- Add back in unconfined.pp and unconfineduser.pp

- Add Sandbox unshare
2009-08-26 20:19:02 +00:00 · 2009-08-26 20:19:02 +00:00 · 42f9effee7
commit 42f9effee7
parent 07c04f81b6
4 changed files with 361 additions and 146 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -1301,6 +1301,13 @@ selinuxutil = base
 # 
 sendmail = base

+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
 # Layer: services
 # Module: shorewall
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1301,6 +1301,13 @@ selinuxutil = base
 # 
 sendmail = base

+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
 # Layer: services
 # Module: shorewall
 #
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -3604,8 +3604,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te	2009-08-26 08:11:55.000000000 -0400
-@@ -22,7 +22,11 @@
+++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te	2009-08-26 11:42:50.000000000 -0400
+@@ -22,7 +22,12 @@
 allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
 allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
 allow pulseaudio_t self:udp_socket create_socket_perms;
@ -3613,11 +3613,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 +can_exec(pulseaudio_t, pulseaudio_exec_t)
 +
+kernel_getattr_proc(pulseaudio_t)
 +kernel_read_system_state(pulseaudio_t)
 kernel_read_kernel_sysctls(pulseaudio_t)
 
 corecmd_exec_bin(pulseaudio_t)
-@@ -47,6 +51,7 @@
+@@ -47,6 +52,7 @@
 
 fs_rw_anon_inodefs_files(pulseaudio_t)
 fs_getattr_tmpfs(pulseaudio_t)
@ -3625,7 +3626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 term_use_all_user_ttys(pulseaudio_t)
 term_use_all_user_ptys(pulseaudio_t)
-@@ -78,6 +83,15 @@
+@@ -78,6 +84,15 @@
 	policykit_domtrans_auth(pulseaudio_t)
 	policykit_read_lib(pulseaudio_t)
 	policykit_read_reload(pulseaudio_t)
@ -3641,7 +3642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -85,8 +99,7 @@
+@@ -85,8 +100,7 @@
 ')
 
