- Additional access for nsplugin

- Allow xdm setcap/getcap until pulseaudio is fixed
This commit is contained in:
Daniel J Walsh 2008-03-28 21:09:45 +00:00
parent f70afcdd9e
commit 478aeeca6b


@ -1885,7 +1885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
-') -')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.3.1/policy/modules/admin/logrotate.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.3.1/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-02-19 23:24:26.000000000 +0100 --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-02-19 23:24:26.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-02-26 14:29:22.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-03-28 10:55:06.000000000 +0100
@@ -96,9 +96,11 @@ @@ -96,9 +96,11 @@
files_read_etc_files(logrotate_t) files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t) files_read_etc_runtime_files(logrotate_t)
@ -3042,7 +3042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 16:20:12.000000000 +0200 --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 16:20:12.000000000 +0200
+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-02-26 14:29:22.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-03-27 23:42:35.000000000 +0100
@@ -33,9 +33,60 @@ @@ -33,9 +33,60 @@
## </param> ## </param>
# #
@ -4302,13 +4302,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 11:32:09.000000000 +0100 --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 11:32:09.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-02-26 14:29:22.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-03-28 21:10:09.000000000 +0100
@@ -44,3 +44,5 @@ @@ -44,3 +44,6 @@
optional_policy(` optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t) nscd_dontaudit_search_pid(loadkeys_t)
') ')
+ +
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
+userdom_dontaudit_list_user_home_dirs(user, loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 18:57:22.000000000 +0100 --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 18:57:22.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-03-03 14:24:51.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-03-03 14:24:51.000000000 +0100
@ -5085,8 +5086,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc 2008-03-25 22:48:09.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc 2008-03-27 23:41:57.000000000 +0100
@@ -0,0 +1,8 @@ @@ -0,0 +1,9 @@
+ +
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
@ -5095,10 +5096,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:user_nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1970-01-01 01:00:00.000000000 +0100 --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-25 06:36:27.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-28 08:16:42.000000000 +0100
@@ -0,0 +1,352 @@ @@ -0,0 +1,351 @@
+ +
+## <summary>policy for nsplugin</summary> +## <summary>policy for nsplugin</summary>
+ +
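Review bot: The added file-context entry `HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)` is shaped differently from the neighbouring `\.adobe(/.*)?` and `\.macromedia(/.*)?` entries: with the implicit anchoring of .fc patterns, `\.local.*` matches the entire `~/.local` tree and also any unrelated home entry whose name merely starts with `.local`. Since nsplugin_t already has manage_dirs/manage_files/manage_lnk_files over user_nsplugin_home_t and the nsplugin.te hunk below adds `exec_files_pattern` over the same type, this labels everything under `~/.local` as content the plugin domain may write and then execute. Suggest the sibling form `HOME_DIR/\.local(/.*)?` at minimum, and a comment stating why the whole `~/.local` tree, rather than the specific subdirectory the plugin wrapper uses, needs this label; the enclosing nsplugin.fc content continues outside this hunk.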
@ -5273,7 +5275,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ dontaudit nsplugin_t $2:process ptrace; + dontaudit nsplugin_t $2:process ptrace;
+ +
+ allow nsplugin_t $1_tmpfs_t:file { read getattr }; + allow nsplugin_t $1_tmpfs_t:file { read getattr };
+
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto; + allow $2 nsplugin_t:unix_stream_socket connectto;
+ +
@ -5453,8 +5454,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100 --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-14 16:50:19.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-28 09:20:56.000000000 +0100
@@ -0,0 +1,176 @@ @@ -0,0 +1,179 @@
+ +
+policy_module(nsplugin,1.0.0) +policy_module(nsplugin,1.0.0)
+ +
@ -5508,9 +5509,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+') +')
+ +
+manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) +manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
+exec_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
+manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) +manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, nsplugin_t, user_nsplugin_home_t, {file dir}) +userdom_user_home_dir_filetrans(user, nsplugin_t, user_nsplugin_home_t, {file dir})
+userdom_dontaudit_write_user_home_content_files(user, nsplugin_t)
+ +
+corecmd_exec_bin(nsplugin_t) +corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t) +corecmd_exec_shell(nsplugin_t)
@ -5575,6 +5578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ +
+optional_policy(` +optional_policy(`
+ gnome_exec_gconf(nsplugin_t) + gnome_exec_gconf(nsplugin_t)
+ gnome_manage_user_gnome_config(user, nsplugin_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -12462,7 +12466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 17:02:50.000000000 +0100 --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 17:02:50.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-03-04 16:11:49.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-03-27 23:55:52.000000000 +0100
@@ -53,6 +53,7 @@ @@ -53,6 +53,7 @@
gen_require(` gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -12615,7 +12619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
') ')
######################################## ########################################
@@ -292,6 +307,59 @@ @@ -292,6 +307,55 @@
######################################## ########################################
## <summary> ## <summary>
@ -12634,10 +12638,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+## </param> +## </param>
+# +#
+template(`dbus_connectto_user_bus',` +template(`dbus_connectto_user_bus',`
+ gen_require(`
+ type $1_dbusd_t;
+ ')
+
+ allow $2 $1_dbusd_t:unix_stream_socket connectto; + allow $2 $1_dbusd_t:unix_stream_socket connectto;
+') +')
+ +
@ -12675,7 +12675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Read dbus configuration. ## Read dbus configuration.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -366,3 +434,55 @@ @@ -366,3 +430,55 @@
allow $1 system_dbusd_t:dbus *; allow $1 system_dbusd_t:dbus *;
') ')
@ -14741,7 +14741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 14:17:58.000000000 +0100 --- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 14:17:58.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-21 23:49:34.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-28 10:45:08.000000000 +0100
@@ -8,6 +8,7 @@ @@ -8,6 +8,7 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@ -14813,7 +14813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 11:32:17.000000000 +0100 --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 11:32:17.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-21 23:50:19.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-28 08:16:08.000000000 +0100
@@ -49,6 +49,9 @@ @@ -49,6 +49,9 @@
type hald_var_lib_t; type hald_var_lib_t;
files_type(hald_var_lib_t) files_type(hald_var_lib_t)
@ -14852,7 +14852,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
auth_read_pam_console_data(hald_t) auth_read_pam_console_data(hald_t)
@@ -155,6 +160,8 @@ @@ -121,6 +126,7 @@
dev_rw_power_management(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
domain_use_interactive_fds(hald_t)
domain_read_all_domains_state(hald_t)
@@ -155,6 +161,8 @@
selinux_compute_relabel_context(hald_t) selinux_compute_relabel_context(hald_t)
selinux_compute_user_contexts(hald_t) selinux_compute_user_contexts(hald_t)
@ -14861,7 +14869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
storage_raw_read_removable_device(hald_t) storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t) storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t) storage_raw_read_fixed_disk(hald_t)
@@ -172,6 +179,8 @@ @@ -172,6 +180,8 @@
init_rw_utmp(hald_t) init_rw_utmp(hald_t)
init_telinit(hald_t) init_telinit(hald_t)
@ -14870,7 +14878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
libs_use_ld_so(hald_t) libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t) libs_use_shared_libs(hald_t)
libs_exec_ld_so(hald_t) libs_exec_ld_so(hald_t)
@@ -244,6 +253,10 @@ @@ -244,6 +254,10 @@
') ')
optional_policy(` optional_policy(`
@ -14881,7 +14889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
hotplug_read_config(hald_t) hotplug_read_config(hald_t)
') ')
@@ -265,6 +278,11 @@ @@ -265,6 +279,11 @@
') ')
optional_policy(` optional_policy(`
@ -14893,7 +14901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
rpc_search_nfs_state_data(hald_t) rpc_search_nfs_state_data(hald_t)
') ')
@@ -291,7 +309,8 @@ @@ -291,7 +310,8 @@
# #
allow hald_acl_t self:capability { dac_override fowner }; allow hald_acl_t self:capability { dac_override fowner };
@ -14903,7 +14911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
allow hald_t hald_acl_t:process signal; allow hald_t hald_acl_t:process signal;
@@ -301,9 +320,14 @@ @@ -301,9 +321,14 @@
manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t) manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_acl_t) files_search_var_lib(hald_acl_t)
@ -14918,7 +14926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
dev_getattr_generic_usb_dev(hald_acl_t) dev_getattr_generic_usb_dev(hald_acl_t)
dev_getattr_video_dev(hald_acl_t) dev_getattr_video_dev(hald_acl_t)
dev_setattr_video_dev(hald_acl_t) dev_setattr_video_dev(hald_acl_t)
@@ -325,6 +349,11 @@ @@ -325,6 +350,11 @@
miscfiles_read_localization(hald_acl_t) miscfiles_read_localization(hald_acl_t)
@ -14930,7 +14938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
######################################## ########################################
# #
# Local hald mac policy # Local hald mac policy
@@ -338,10 +367,14 @@ @@ -338,10 +368,14 @@
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t) files_search_var_lib(hald_mac_t)
@ -14945,7 +14953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
libs_use_ld_so(hald_mac_t) libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t) libs_use_shared_libs(hald_mac_t)
@@ -391,3 +424,7 @@ @@ -391,3 +425,7 @@
libs_use_shared_libs(hald_keymap_t) libs_use_shared_libs(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t) miscfiles_read_localization(hald_keymap_t)
@ -16432,7 +16440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 11:32:17.000000000 +0100 --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 11:32:17.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-17 16:21:36.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-28 11:44:38.000000000 +0100
@@ -25,26 +25,33 @@ @@ -25,26 +25,33 @@
type munin_var_run_t alias lrrd_var_run_t; type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t) files_pid_file(munin_var_run_t)
@ -16521,7 +16529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_sysadm_home_dirs(munin_t) userdom_dontaudit_search_sysadm_home_dirs(munin_t)
@@ -108,7 +126,20 @@ @@ -108,7 +126,21 @@
') ')
optional_policy(` optional_policy(`
@ -16531,6 +16539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+ +
+optional_policy(` +optional_policy(`
+ mta_read_config(munin_t) + mta_read_config(munin_t)
+ mta_send_mail(munin_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -16543,7 +16552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
') ')
optional_policy(` optional_policy(`
@@ -118,3 +149,9 @@ @@ -118,3 +150,9 @@
optional_policy(` optional_policy(`
udev_read_db(munin_t) udev_read_db(munin_t)
') ')
@ -25374,7 +25383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 11:32:17.000000000 +0100 --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 11:32:17.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-25 08:25:28.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-28 22:07:37.000000000 +0100
@@ -8,6 +8,14 @@ @@ -8,6 +8,14 @@
## <desc> ## <desc>
@ -25447,7 +25456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type iceauth_exec_t; type iceauth_exec_t;
-application_executable_file(iceauth_exec_t) -application_executable_file(iceauth_exec_t)
+application_domain(iceauth_t,iceauth_exec_t) +application_domain(iceauth_t,iceauth_exec_t)
+
+type input_xevent_t, xevent_type; +type input_xevent_t, xevent_type;
+type manage_xevent_t, xevent_type; +type manage_xevent_t, xevent_type;
+type output_xext_t, xextension_type; +type output_xext_t, xextension_type;
@ -25463,7 +25472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+type x_rootcolormap_t; +type x_rootcolormap_t;
+type x_rootscreen_t; +type x_rootscreen_t;
+type x_rootwindow_t; +type x_rootwindow_t;
+
+type xauth_t; +type xauth_t;
type xauth_exec_t; type xauth_exec_t;
-application_executable_file(xauth_exec_t) -application_executable_file(xauth_exec_t)
@ -25529,13 +25538,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(` optional_policy(`
prelink_object_file(xkb_var_lib_t) prelink_object_file(xkb_var_lib_t)
') ')
@@ -95,8 +196,11 @@ @@ -95,8 +196,13 @@
# XDM Local policy # XDM Local policy
# #
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:capability { getcap setcap };
+
+dontaudit xdm_t self:capability sys_admin; +dontaudit xdm_t self:capability sys_admin;
+ +
+allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms }; +allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
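Review bot: The new `allow xdm_t self:capability { getcap setcap };` line lets the display manager domain modify its own capability sets, and the commit message calls this a workaround "until pulseaudio is fixed", but nothing in the policy text records that it is temporary. The surrounding context already carries `sys_ptrace` and the `ptrace` process permission for xdm_t, so this widens an already privileged domain rather than a confined one. Suggest a comment directly above it, `# TODO: workaround for pulseaudio; remove when it no longer needs xdm to adjust capabilities`, and keeping it as the separate statement it is here so it can be dropped without touching the main capability line. The xdm policy block continues past the end of this hunk.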
@ -25543,7 +25554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms; allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms; allow xdm_t self:sem create_sem_perms;
@@ -109,6 +213,8 @@ @@ -109,6 +215,8 @@
allow xdm_t self:key { search link write }; allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@ -25552,7 +25563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary # Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t) can_exec(xdm_t, xdm_exec_t)
@@ -131,15 +237,22 @@ @@ -131,15 +239,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -25576,7 +25587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto; allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -153,6 +266,7 @@ @@ -153,6 +268,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms; allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -25584,7 +25595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket # connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
@@ -173,6 +287,8 @@ @@ -173,6 +289,8 @@
corecmd_exec_shell(xdm_t) corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t) corecmd_exec_bin(xdm_t)
@ -25593,7 +25604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t) corenet_all_recvfrom_netlabel(xdm_t)
@@ -184,6 +300,7 @@ @@ -184,6 +302,7 @@
corenet_udp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t) corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t)
@ -25601,7 +25612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t) corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t) corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t # xdm tries to bind to biff_port_t
@@ -196,6 +313,7 @@ @@ -196,6 +315,7 @@
dev_getattr_mouse_dev(xdm_t) dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t) dev_rw_apm_bios(xdm_t)
@ -25609,7 +25620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t) dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t) dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t) dev_rw_agp(xdm_t)
@@ -208,8 +326,8 @@ @@ -208,8 +328,8 @@
dev_setattr_video_dev(xdm_t) dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t) dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t)
@ -25620,7 +25631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t) dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t)
@@ -226,9 +344,12 @@ @@ -226,9 +346,12 @@
files_read_usr_files(xdm_t) files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm # Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t) files_create_boot_flag(xdm_t)
@ -25633,7 +25644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t)
@@ -237,6 +358,7 @@ @@ -237,6 +360,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t)
@ -25641,7 +25652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_console(xdm_t) term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t) term_use_unallocated_ttys(xdm_t)
@@ -245,6 +367,7 @@ @@ -245,6 +369,7 @@
auth_domtrans_pam_console(xdm_t) auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t) auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t) auth_manage_pam_console_data(xdm_t)
@ -25649,7 +25660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t) auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t) auth_write_login_records(xdm_t)
@@ -256,12 +379,11 @@ @@ -256,12 +381,11 @@
libs_exec_lib_files(xdm_t) libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t) logging_read_generic_logs(xdm_t)
@ -25663,7 +25674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t) userdom_create_all_users_keys(xdm_t)
@@ -270,8 +392,13 @@ @@ -270,8 +394,13 @@
# Search /proc for any user domain processes. # Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t) userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t) userdom_signal_all_users(xdm_t)
@ -25677,7 +25688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t) fs_manage_nfs_dirs(xdm_t)
@@ -301,10 +428,15 @@ @@ -301,10 +430,15 @@
optional_policy(` optional_policy(`
alsa_domtrans(xdm_t) alsa_domtrans(xdm_t)
@ -25694,7 +25705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
optional_policy(` optional_policy(`
@@ -312,6 +444,23 @@ @@ -312,6 +446,23 @@
') ')
optional_policy(` optional_policy(`
@ -25718,7 +25729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Talk to the console mouse server. # Talk to the console mouse server.
gpm_stream_connect(xdm_t) gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t) gpm_setattr_gpmctl(xdm_t)
@@ -322,6 +471,10 @@ @@ -322,6 +473,10 @@
') ')
optional_policy(` optional_policy(`
@ -25729,7 +25740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t) loadkeys_exec(xdm_t)
') ')
@@ -335,6 +488,11 @@ @@ -335,6 +490,11 @@
') ')
optional_policy(` optional_policy(`
@ -25741,7 +25752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
seutil_sigchld_newrole(xdm_t) seutil_sigchld_newrole(xdm_t)
') ')
@@ -343,8 +501,8 @@ @@ -343,8 +503,8 @@
') ')
optional_policy(` optional_policy(`
@ -25751,7 +25762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
@@ -380,7 +538,7 @@ @@ -380,7 +540,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search; dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -25760,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +550,15 @@ @@ -392,6 +552,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t) can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t) files_search_var_lib(xdm_xserver_t)
@ -25776,7 +25787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server # VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t) corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -404,9 +571,17 @@ @@ -404,9 +573,17 @@
# to read ROLE_home_t - examine this in more detail # to read ROLE_home_t - examine this in more detail
# (xauth?) # (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t) userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -25794,7 +25805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t)
@@ -420,6 +595,22 @@ @@ -420,6 +597,22 @@
') ')
optional_policy(` optional_policy(`
@ -25817,7 +25828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t) resmgr_stream_connect(xdm_t)
') ')
@@ -429,47 +620,139 @@ @@ -429,47 +622,139 @@
') ')
optional_policy(` optional_policy(`
@ -29507,7 +29518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 16:33:22.000000000 +0100 --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 16:33:22.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-03-25 06:46:13.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-03-28 13:41:55.000000000 +0100
@@ -45,7 +45,7 @@ @@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config; dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat # for access("/etc/bashrc", X_OK) on Red Hat
@ -30353,7 +30364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 15:52:56.000000000 +0100 --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 15:52:56.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-25 08:52:58.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-27 23:47:44.000000000 +0100
@@ -29,9 +29,14 @@ @@ -29,9 +29,14 @@
') ')