssh_agent_t) + ') + +- ifdef(`TODO',` +- dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; +- ') dnl endif TODO +- + ############################## + # + # $1_ssh_keysign_t local policy +@@ -413,6 +403,25 @@ ') ') @@ -26065,7 +26200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## The template to define a ssh server. -@@ -443,13 +464,14 @@ +@@ -443,13 +452,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) 
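Review bot: `userdom_write_user_tmp_sockets(user,$1_ssh_t)` hard-codes the `user` prefix inside a per-role template whose neighbouring calls (`userdom_search_user_home_dirs($1,$1_ssh_t)`) use `$1`, so every instantiation (staff_ssh_t, sysadm_ssh_t, ...) is granted write access to the `user` role's tmp sockets rather than its own role's. If that is deliberate because the user tmp types are being consolidated under the `user` prefix elsewhere in this patch, say so with a comment such as `# user tmp types are shared by all roles, hence the fixed prefix`; otherwise the argument should be `$1`. The same hunk leaves `xserver_user_x_domain_template(...)` commented out with `#` inside an `optional_policy` block, which silently drops X client access for `$1_ssh_t` with no stated reason; either delete the line or add a comment explaining why it is disabled. The ssh client template this hunk edits begins before the hunk and its body continues past it.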
@@ -26081,7 +26216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -479,6 +501,10 @@ +@@ -479,6 +489,10 @@ corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) @@ -26092,7 +26227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -506,9 +532,14 @@ +@@ -506,9 +520,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) @@ -26107,7 +26242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -517,11 +548,7 @@ +@@ -517,11 +536,7 @@ optional_policy(` kerberos_use($1_t) @@ -26120,7 +26255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -710,3 +737,22 @@ +@@ -710,3 +725,22 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -26762,7 +26897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/xserver.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/xserver.if 2008-08-28 14:39:44.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; 
@@ -26823,11 +26958,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type iceauth_exec_t, xauth_exec_t; attribute fonts_type, fonts_cache_type, fonts_config_type; + type fonts_home_t, fonts_cache_home_t, fonts_config_home_t; -+ type iceauth_home_t, xauth_home_t, xauth_tmp_t; ++ type iceauth_home_t, xauth_t, xauth_home_t, xauth_tmp_t; ') ############################## -@@ -280,35 +293,25 @@ +@@ -280,61 +293,41 @@ xserver_common_domain_template($1) role $3 types $1_xserver_t; 
@@ -26851,33 +26986,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - type $1_iceauth_home_t alias $1_iceauth_rw_t; - files_poly_member($1_iceauth_home_t) - userdom_user_home_content($1, $1_iceauth_home_t) -+ typealias iceauth_home_t alias $1_iceauth_rw_t; -+ typealias iceauth_home_t alias $1_iceauth_home_t; - - type $1_xauth_t; - domain_type($1_xauth_t) - domain_entry_file($1_xauth_t, xauth_exec_t) - role $3 types $1_xauth_t; - +- +- type $1_xauth_t; +- domain_type($1_xauth_t) +- domain_entry_file($1_xauth_t, xauth_exec_t) +- role $3 types $1_xauth_t; +- - type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; - files_poly_member($1_xauth_home_t) - userdom_user_home_content($1, $1_xauth_home_t) -- ++ typealias iceauth_home_t alias $1_iceauth_rw_t; ++ typealias iceauth_home_t alias $1_iceauth_home_t; + - type $1_xauth_tmp_t; - files_tmp_file($1_xauth_tmp_t) +- +- ############################## +- # +- # $1_xserver_t Local policy +- # + typealias xauth_home_t alias $1_xauth_rw_t; + typealias xauth_home_t alias $1_xauth_home_t; - ############################## - # -@@ -317,24 +320,24 @@ - - domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) - -- allow $1_xserver_t $1_xauth_home_t:file { getattr read }; +- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) + allow $1_xserver_t xauth_home_t:file { getattr read }; - domtrans_pattern($2, xserver_exec_t, $1_xserver_t) +- allow $1_xserver_t $1_xauth_home_t:file { getattr read }; ++ domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t) ++ role $3 types xauth_t; + +- domtrans_pattern($2, xserver_exec_t, $1_xserver_t) allow $1_xserver_t $2:process signal; allow $1_xserver_t $2:shm rw_shm_perms; @@ -26905,7 +27043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t) -@@ -348,6 +351,8 @@ +@@ -348,85 +341,32 @@ locallogin_use_fds($1_xserver_t) 
@@ -26914,10 +27052,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1, $1_xserver_t) userdom_use_user_ttys($1, $1_xserver_t) userdom_setattr_user_ttys($1, $1_xserver_t) -@@ -355,18 +360,12 @@ + userdom_rw_user_tmpfs_files($1, $1_xserver_t) xserver_use_user_fonts($1, $1_xserver_t) - xserver_rw_xdm_tmp_files($1_xauth_t) +- xserver_rw_xdm_tmp_files($1_xauth_t) ++ xserver_rw_xdm_tmp_files(xauth_t) + xserver_read_xdm_xserver_tmp_files($2) optional_policy(` 
@@ -26930,43 +27069,78 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1_xserver_t xdm_var_run_t:dir search; - ') - ') dnl end TODO -- - ############################## - # - # $1_xauth_t Local policy -@@ -375,12 +374,12 @@ - allow $1_xauth_t self:process signal; - allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; ++ domtrans_pattern($2, xauth_exec_t, xauth_t) ++ allow $2 xauth_t:process signal; +- ############################## +- # +- # $1_xauth_t Local policy +- # +- +- allow $1_xauth_t self:process signal; +- allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; +- - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file) -+ allow $1_xauth_t xauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1, $1_xauth_t, xauth_home_t, file) - +- - manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -+ manage_dirs_pattern($1_xauth_t, xauth_tmp_t, xauth_tmp_t) -+ manage_files_pattern($1_xauth_t, xauth_tmp_t, xauth_tmp_t) -+ files_tmp_filetrans($1_xauth_t, xauth_tmp_t, { file dir }) +- +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) +- +- allow $2 $1_xauth_t:process signal; ++ allow $2 xauth_home_t:file manage_file_perms; ++ allow $2 xauth_home_t:file { relabelfrom relabelto }; - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) - -@@ -389,11 +388,8 @@ # allow ps to show xauth - ps_process_pattern($2,$1_xauth_t) - +- ps_process_pattern($2,$1_xauth_t) +- - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; - - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file) -+ allow $2 xauth_home_t:file manage_file_perms; -+ allow $2 xauth_home_t:file { 
relabelfrom relabelto }; +- +- domain_use_interactive_fds($1_xauth_t) +- +- files_read_etc_files($1_xauth_t) +- files_search_pids($1_xauth_t) +- +- fs_getattr_xattr_fs($1_xauth_t) +- fs_search_auto_mountpoints($1_xauth_t) +- +- # cjp: why? +- term_use_ptmx($1_xauth_t) +- +- auth_use_nsswitch($1_xauth_t) +- +- libs_use_ld_so($1_xauth_t) +- libs_use_shared_libs($1_xauth_t) ++ ps_process_pattern($2,xauth_t) - domain_use_interactive_fds($1_xauth_t) +- userdom_use_user_terminals($1, $1_xauth_t) +- userdom_read_user_tmp_files($1, $1_xauth_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files($1_xauth_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files($1_xauth_t) +- ') +- +- optional_policy(` +- ssh_sigchld($1_xauth_t) +- ssh_read_pipes($1_xauth_t) +- ssh_dontaudit_rw_tcp_sockets($1_xauth_t) +- ') ++ userdom_use_user_terminals($1, xauth_t) ++ userdom_read_user_tmp_files($1, xauth_t) -@@ -435,16 +431,16 @@ + ############################## + # +@@ -435,16 +375,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -26988,7 +27162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints($1_iceauth_t) -@@ -467,34 +463,12 @@ +@@ -467,34 +407,12 @@ # # Device rules @@ -27025,7 +27199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create write append }; -@@ -610,7 +584,7 @@ +@@ -610,7 +528,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; @@ -27034,7 +27208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $2 self:shm create_shm_perms; -@@ -618,8 +592,8 @@ +@@ -618,8 +536,8 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file 
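Review bot: Replacing the per-role `$1_xauth_t`/`$1_xauth_home_t` with the single `xauth_t`/`xauth_home_t` removes the type separation between roles' X authority files: `allow $2 xauth_home_t:file manage_file_perms;` and `allow $2 xauth_home_t:file { relabelfrom relabelto };` now give every client domain passed as `$2` manage and relabel rights over every user's `xauth_home_t` file, and `allow $2 xauth_t:process signal;` reaches every running xauth, leaving DAC as the only separation between users' cookies. If this consolidation is intended (it matches the `userdom_user_home_content(user, ...)` direction elsewhere in the patch), the template should state it, e.g. `# xauth_t/xauth_home_t are shared across roles; .Xauthority separation between users now relies on DAC`. The relabel permissions in particular deserve a why-comment, since they let a client domain move files into and out of the cookie type. `xserver_common_domain_template` begins before this hunk and its body continues past it.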
@@ -27045,7 +27219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,13 +617,177 @@ +@@ -643,11 +561,80 @@ xserver_read_xdm_tmp_files($2) @@ -27127,20 +27301,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + # setattr: metacity X11:InstallColormap + allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; -+') -+ -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## + ') + + ####################################### +@@ -662,6 +649,101 @@ + ## is the prefix for user_t). + ## + ## +## +## +## Client domain allowed access. @@ -27221,13 +27388,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# xserver_use($1, $1, $2) + xserver_use(xdm, $1, $2) - ') - ++') + - ####################################### - ## - ## Interface to provide X object permissions on a given X server to -@@ -676,7 +814,7 @@ ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## + ## + ## + ## The prefix of the X client domain (e.g., user +@@ -676,7 +758,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` 
@@ -27236,7 +27415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -685,7 +823,6 @@ +@@ -685,7 +767,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -27244,7 +27423,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -709,20 +846,22 @@ +@@ -709,20 +790,22 @@ # Declarations # @@ -27270,7 +27449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -740,7 +879,7 @@ +@@ -740,7 +823,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -27279,7 +27458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -749,7 +888,7 @@ +@@ -749,7 +832,7 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -27288,7 +27467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Protocol Extensions allow $3 std_xext_t:x_extension { query use }; -@@ -758,27 +897,17 @@ +@@ -758,27 +841,17 @@ # X Properties # can read and write client properties @@ -27321,7 +27500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Input # can receive own events -@@ -805,6 +934,12 @@ +@@ -805,6 +878,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; 
@@ -27334,7 +27513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -813,13 +948,15 @@ +@@ -813,13 +892,15 @@ # Other X Objects # can create and use cursors @@ -27354,7 +27533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +1016,17 @@ +@@ -879,17 +960,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -27379,7 +27558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -916,11 +1053,9 @@ +@@ -916,11 +997,9 @@ # X object manager xserver_common_x_domain_template($1, $2, $3) @@ -27394,7 +27573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -952,26 +1087,43 @@ +@@ -952,26 +1031,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -27445,10 +27624,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -1005,6 +1157,73 @@ +@@ -997,10 +1093,77 @@ + # + template(`xserver_domtrans_user_xauth',` + gen_require(` +- type $1_xauth_t, xauth_exec_t; ++ type xauth_t, xauth_exec_t; + ') - ######################################## - ## +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ domtrans_pattern($2, xauth_exec_t, xauth_t) ++') ++ ++######################################## ++## +## Read a user Xauthority domain. +## +## 
@@ -27512,14 +27701,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + # Read .Iceauthority file + allow $2 iceauth_home_t:file { getattr read }; -+') -+ -+######################################## -+## - ## Transition to a user Xauthority domain. - ## - ## -@@ -1030,10 +1249,10 @@ + ') + + ######################################## +@@ -1030,10 +1193,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -27532,7 +27717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1219,6 +1438,25 @@ +@@ -1219,6 +1382,25 @@ ######################################## ## @@ -27558,7 +27743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1511,7 @@ +@@ -1273,6 +1455,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -27566,7 +27751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,7 +1530,7 @@ +@@ -1291,7 +1474,7 @@ ') files_search_pids($1) @@ -27575,7 +27760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1314,6 +1553,24 @@ +@@ -1314,6 +1497,24 @@ ######################################## ## @@ -27600,7 +27785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1581,47 @@ +@@ -1324,15 +1525,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` 
@@ -27649,7 +27834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1771,7 @@ +@@ -1482,7 +1715,7 @@ type xdm_xserver_tmp_t; ') @@ -27658,7 +27843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1674,6 +1963,65 @@ +@@ -1674,6 +1907,65 @@ ######################################## ## @@ -27724,7 +27909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1686,8 +2034,126 @@ +@@ -1686,8 +1978,126 @@ # interface(`xserver_unconfined',` gen_require(` @@ -27855,7 +28040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.5/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/services/xserver.te 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/services/xserver.te 2008-08-28 12:54:34.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -27925,7 +28110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -122,6 +147,27 @@ +@@ -122,6 +147,31 @@ type xserver_log_t; logging_log_file(xserver_log_t) 
@@ -27941,6 +28126,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type iceauth_home_t; +userdom_user_home_content(user, iceauth_home_t) + ++type xauth_t; ++domain_type(xauth_t) ++domain_entry_file(xauth_t, xauth_exec_t) ++ +type xauth_home_t, xauth_home_type; +userdom_user_home_content(user, xauth_home_t) + @@ -27953,7 +28142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_common_domain_template(xdm) xserver_common_x_domain_template(xdm, xdm, xdm_t) init_system_domain(xdm_xserver_t, xserver_exec_t) -@@ -140,8 +186,9 @@ +@@ -140,8 +190,9 @@ # XDM Local policy # @@ -27965,7 +28154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -154,6 +201,12 @@ +@@ -154,6 +205,12 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -27978,7 +28167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -169,6 +222,8 @@ +@@ -169,6 +226,8 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -27987,7 +28176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -176,15 +231,25 @@ +@@ -176,15 +235,25 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
@@ -28015,7 +28204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -198,6 +263,7 @@ +@@ -198,6 +267,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -28023,7 +28212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) -@@ -229,6 +295,7 @@ +@@ -229,6 +299,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -28031,7 +28220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -241,6 +308,7 @@ +@@ -241,6 +312,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28039,7 +28228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -253,14 +321,17 @@ +@@ -253,14 +325,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -28059,7 +28248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -271,9 +342,13 @@ +@@ -271,9 +346,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -28073,7 +28262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +357,7 @@ +@@ -282,6 +361,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28081,7 +28270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -290,6 +366,7 @@ +@@ -290,6 +370,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -28089,7 +28278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -301,21 +378,25 @@ +@@ -301,21 +382,25 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -28120,7 +28309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -348,10 +429,12 @@ +@@ -348,10 +433,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28133,7 +28322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -359,6 +442,22 @@ +@@ -359,6 +446,22 @@ ') optional_policy(` @@ -28156,7 +28345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +481,32 @@ +@@ -382,16 +485,32 @@ ') optional_policy(` @@ -28190,7 +28379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -427,7 +542,7 @@ +@@ -427,7 +546,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
@@ -28199,7 +28388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -439,6 +554,15 @@ +@@ -439,6 +558,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -28215,7 +28404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +574,19 @@ +@@ -450,10 +578,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -28236,7 +28425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,8 +601,19 @@ +@@ -468,8 +605,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) @@ -28256,7 +28445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` resmgr_stream_connect(xdm_t) -@@ -481,8 +625,25 @@ +@@ -481,8 +629,25 @@ ') optional_policy(` @@ -28284,7 +28473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_xserver_t self:process { execheap execmem }; -@@ -491,7 +652,6 @@ +@@ -491,7 +656,6 @@ ifdef(`distro_rhel4',` allow xdm_xserver_t self:process { execheap execmem }; ') @@ -28292,7 +28481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -544,3 +704,10 @@ +@@ -544,3 +708,56 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO 
@@ -28303,6 +28492,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + allow x_domain xdm_xserver_tmpfs_t:file rw_file_perms;
 +')
 +
++##############################
++#
++# xauth_t Local policy
++#
++
++allow xauth_t self:process signal;
++allow xauth_t self:unix_stream_socket create_stream_socket_perms;
++
++allow xauth_t xauth_home_t:file manage_file_perms;
++userdom_user_home_dir_filetrans($1, xauth_t, xauth_home_t, file)
++
++manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
++manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
++files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
++
++domain_use_interactive_fds(xauth_t)
++
++files_read_etc_files(xauth_t)
++files_search_pids(xauth_t)
++
++fs_getattr_xattr_fs(xauth_t)
++fs_search_auto_mountpoints(xauth_t)
++
++auth_use_nsswitch(xauth_t)
++
++libs_use_ld_so(xauth_t)
++libs_use_shared_libs(xauth_t)
++
++files_search_pids(xauth_t)
++rw_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(xauth_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files(xauth_t)
++')
++
++optional_policy(`
++ ssh_sigchld(xauth_t)
++ ssh_read_pipes(xauth_t)
++ ssh_dontaudit_rw_tcp_sockets(xauth_t)
++')
++
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.5/policy/modules/services/zabbix.fc
 --- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.5/policy/modules/services/zabbix.fc 2008-08-25 10:50:15.000000000 -0400
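Review bot: `userdom_user_home_dir_filetrans($1, xauth_t, xauth_home_t, file)` sits at file scope in xserver.te, where `$1` is not a macro argument and m4 passes it through as the literal text `$1`; the line was evidently lifted from the template body and should use the same fixed prefix as the declaration `userdom_user_home_content(user, xauth_home_t)` earlier in the same file, i.e. `userdom_user_home_dir_filetrans(user, xauth_t, xauth_home_t, file)`. Whether this breaks the policy build depends on whether that interface still expands its prefix argument, which is not visible here, but it is wrong either way. The block also lists `files_search_pids(xauth_t)` twice, and `rw_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)` does not appear in the per-role template rules this replaces while xauth_t is reachable from any user domain via the domain transition added in xserver.if, so it needs a why-comment naming the xdm runtime file xauth must write, or should be narrowed to read.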
@@ -29764,8 +29999,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.5/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/system/logging.if 2008-08-25 10:50:15.000000000 -0400 -@@ -699,6 +699,8 @@ ++++ serefpolicy-3.5.5/policy/modules/system/logging.if 2008-08-29 14:20:21.000000000 -0400 +@@ -281,7 +281,9 @@ + role system_r types $1; + + domtrans_pattern(audisp_t, $2, $1) ++# Not sure if this is necessary? + allow $1 audisp_t:process signal; ++ allow audisp_t $1:process signal; + + allow audisp_t $2:file getattr; + allow $1 audisp_t:unix_stream_socket rw_socket_perms; +@@ -699,6 +701,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile) @@ -29774,7 +30019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -803,6 +805,42 @@ +@@ -803,6 +807,42 @@ ######################################## ## @@ -29817,7 +30062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## the audit environment ## -@@ -827,6 +865,7 @@ +@@ -827,6 +867,7 @@ gen_require(` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; @@ -29825,7 +30070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 auditd_t:process { ptrace signal_perms }; -@@ -842,6 +881,13 @@ +@@ -842,6 +883,13 @@ manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) logging_run_auditctl($1, $2, $3) 
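Review bot: `allow audisp_t $1:process signal;` is added under the comment `# Not sure if this is necessary?`, which is a question rather than a justification; a rule giving the audit dispatcher signal rights over every plugin domain registered through this interface should be backed by an observed denial or left out until one appears. Replace the comment with the reason, e.g. `# audispd signals its plugin domains (observed AVC denial, not covered by the reverse rule above)` if that is what was seen, or drop the rule. The interface this hunk edits begins before the hunk.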
@@ -29839,7 +30084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -862,6 +908,7 @@ +@@ -862,6 +910,7 @@ type syslogd_tmp_t, syslogd_var_lib_t; type syslogd_var_run_t, klogd_var_run_t; type klogd_tmp_t, var_log_t; @@ -29847,7 +30092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 syslogd_t:process { ptrace signal_perms }; -@@ -889,6 +936,12 @@ +@@ -889,6 +938,12 @@ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -29860,7 +30105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -915,5 +968,5 @@ +@@ -915,5 +970,5 @@ # interface(`logging_admin',` logging_admin_audit($1, $2, $3) @@ -32435,7 +32680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/system/userdomain.if 2008-08-25 10:50:15.000000000 -0400 ++++ serefpolicy-3.5.5/policy/modules/system/userdomain.if 2008-08-29 13:08:43.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') 
@@ -33341,7 +33586,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_base_user_template($1) -@@ -934,70 +921,72 @@ +@@ -930,74 +917,77 @@ + + allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; + dontaudit $1_t self:process setrlimit; ++ + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; allow $1_t self:context contains; @@ -33447,7 +33697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1031,9 +1020,6 @@ +@@ -1031,9 +1021,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -33457,7 +33707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1028,24 @@ +@@ -1042,12 +1029,24 @@ # # privileged home directory writers @@ -33488,7 +33738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1087,14 +1085,16 @@ +@@ -1087,14 +1086,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -33510,7 +33760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1102,23 @@ +@@ -1102,28 +1103,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -33544,7 +33794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1129,7 @@ +@@ -1134,8 +1130,7 @@ ## ## ##

@@ -33554,7 +33804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1167,11 +1161,10 @@ +@@ -1167,11 +1162,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -33567,7 +33817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1182,45 @@ +@@ -1189,36 +1183,45 @@ ') ') @@ -33626,7 +33876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1297,6 @@ +@@ -1295,8 +1298,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -33635,7 +33885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1318,6 @@ +@@ -1318,8 +1319,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -33644,7 +33894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1372,6 @@ +@@ -1374,13 +1373,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -33658,7 +33908,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1423,7 @@ +@@ -1432,6 +1424,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -33666,7 +33916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1453,6 @@ +@@ -1461,10 +1454,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) 
@@ -33677,7 +33927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1472,14 @@ +@@ -1484,6 +1473,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -33692,7 +33942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1737,15 @@ +@@ -1741,11 +1738,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -33711,7 +33961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1841,11 @@ +@@ -1841,11 +1842,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -33725,7 +33975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1875,11 @@ +@@ -1875,11 +1876,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -33739,7 +33989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1923,12 @@ +@@ -1923,12 +1924,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -33755,7 +34005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1958,11 @@ +@@ -1958,10 +1959,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -33769,7 +34019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1994,47 @@ +@@ -1993,11 +1995,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` 
@@ -33819,7 +34069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2066,10 @@ +@@ -2029,10 +2067,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -33832,7 +34082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2099,11 @@ +@@ -2062,11 +2100,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -33846,7 +34096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2133,11 @@ +@@ -2096,11 +2134,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -33861,7 +34111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2167,14 @@ +@@ -2130,10 +2168,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -33878,7 +34128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2204,11 @@ +@@ -2163,11 +2205,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -33892,7 +34142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2238,11 @@ +@@ -2197,11 +2239,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -33906,7 +34156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2272,10 @@ +@@ -2231,10 +2273,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` 
@@ -33919,7 +34169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2307,12 @@ +@@ -2266,12 +2308,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -33935,7 +34185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2344,10 @@ +@@ -2303,10 +2345,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -33948,7 +34198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2379,12 @@ +@@ -2338,12 +2380,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -33964,7 +34214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2416,12 @@ +@@ -2375,12 +2417,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -33980,7 +34230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2453,12 @@ +@@ -2412,12 +2454,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -33996,7 +34246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2503,11 @@ +@@ -2462,11 +2504,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -34010,7 +34260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2552,11 @@ +@@ -2511,11 +2553,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` 
@@ -34024,7 +34274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2596,11 @@ +@@ -2555,11 +2597,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -34038,7 +34288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2630,11 @@ +@@ -2589,11 +2631,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -34052,7 +34302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2664,11 @@ +@@ -2623,11 +2665,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -34066,7 +34316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2700,10 @@ +@@ -2659,10 +2701,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -34079,7 +34329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2735,10 @@ +@@ -2694,10 +2736,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -34092,7 +34342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2768,12 @@ +@@ -2727,12 +2769,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -34108,7 +34358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2805,10 @@ +@@ -2764,10 +2806,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` 
@@ -34121,7 +34371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2840,10 @@ +@@ -2799,10 +2841,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -34134,7 +34384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2873,12 @@ +@@ -2832,12 +2874,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -34150,7 +34400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2910,10 @@ +@@ -2869,10 +2911,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -34163,7 +34413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2945,12 @@ +@@ -2904,12 +2946,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -34179,7 +34429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2982,11 @@ +@@ -2941,11 +2983,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -34193,7 +34443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3018,11 @@ +@@ -2977,11 +3019,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -34207,7 +34457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3054,11 @@ +@@ -3013,11 +3055,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` 
@@ -34221,7 +34471,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3090,11 @@ +@@ -3049,11 +3091,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -34235,7 +34485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3126,11 @@ +@@ -3085,11 +3127,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -34249,7 +34499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3175,10 @@ +@@ -3134,10 +3176,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -34262,7 +34512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3219,19 @@ +@@ -3178,19 +3220,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -34286,7 +34536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -4616,11 +4657,11 @@ +@@ -4616,11 +4658,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -34300,7 +34550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4681,14 @@ +@@ -4640,6 +4682,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -34315,7 +34565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4726,8 @@ +@@ -4677,6 +4727,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -34324,7 +34574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4772,25 @@ +@@ -4721,6 +4773,25 @@ ######################################## ##

@@ -34350,7 +34600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5016,7 @@ +@@ -4946,7 +5017,7 @@ ######################################## ## @@ -34359,7 +34609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,6 +5388,42 @@ +@@ -5318,6 +5389,42 @@ ######################################## ## @@ -34402,7 +34652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write unprivileged user ttys. ## ## -@@ -5368,7 +5474,7 @@ +@@ -5368,7 +5475,7 @@ attribute userdomain; ') @@ -34411,7 +34661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -5483,7 +5589,7 @@ +@@ -5483,7 +5590,7 @@ ######################################## ## @@ -34420,15 +34670,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5491,10 +5597,46 @@ +@@ -5491,7 +5598,43 @@ ## ## # -interface(`userdom_dbus_send_all_users',` +interface(`userdom_manage_all_users_keys',` - gen_require(` - attribute userdomain; -- class dbus send_msg; ++ gen_require(` ++ attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; @@ -34463,13 +34712,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +# +interface(`userdom_dbus_send_all_users',` -+ gen_require(` -+ attribute userdomain; -+ class dbus send_msg; - ') - - allow $1 userdomain:dbus send_msg; -@@ -5513,3 +5655,506 @@ + gen_require(` + attribute userdomain; + class dbus send_msg; +@@ -5513,3 +5656,506 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')
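Review bot: In the `@@ -34420,15 +34670,14 @@` hunk, `userdom_manage_all_users_keys` grants `allow $1 userdomain:key manage_key_perms;`, i.e. the manage_key_perms set over the keys of every domain carrying the `userdomain` attribute, and nothing in the new lines narrows that to the caller's own user; the hunk itself only moves which `gen_require` lines are counted as context versus added, so the generated interface looks unchanged from this view. The interface's summary and description lines are not visible here (the rendered tags appear to have been stripped), so I cannot confirm the documentation states that this reaches other users' keys; if it does not, add `## Manage the keys of all user domains, including keys belonging to other users.` to the description so callers are wired only into domains meant to hold that power. The `@@ -34463,13 +34712,10 @@` hunk is the matching realignment on the re-declared `userdom_dbus_send_all_users` and needs no separate note.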