 optional_policy(`
@ -4155,8 +4156,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# No types are sandbox_exec_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.28/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.28/policy/modules/apps/sandbox.if	2009-08-21 18:56:07.000000000 -0400
-@@ -0,0 +1,143 @@
+++ serefpolicy-3.6.28/policy/modules/apps/sandbox.if	2009-08-26 15:34:36.000000000 -0400
+@@ -0,0 +1,167 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@ -4180,12 +4181,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	gen_require(`
 +		type sandbox_xserver_t;
 +		attribute sandbox_domain;
+		attribute sandbox_x_domain;
+		attribute sandbox_file_type;
 +	')
 +
 +	allow $1 sandbox_domain:process transition;
 +	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
 +	role $2 types sandbox_domain;
+	allow sandbox_domain $1:process sigchld;
+
+	allow $1 sandbox_x_domain:process transition;
+	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+	role $2 types sandbox_x_domain;
 +	role $2 types sandbox_xserver_t;
+	allow sandbox_x_domain $1:process sigchld;
+
+	manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
+	manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
+	manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
+	manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
+	manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
+	allow $1 sandbox_file_type:dir relabelto;
 +')
 +
 +########################################
@ -4203,12 +4219,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	gen_require(`
 +		attribute sandbox_domain;
+		attribute sandbox_file_type;
 +	')
 +
 +	type $1_t, sandbox_domain;
 +	domain_type($1_t)
 +
-+	type $1_file_t;
+	type $1_file_t, sandbox_file_type;
 +	files_type($1_file_t)
 +
 +	can_exec($1_t, $1_file_t)
@ -4237,16 +4254,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		attribute sandbox_domain, sandbox_x_domain;
 +	')
 +
-+	sandbox_domain_template($1)
+	type $1_t, sandbox_x_domain;
+	domain_type($1_t)
 +
-+	
-+	typeattribute $1_t sandbox_x_domain;
+	type $1_file_t, sandbox_file_type;
+	files_type($1_file_t)
+
+	can_exec($1_t, $1_file_t)
+	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+	manage_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
 +
 +	# window manager
 +	miscfiles_setattr_fonts($1_t)
 +	allow $1_t self:capability setuid;
 +
-+	type $1_client_t, sandbox_x_domain, sandbox_domain;
+	type $1_client_t, sandbox_x_domain;
 +	domain_type($1_client_t)
 +
 +	type $1_client_tmpfs_t;
@ -4302,12 +4327,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.28/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.28/policy/modules/apps/sandbox.te	2009-08-21 18:56:07.000000000 -0400
-@@ -0,0 +1,274 @@
+++ serefpolicy-3.6.28/policy/modules/apps/sandbox.te	2009-08-26 16:12:59.000000000 -0400
+@@ -0,0 +1,302 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
 +attribute sandbox_x_domain;
+attribute sandbox_file_type;
 +
 +########################################
 +#
@ -4337,7 +4363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
 +allow sandbox_xserver_t self:shm create_shm_perms;
-+allow sandbox_xserver_t self:tcp_socket create_socket_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
 +manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
@ -4392,10 +4418,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +
 +## internal communication is often done using fifo and unix sockets.
-+allow sandbox_domain self:fifo_file rw_file_perms;
+allow sandbox_domain self:fifo_file manage_file_perms;
 +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
 +
-+files_rw_all_inherited_files(sandbox_domain)
+gen_require(`
+	type usr_t, lib_t, locale_t;
+	attribute exec_type;
+')
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -usr_t -lib_t -locale_t )
 +files_entrypoint_all_files(sandbox_domain)
 +
 +miscfiles_read_localization(sandbox_domain)
@ -4403,11 +4434,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +kernel_dontaudit_read_system_state(sandbox_domain)
 +corecmd_exec_all_executables(sandbox_domain)
 +
+userdom_dontaudit_use_user_terminals(sandbox_domain)
 +
 +########################################
 +#
 +# sandbox_x_domain local policy
 +#
+## internal communication is often done using fifo and unix sockets.
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
 +allow sandbox_x_domain self:process { signal_perms getsched setpgid };
 +allow sandbox_x_domain self:shm create_shm_perms;
 +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
@ -4415,20 +4451,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
 +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +
+files_search_home(sandbox_x_domain)
+
+kernel_read_system_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
+
+
 +dev_read_urand(sandbox_x_domain)
 +dev_dontaudit_read_rand(sandbox_x_domain)
 +
+files_entrypoint_all_files(sandbox_x_domain)
 +files_read_etc_files(sandbox_x_domain)
 +files_read_usr_files(sandbox_x_domain)
 +files_read_usr_symlinks(sandbox_x_domain)
 +
 +fs_getattr_tmpfs(sandbox_x_domain)
 +fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
 +
 +auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_use_nsswitch(sandbox_x_domain)
 +
 +init_read_utmp(sandbox_x_domain)
 +
+miscfiles_read_localization(sandbox_x_domain)
+
 +term_getattr_pty_fs(sandbox_x_domain)
 +term_use_ptmx(sandbox_x_domain)
 +
@ -4445,6 +4493,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	cups_read_rw_config(sandbox_x_domain)
 +')
 +
+#============= sandbox_x_t ==============
+allow sandbox_x_t home_root_t:dir search;
+allow sandbox_x_t user_devpts_t:chr_file { read write };
