- Fix userdom_list_user_files

Daniel J Walsh 2008-02-19 22:20:15 +00:00
parent eb3e9fbc68
commit 306393505f
2 changed files with 196 additions and 31 deletions


@ -1423,6 +1423,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2008-02-18 14:30:19.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/admin/vpn.te 2008-02-19 10:59:29.000000000 -0500
@@ -24,7 +24,8 @@
allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
allow vpnc_t self:process getsched;
-allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.8/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.8/policy/modules/apps/ethereal.fc 2008-02-18 14:57:04.000000000 -0500
@ -2546,7 +2559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/apps/java.fc 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/apps/java.fc 2008-02-19 10:48:39.000000000 -0500
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@ -2555,7 +2568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,13 @@
@@ -20,5 +21,14 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@ -2566,6 +2579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+/usr/matlab(/.*)?/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
@ -4643,7 +4657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/corecommands.fc 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/corecommands.fc 2008-02-19 09:58:42.000000000 -0500
@@ -7,11 +7,11 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@ -4700,9 +4714,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -186,7 +193,10 @@
@@ -185,8 +192,12 @@
/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
@ -4711,7 +4727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -284,3 +294,9 @@
@@ -284,3 +295,10 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@ -4721,6 +4737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.8/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/corecommands.if 2008-02-18 14:57:04.000000000 -0500
@ -4826,7 +4843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(xen, tcp,8002,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.fc 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.fc 2008-02-19 10:48:15.000000000 -0500
@@ -1,7 +1,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
@ -4836,7 +4853,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -16,28 +16,40 @@
@@ -12,32 +12,45 @@
/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
@ -4877,7 +4899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -48,6 +60,7 @@
@@ -48,6 +61,7 @@
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@ -4885,7 +4907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
@@ -69,9 +82,8 @@
@@ -69,9 +83,8 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
@ -4897,7 +4919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
@@ -98,13 +110,23 @@
@@ -98,13 +111,23 @@
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
@ -4923,7 +4945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.if 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.if 2008-02-19 10:51:36.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@ -5073,10 +5095,120 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
@@ -3322,3 +3434,96 @@
typeattribute $1 devices_unconfined_type;
')
+
+########################################
+## <summary>
+## Get the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_autofs_dev',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ getattr_chr_files_pattern($1,device_t,autofs_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
+ dontaudit $1 autofs_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Set the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_autofs_dev',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ setattr_chr_files_pattern($1,device_t,autofs_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the attributes of
+## the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
+ dontaudit $1 autofs_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## Read and write the autofs device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_autofs',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ rw_chr_files_pattern($1,device_t,autofs_device_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.8/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.te 2008-02-18 14:57:04.000000000 -0500
@@ -66,12 +66,25 @@
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.te 2008-02-19 10:49:19.000000000 -0500
@@ -32,6 +32,12 @@
type apm_bios_t;
dev_node(apm_bios_t)
+#
+# Type for /dev/autofs
+#
+type autofs_device_t;
+dev_node(autofs_device_t)
+
type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)
@@ -66,12 +72,25 @@
dev_node(framebuf_device_t)
#
@ -7160,7 +7292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/automount.te 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/automount.te 2008-02-19 10:52:07.000000000 -0500
@@ -20,6 +20,9 @@
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
@ -7198,7 +7330,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
@@ -126,8 +129,12 @@
@@ -101,6 +104,7 @@
# for SSP
dev_read_rand(automount_t)
dev_read_urand(automount_t)
+dev_rw_autofs(automount_t)
domain_use_interactive_fds(automount_t)
domain_dontaudit_read_all_domains_state(automount_t)
@@ -126,8 +130,12 @@
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
@ -7211,7 +7351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
libs_use_ld_so(automount_t)
libs_use_shared_libs(automount_t)
@@ -140,10 +147,6 @@
@@ -140,10 +148,6 @@
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
@ -7222,7 +7362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_sysadm_home_dirs(automount_t)
@@ -162,11 +165,12 @@
@@ -162,11 +166,12 @@
')
optional_policy(`
@ -8773,7 +8913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/cups.fc 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/cups.fc 2008-02-19 10:03:13.000000000 -0500
@@ -8,24 +8,28 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -8817,7 +8957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -50,3 +54,9 @@
@@ -50,3 +54,10 @@
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@ -8827,6 +8967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+
+/etc/rc.d/init.d/cups -- gen_context(system_u:object_r:cups_script_exec_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.2.8/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/cups.if 2008-02-18 14:57:04.000000000 -0500
@ -9375,7 +9516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.2.8/policy/modules/services/cyphesis.te
--- nsaserefpolicy/policy/modules/services/cyphesis.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/cyphesis.te 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/cyphesis.te 2008-02-19 17:06:51.000000000 -0500
@@ -0,0 +1,92 @@
+policy_module(cyphesis,1.0.0)
+
@ -9442,7 +9583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
+corenet_tcp_sendrecv_all_nodes(cyphesis_t)
+corenet_all_recvfrom_unlabeled(cyphesis_t)
+corenet_tcp_bind_all_nodes(cyphesis_t)
+corenet_tcp_cyphesis_bind(cyphesis_t)
+corenet_tcp_bind_cyphesis_port(cyphesis_t)
+corenet_tcp_sendrecv_all_ports(cyphesis_t)
+
+# Init script handling
@ -9571,7 +9712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/dbus.if 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/dbus.if 2008-02-19 15:48:52.000000000 -0500
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -12627,6 +12768,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
########################################
#
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.2.8/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc 2007-11-16 13:45:14.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/lpd.fc 2008-02-19 10:01:14.000000000 -0500
@@ -22,6 +22,8 @@
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
#
@@ -30,3 +32,4 @@
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.8/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/lpd.if 2008-02-18 14:57:04.000000000 -0500
@ -13426,7 +13584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.8/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/nagios.fc 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/nagios.fc 2008-02-19 15:22:13.000000000 -0500
@@ -4,13 +4,19 @@
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
@ -13434,7 +13592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
@ -22757,7 +22915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/system/libraries.fc 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/system/libraries.fc 2008-02-19 10:39:35.000000000 -0500
@@ -133,6 +133,7 @@
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -22800,13 +22958,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -304,3 +309,6 @@
@@ -304,3 +309,9 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-06 10:33:22.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/system/libraries.te 2008-02-18 14:57:04.000000000 -0500
@ -25608,7 +25769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/system/userdomain.if 2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/system/userdomain.if 2008-02-19 10:26:53.000000000 -0500
@@ -29,9 +29,14 @@
')
@ -27962,11 +28123,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+#
+interface(`userdom_list_user_files',`
+ gen_require(`
+ attribute $1_file_type;
+ attribute $1_home_type;
+ ')
+
+ allow $2 $1_file_type:dir search_dir_perms;
+ allow $2 $1_file_type:file getattr;
+ allow $2 $1_home_type:dir search_dir_perms;
+ allow $2 $1_home_type:file getattr;
+')
+
+########################################
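Review bot: The new `userdom_list_user_files` interface at the end of the userdomain.if hunk grants only `search_dir_perms` on the `$1_file_type` and `$1_home_type` directories, so a caller can stat files whose paths it already knows but cannot enumerate a directory, which is what "list" means for the other `*_list_*` interfaces in this policy (they use `list_dir_perms`). Either the interface should be named for what it grants (`userdom_search_user_files`) or the two dir lines should become `allow $2 $1_file_type:dir list_dir_perms;` and `allow $2 $1_home_type:dir list_dir_perms;`. Because this rendered page has lost the outer `+`/`-` markers, it is not clear which of these lines the commit's fix actually touched, and the interface's `<summary>` header starts before the hunk, so the documented intent cannot be checked here. Separately, in the devices.if hunk the new `dev_rw_autofs` interface drops the `_autofs_dev` suffix that its four sibling interfaces use; `dev_rw_autofs_dev` would keep the naming consistent with `dev_getattr_autofs_dev` and `dev_setattr_autofs_dev`.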


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.8
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -387,6 +387,10 @@ exit 0
%endif
%changelog
* Tue Feb 19 2008 Dan Walsh <dwalsh@redhat.com> 3.2.8-2
- Fix userdom_list_user_files
* Fri Feb 15 2008 Dan Walsh <dwalsh@redhat.com> 3.2.8-1
- Merge with upstream