- Fixes for polkit

- Allow xserver to ptrace
2007-12-12 14:53:07 +00:00 · 2007-12-12 14:53:07 +00:00 · 4c6f2dd6a3
parent 7dfe3eb3ef
commit 4c6f2dd6a3
2 changed files with 200 additions and 117 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -6145,7 +6145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.3/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dbus.if	2007-12-06 16:37:24.000000000 -0500
+++ serefpolicy-3.2.3/policy/modules/services/dbus.if	2007-12-11 17:07:29.000000000 -0500
@@ -91,7 +91,7 @@
 	# SE-DBus specific permissions
 	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@ -6165,7 +6165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 	allow $1_dbusd_t $2:process sigkill;
 	allow $2 $1_dbusd_t:fd use;
 	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -214,7 +213,7 @@
+@@ -161,7 +160,8 @@
+ 	seutil_read_config($1_dbusd_t)
+ 	seutil_read_default_contexts($1_dbusd_t)
+ 
+-	userdom_read_user_home_content_files($1, $1_dbusd_t)
+	userdom_read_unpriv_users_home_content_files($1_dbusd_t)
+	userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
+ 
+ 	ifdef(`hide_broken_symptoms', `
+ 		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
+@@ -214,7 +214,7 @@
 
 	# SE-DBus specific permissions
 #	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@ -6174,7 +6184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 
 	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 	files_search_var_lib($2)
-@@ -366,3 +365,35 @@
+@@ -366,3 +366,35 @@
 
 	allow $1 system_dbusd_t:dbus *;
 ')
@ -6868,7 +6878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/hal.te	2007-12-11 00:56:25.000000000 -0500
+++ serefpolicy-3.2.3/policy/modules/services/hal.te	2007-12-11 16:49:43.000000000 -0500
@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -6905,18 +6915,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 storage_raw_read_removable_device(hald_t)
 storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
-@@ -265,6 +271,10 @@
+@@ -265,6 +271,11 @@
 ')
 
 optional_policy(`
 +	polkit_domtrans_auth(hald_t)
+	polkit_read_lib(hald_t)
 +')
 +
 +optional_policy(`
 	rpc_search_nfs_state_data(hald_t)
 ')
 
-@@ -291,6 +301,7 @@
+@@ -291,6 +302,7 @@
 #
 
 allow hald_acl_t self:capability { dac_override fowner };
@ -6924,19 +6935,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 allow hald_acl_t self:fifo_file read_fifo_file_perms;
 
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -325,6 +336,11 @@
+@@ -325,6 +337,11 @@
 
 miscfiles_read_localization(hald_acl_t)
 
 +optional_policy(`
 +	polkit_domtrans_auth(hald_acl_t)
-+	polkit_search_lib(hald_acl_t)
+	polkit_read_lib(hald_acl_t)
 +')
 +
 ########################################
 #
 # Local hald mac policy
-@@ -338,10 +354,14 @@
+@@ -338,10 +355,14 @@
 manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
 files_search_var_lib(hald_mac_t)
 
@ -6951,7 +6962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 libs_use_ld_so(hald_mac_t)
 libs_use_shared_libs(hald_mac_t)
 
-@@ -391,3 +411,4 @@
+@@ -391,3 +412,4 @@
 libs_use_shared_libs(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
@ -8351,8 +8362,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.3/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/polkit.if	2007-12-11 00:56:05.000000000 -0500
-@@ -0,0 +1,41 @@
+++ serefpolicy-3.2.3/policy/modules/services/polkit.if	2007-12-11 16:49:17.000000000 -0500
+@@ -0,0 +1,60 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@ -8394,6 +8405,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +	files_search_var_lib($1)
 +')
 +
+########################################
+## <summary>
+##	read polkit lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polkit_read_lib',`
+	gen_require(`
+		type polkit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, polkit_var_lib_t,  polkit_var_lib_t)
+')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.3/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.3/policy/modules/services/polkit.te	2007-12-11 00:18:16.000000000 -0500
@ -10792,7 +10822,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/xserver.if	2007-12-06 16:37:24.000000000 -0500
+++ serefpolicy-3.2.3/policy/modules/services/xserver.if	2007-12-11 17:02:56.000000000 -0500
+@@ -45,7 +45,7 @@
+ 	# execheap needed until the X module loader is fixed.
+ 	# NVIDIA Needs execstack
+ 
+-	allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+	allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_ptrace sys_tty_config mknod net_bind_service };
+ 	dontaudit $1_xserver_t self:capability chown;
+ 	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_xserver_t self:memprotect mmap_zero;
@@ -115,8 +115,7 @@
 	dev_rw_agp($1_xserver_t)
 	dev_rw_framebuffer($1_xserver_t)
@ -10803,7 +10842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# raw memory access is needed if not using the frame buffer
 	dev_read_raw_memory($1_xserver_t)
 	dev_wx_raw_memory($1_xserver_t)
-@@ -125,8 +124,12 @@
+@@ -125,8 +124,13 @@
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
 	dev_rwx_zero($1_xserver_t)
@ -10813,10 +10852,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	domain_mmap_low($1_xserver_t)
 +	domain_read_all_domains_state($1_xserver_t)
+	domain_dontaudit_ptrace_all_domains($1_xserver_t)
 
 	files_read_etc_files($1_xserver_t)
 	files_read_etc_runtime_files($1_xserver_t)
-@@ -140,12 +143,16 @@
+@@ -140,12 +144,16 @@
 	fs_getattr_xattr_fs($1_xserver_t)
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
@ -10834,7 +10874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	term_setattr_unallocated_ttys($1_xserver_t)
 	term_use_unallocated_ttys($1_xserver_t)
 