+
+
 +########################################
 +#
 +# sandbox_x_client_t local policy
@ -4623,6 +4676,133 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +         manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +         manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.28/policy/modules/apps/seunshare.fc
+--- nsaserefpolicy/policy/modules/apps/seunshare.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.28/policy/modules/apps/seunshare.fc	2009-08-26 11:10:13.000000000 -0400
+@@ -0,0 +1,2 @@
+
+/usr/sbin/seunshare	--	gen_context(system_u:object_r:seunshare_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.28/policy/modules/apps/seunshare.if
+--- nsaserefpolicy/policy/modules/apps/seunshare.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.28/policy/modules/apps/seunshare.if	2009-08-26 11:46:03.000000000 -0400
+@@ -0,0 +1,76 @@
+
+## <summary>policy for seunshare</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run seunshare.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seunshare_domtrans',`
+	gen_require(`
+		type seunshare_t;
+                type seunshare_exec_t;
+	')
+
+	domtrans_pattern($1,seunshare_exec_t,seunshare_t)
+')
+
+
+########################################
+## <summary>
+##	Execute seunshare in the seunshare domain, and
+##	allow the specified role the seunshare domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the seunshare domain.
+##	</summary>
+## </param>
+#
+interface(`seunshare_run',`
+	gen_require(`
+		type seunshare_t;
+	')
+
+	seunshare_domtrans($1)
+	sandbox_transition(seunshare_t, $2)
+	role $2 types seunshare_t;
+')
+
+########################################
+## <summary>
+##	Role access for seunshare
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`seunshare_role',`
+	gen_require(`
+              type seunshare_t;
+	')
+
+	role $2 types seunshare_t;
+
+	seunshare_domtrans($1)
+
+	ps_process_pattern($2, seunshare_t)
+	allow $2 seunshare_t:process signal;
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.28/policy/modules/apps/seunshare.te
+--- nsaserefpolicy/policy/modules/apps/seunshare.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.28/policy/modules/apps/seunshare.te	2009-08-26 16:07:56.000000000 -0400
+@@ -0,0 +1,37 @@
+policy_module(seunshare,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type seunshare_t;
+type seunshare_exec_t;
+application_domain(seunshare_t, seunshare_exec_t)
+role system_r types seunshare_t;
+
+permissive seunshare_t;
+
+########################################
+#
+# seunshare local policy
+#
+
+allow seunshare_t self:process { fork setexec signal };
+allow seunshare_t self:capability setpcap;
+allow seunshare_t self:process { getcap setcap };
+
+allow seunshare_t self:fifo_file rw_file_perms;
+allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(seunshare_t)
+files_mounton_all_poly_members(seunshare_t)
+
+corecmd_exec_shell(seunshare_t)
+corecmd_exec_bin(seunshare_t)
+
+auth_use_nsswitch(seunshare_t)
+
+miscfiles_read_localization(seunshare_t)
+
+userdom_use_user_terminals(seunshare_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.28/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-07-28 13:28:33.000000000 -0400
 +++ serefpolicy-3.6.28/policy/modules/apps/vmware.fc	2009-08-21 18:56:07.000000000 -0400
@ -4795,7 +4975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc	2009-08-21 18:56:07.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc	2009-08-26 13:56:26.000000000 -0400
@@ -54,6 +54,7 @@
 /etc/cron.weekly/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cron.monthly/.*		--	gen_context(system_u:object_r:bin_t,s0)
@ -4822,7 +5002,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 # /usr
 #
-@@ -315,3 +320,21 @@
+@@ -221,6 +226,7 @@
+ /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+@@ -315,3 +321,21 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -5582,7 +5770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.28/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/kernel/files.if	2009-08-22 09:30:11.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/kernel/files.if	2009-08-26 15:56:29.000000000 -0400
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -5957,11 +6145,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		attribute file_type;
 +	')
 +
-+	allow $1 file_type:dir search_dir_perms;
-+	allow $1 file_type:file { getattr read write append lock };
-+	allow $1 file_type:fifo_file { getattr read write append ioctl lock };
-+	allow $1 file_type:sock_file { getattr read write append ioctl lock };
-+	allow $1 file_type:chr_file { getattr read write append ioctl lock };
+	allow $1 { file_type $2 }:dir search_dir_perms;
+	allow $1 { file_type $2 }:file { getattr read write append lock };
+	allow $1 { file_type $2 }:fifo_file { getattr read write append ioctl lock };
+	allow $1 { file_type $2 }:sock_file { getattr read write append ioctl lock };
+	allow $1 { file_type $2 }:chr_file { getattr read write append ioctl lock };
 +')
 +
 +########################################
@ -15176,7 +15364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.28/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/services/postgresql.te	2009-08-21 18:56:07.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/services/postgresql.te	2009-08-26 14:57:08.000000000 -0400
@@ -32,6 +32,9 @@
 type postgresql_etc_t;
 files_config_file(postgresql_etc_t)
@ -15207,7 +15395,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_sendrecv_postgresql_server_packets(postgresql_t)
 corenet_sendrecv_auth_client_packets(postgresql_t)
 
-@@ -247,6 +253,7 @@
+@@ -242,11 +248,12 @@
+ files_read_etc_runtime_files(postgresql_t)
+ files_read_usr_files(postgresql_t)
+ 
+-auth_use_nsswitch(postgresql_t)
+auth_use_pam(postgresql_t)
+ 
 init_read_utmp(postgresql_t)
 
 logging_send_syslog_msg(postgresql_t)
@ -26139,7 +26333,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.28/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/system/userdomain.if	2009-08-25 09:28:37.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/system/userdomain.if	2009-08-26 16:12:51.000000000 -0400
@@ -30,8 +30,9 @@
 	')
 
@ -26584,7 +26778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	##############################
 	#
-@@ -511,182 +525,195 @@
+@@ -511,182 +525,203 @@
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -26695,159 +26889,165 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	tunable_policy(`user_direct_mouse',`
 -		dev_read_mouse($1_t)
-	')
-
-	tunable_policy(`user_ttyfile_stat',`
-		term_getattr_all_user_ttys($1_t)
 +		dev_read_mouse($1_usertype)
 	')
 
- 	optional_policy(`
-		alsa_read_rw_config($1_t)
+-	tunable_policy(`user_ttyfile_stat',`
+-		term_getattr_all_user_ttys($1_t)
+	optional_policy(`
 +		alsa_read_rw_config($1_usertype)
 	')
 
 	optional_policy(`
- 		# Allow graphical boot to check battery lifespan
-		apm_stream_connect($1_t)
+-		alsa_read_rw_config($1_t)
+		# Allow graphical boot to check battery lifespan
 +		apm_stream_connect($1_usertype)
 	')
 
 	optional_policy(`
-		canna_stream_connect($1_t)
+-		# Allow graphical boot to check battery lifespan
+-		apm_stream_connect($1_t)
 +		canna_stream_connect($1_usertype)
+	')
+
+	optional_policy(`
+		dbus_system_bus_client($1_usertype)
+
+		allow $1_usertype $1_usertype:dbus  send_msg;
+
+		optional_policy(`
+			avahi_dbus_chat($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		canna_stream_connect($1_t)
+			bluetooth_dbus_chat($1_usertype)
 	')
 
 	optional_policy(`
 -		dbus_system_bus_client($1_t)
-+		dbus_system_bus_client($1_usertype)
-+
-+		allow $1_usertype $1_usertype:dbus  send_msg;
+			consolekit_dbus_chat($1_usertype)
+			consolekit_read_log($1_usertype)
+		')
 
 		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			avahi_dbus_chat($1_usertype)
- 		')
- 
- 		optional_policy(`
-			evolution_dbus_chat($1_t)
-			evolution_alarm_dbus_chat($1_t)
-+			bluetooth_dbus_chat($1_usertype)
- 		')
- 
- 		optional_policy(`
-			cups_dbus_chat_config($1_t)
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
- 		')
- 
- 		optional_policy(`
-			hal_dbus_chat($1_t)
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
 		')
 
 		optional_policy(`
-			networkmanager_dbus_chat($1_t)
-		')
+-			evolution_dbus_chat($1_t)
+-			evolution_alarm_dbus_chat($1_t)
 +			evolution_dbus_chat($1_usertype)
 +			evolution_alarm_dbus_chat($1_usertype)
+ 		')
+ 
+ 		optional_policy(`
+-			cups_dbus_chat_config($1_t)
+			hal_dbus_chat($1_usertype)
+ 		')
+ 
+ 		optional_policy(`
+-			hal_dbus_chat($1_t)
+			networkmanager_dbus_chat($1_usertype)
+ 		')
+ 
+ 		optional_policy(`
+-			networkmanager_dbus_chat($1_t)
+			vpnc_dbus_chat($1_usertype)
+ 		')
 	')
 
 	optional_policy(`
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
-+			hal_dbus_chat($1_usertype)
+		inetd_use_fds($1_usertype)
+		inetd_rw_tcp_sockets($1_usertype)
 	')
 
 	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+			networkmanager_dbus_chat($1_usertype)
- 	')
- 
- 	optional_policy(`
-		locate_read_lib_files($1_t)
-+			vpnc_dbus_chat($1_usertype)
-+		')
- 	')
- 
-	# for running depmod as part of the kernel packaging process
- 	optional_policy(`
-		modutils_read_module_config($1_t)
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
- 	')
- 
- 	optional_policy(`
-		mta_rw_spool($1_t)
 +		inn_read_config($1_usertype)
 +		inn_read_news_lib($1_usertype)
 +		inn_read_news_spool($1_usertype)
 	')
 
 	optional_policy(`
-		tunable_policy(`allow_user_mysql_connect',`
-			mysql_stream_connect($1_t)
+-		locate_read_lib_files($1_t)
 +		locate_read_lib_files($1_usertype)
- 		')
-+
-+	# for running depmod as part of the kernel packaging process
-+	optional_policy(`
-+		modutils_read_module_config($1_usertype)
 	')
 
+ 	# for running depmod as part of the kernel packaging process
 	optional_policy(`
-		# to allow monitoring of pcmcia status
-		pcmcia_read_pid($1_t)
+-		modutils_read_module_config($1_t)
+		modutils_read_module_config($1_usertype)
+	')
+
+	optional_policy(`
 +		mta_rw_spool($1_usertype)
 +		mta_manage_queue($1_usertype)
 	')
 
 	optional_policy(`
-		pcscd_read_pub_files($1_t)
-		pcscd_stream_connect($1_t)
+-		mta_rw_spool($1_t)
 +		nsplugin_role($1_r, $1_usertype)
 	')
 
 	optional_policy(`
- 		tunable_policy(`allow_user_postgresql_connect',`
-			postgresql_stream_connect($1_t)
-			postgresql_tcp_connect($1_t)
+-		tunable_policy(`allow_user_mysql_connect',`
+-			mysql_stream_connect($1_t)
+		tunable_policy(`allow_user_postgresql_connect',`
 +			postgresql_stream_connect($1_usertype)
-+		')
 		')
-+
-+	optional_policy(`
-+		# to allow monitoring of pcmcia status
+ 	')
+ 
+ 	optional_policy(`
+ 		# to allow monitoring of pcmcia status
+-		pcmcia_read_pid($1_t)
 +		pcmcia_read_pid($1_usertype)
 	')
 
 	optional_policy(`
-		resmgr_stream_connect($1_t)
+-		pcscd_read_pub_files($1_t)
+-		pcscd_stream_connect($1_t)
 +		pcscd_read_pub_files($1_usertype)
 +		pcscd_stream_connect($1_usertype)
 	')
 
 	optional_policy(`
-		rpc_dontaudit_getattr_exports($1_t)
-		rpc_manage_nfs_rw_content($1_t)
+-		tunable_policy(`allow_user_postgresql_connect',`
+-			postgresql_stream_connect($1_t)
+-			postgresql_tcp_connect($1_t)
+-		')
 +		resmgr_stream_connect($1_usertype)
 	')
 
 	optional_policy(`
-		samba_stream_connect_winbind($1_t)
+-		resmgr_stream_connect($1_t)
 +		rpc_dontaudit_getattr_exports($1_usertype)
 +		rpc_manage_nfs_rw_content($1_usertype)
 	')
 
 	optional_policy(`
-		slrnpull_search_spool($1_t)
+-		rpc_dontaudit_getattr_exports($1_t)
+-		rpc_manage_nfs_rw_content($1_t)
 +		samba_stream_connect_winbind($1_usertype)
 	')
 
+ 	optional_policy(`
+-		samba_stream_connect_winbind($1_t)
+		sandbox_transition($1_t, $1_r)
+ 	')
+ 
+ 	optional_policy(`
+-		slrnpull_search_spool($1_t)
+		seunshare_run($1_t, $1_r)
+ 	')
+ 
 	optional_policy(`
 -		usernetctl_run($1_t,$1_r)
 +		slrnpull_search_spool($1_usertype)
@ -26856,23 +27056,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 #######################################
-@@ -714,13 +741,26 @@
+@@ -714,13 +749,26 @@
 
 	userdom_base_user_template($1)
 
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
+
+	userdom_manage_tmp_role($1_r, $1_usertype)
+	userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+	ifelse(`$1',`unconfined',`',`
+		gen_tunable(allow_$1_exec_content, true)
 
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
- 
-	userdom_exec_user_tmp_files($1_t)
-	userdom_exec_user_home_content_files($1_t)
-+	ifelse(`$1',`unconfined',`',`
-+		gen_tunable(allow_$1_exec_content, true)
-+
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@ -26880,7 +27078,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@ -26888,7 +27088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	userdom_change_password_template($1)
 
-@@ -738,70 +778,71 @@
+@@ -738,70 +786,71 @@
 
 	allow $1_t self:context contains;
 
@ -26993,7 +27193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -838,6 +879,28 @@
+@@ -838,6 +887,28 @@
 	# Local policy
 	#
 
@ -27022,7 +27222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		loadkeys_run($1_t,$1_r)
 	')
-@@ -868,7 +931,10 @@
+@@ -868,7 +939,10 @@
 
 	userdom_restricted_user_template($1)
 
@ -27034,7 +27234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	##############################
 	#
-@@ -876,14 +942,19 @@
+@@ -876,14 +950,19 @@
 	#
 
 	auth_role($1_r, $1_t)
@ -27059,7 +27259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	logging_dontaudit_send_audit_msgs($1_t)
 
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -891,28 +962,47 @@
+@@ -891,28 +970,47 @@
 	selinux_get_enforce_mode($1_t)
 
 	optional_policy(`
@ -27075,15 +27275,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		devicekit_dbus_chat($1_usertype)
 +		devicekit_dbus_chat_disk($1_usertype)
 +		devicekit_dbus_chat_power($1_usertype)
+	')
+
+	optional_policy(`
+		fprintd_dbus_chat($1_t)
 	')
 
 	optional_policy(`
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
-+		fprintd_dbus_chat($1_t)
-+	')
-+
-+	optional_policy(`
 +		gnomeclock_dbus_chat($1_t)
 +	')	  
 
@ -27114,7 +27314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -946,8 +1036,8 @@
+@@ -946,8 +1044,8 @@
 	# Declarations
 	#
 
@ -27124,7 +27324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_common_user_template($1)
 
 	##############################
-@@ -956,11 +1046,12 @@
+@@ -956,11 +1054,12 @@
 	#
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -27139,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
-@@ -978,36 +1069,53 @@
+@@ -978,36 +1077,53 @@
 		')
 	')
 
@ -27207,7 +27407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -1042,7 +1150,7 @@
+@@ -1042,7 +1158,7 @@
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
@ -27216,7 +27416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	##############################
-@@ -1051,8 +1159,7 @@
+@@ -1051,8 +1167,7 @@
 	#
 
 	# Inherit rules for ordinary users.
@ -27226,7 +27426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
-@@ -1075,7 +1182,8 @@
+@@ -1075,7 +1190,8 @@
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
@ -27236,7 +27436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1091,6 +1199,7 @@
+@@ -1091,6 +1207,7 @@
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -27244,7 +27444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1098,8 +1207,6 @@
+@@ -1098,8 +1215,6 @@
 
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
@ -27253,7 +27453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1126,6 +1233,7 @@
+@@ -1126,6 +1241,7 @@
 	files_exec_usr_src_files($1_t)
 
 	fs_getattr_all_fs($1_t)
@ -27261,7 +27461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
-@@ -1154,20 +1262,6 @@
+@@ -1154,20 +1270,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -27282,7 +27482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1213,6 +1307,7 @@
+@@ -1213,6 +1315,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -27290,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1278,11 +1373,15 @@
+@@ -1278,11 +1381,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -27306,7 +27506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1374,12 +1473,13 @@
+@@ -1374,12 +1481,13 @@
 	')
 
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -27321,7 +27521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1412,6 +1512,14 @@
+@@ -1412,6 +1520,14 @@
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -27336,7 +27536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1427,9 +1535,11 @@
+@@ -1427,9 +1543,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -27348,7 +27548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1486,6 +1596,25 @@
+@@ -1486,6 +1604,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -27374,7 +27574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1560,6 +1689,8 @@
+@@ -1560,6 +1697,8 @@
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -27383,7 +27583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1653,6 +1784,7 @@
+@@ -1653,6 +1792,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -27391,7 +27591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1780,19 +1912,32 @@
+@@ -1780,19 +1920,32 @@
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -27431,7 +27631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1827,6 +1972,7 @@
+@@ -1827,6 +1980,7 @@
 interface(`userdom_manage_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -27439,7 +27639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2374,7 +2520,7 @@
+@@ -2374,7 +2528,7 @@
 
 ########################################
 ## <summary>
@ -27448,7 +27648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2728,11 +2874,32 @@
+@@ -2728,11 +2882,32 @@
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -27483,7 +27683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -2860,7 +3027,25 @@
+@@ -2860,7 +3035,25 @@
 		type user_tmp_t;
 	')
 
@ -27510,7 +27710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -2897,6 +3082,7 @@
+@@ -2897,6 +3090,7 @@
 	')
 
 	read_files_pattern($1, userdomain, userdomain)
@ -27518,7 +27718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
 
-@@ -3027,3 +3213,559 @@
+@@ -3027,3 +3221,559 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -443,6 +443,7 @@ exit 0
 %changelog
 * Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-8
 - Add back in unconfined.pp and unconfineduser.pp
+- Add Sandbox unshare

 * Tue Aug 25 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-7
 - Fixes for cdrecord, mdadm, and others