-@@ -232,39 +239,26 @@
+@@ -232,39 +240,26 @@
 	# Declarations
 	#
 
@ -10881,7 +10921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	##############################
 	#
 	# $1_xserver_t Local policy
-@@ -272,12 +266,15 @@
+@@ -272,12 +267,15 @@
 
 	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
 
@ -10898,7 +10938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
 	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -307,6 +304,7 @@
+@@ -307,6 +305,7 @@
 	userdom_use_user_ttys($1,$1_xserver_t)
 	userdom_setattr_user_ttys($1,$1_xserver_t)
 	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@ -10906,7 +10946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	xserver_use_user_fonts($1,$1_xserver_t)
 	xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -330,12 +328,12 @@
+@@ -330,12 +329,12 @@
 	allow $1_xauth_t self:process signal;
 	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
 
@ -10924,7 +10964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 
-@@ -344,12 +342,6 @@
+@@ -344,12 +343,6 @@
 	# allow ps to show xauth
 	ps_process_pattern($2,$1_xauth_t)
 
@ -10937,7 +10977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	domain_use_interactive_fds($1_xauth_t)
 
 	files_read_etc_files($1_xauth_t)
-@@ -378,6 +370,14 @@
+@@ -378,6 +371,14 @@
 	')
 
 	optional_policy(`
@ -10952,7 +10992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 		ssh_sigchld($1_xauth_t)
 		ssh_read_pipes($1_xauth_t)
 		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
-@@ -390,16 +390,16 @@
+@@ -390,16 +391,16 @@
 
 	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
 
@ -10974,7 +11014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	fs_search_auto_mountpoints($1_iceauth_t)
 
-@@ -523,17 +523,16 @@
+@@ -523,17 +524,16 @@
 template(`xserver_user_client_template',`
 
 	gen_require(`
@ -10999,7 +11039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-@@ -542,25 +541,55 @@
+@@ -542,25 +542,55 @@
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
@ -11063,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	')
 ')
 
-@@ -613,6 +642,24 @@
+@@ -613,6 +643,24 @@
 
 ########################################
 ## <summary>
@ -11088,7 +11128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -646,6 +693,73 @@
+@@ -646,6 +694,73 @@
 
 ########################################
 ## <summary>
@ -11162,7 +11202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -671,10 +785,10 @@
+@@ -671,10 +786,10 @@
 #
 template(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
@ -11175,7 +11215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -760,7 +874,7 @@
+@@ -760,7 +875,7 @@
 		type xconsole_device_t;
 	')
 
@ -11184,7 +11224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -860,6 +974,25 @@
+@@ -860,6 +975,25 @@
 
 ########################################
 ## <summary>
@ -11210,7 +11250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Read xdm-writable configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -914,6 +1047,7 @@
+@@ -914,6 +1048,7 @@
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -11218,7 +11258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -974,6 +1108,37 @@
+@@ -974,6 +1109,37 @@
 
 ########################################
 ## <summary>
@ -11256,7 +11296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -1123,7 +1288,7 @@
+@@ -1123,7 +1289,7 @@
 		type xdm_xserver_tmp_t;
 	')
 
@ -11265,7 +11305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -1312,3 +1477,45 @@
+@@ -1312,3 +1478,45 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -14503,7 +14543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.3/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc	2007-12-06 16:37:24.000000000 -0500
+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc	2007-12-11 16:44:50.000000000 -0500
@@ -1,4 +1,5 @@
 -HOME_DIR	-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
 -HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
@ -14513,10 +14553,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 +/tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
-+/root(/.*)	 	gen_context(system_u:object_r:admin_home_t,s0)
+/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if	2007-12-10 23:50:13.000000000 -0500
+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if	2007-12-11 17:06:47.000000000 -0500
@@ -29,8 +29,9 @@
 	')
 
@ -16020,7 +16060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4283,11 +4334,11 @@
+@@ -4283,16 +4334,16 @@
 #
 interface(`userdom_relabelto_staff_home_dirs',`
 	gen_require(`
@ -16034,20 +16074,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4303,10 +4354,10 @@
+ ## <summary>
+-##	Do not audit attempts to append to the staff
+##	Do not audit attempts to append to the 
+ ##	users home directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -4301,12 +4352,27 @@
+ ##	</summary>
+ ## </param>
 #
- interface(`userdom_dontaudit_append_staff_home_content_files',`
+-interface(`userdom_dontaudit_append_staff_home_content_files',`
+interface(`userdom_dontaudit_append_unpriv_home_content_files',`
 	gen_require(`
 -		type staff_home_t;
 +		type user_home_t;
 	')
 
 -	dontaudit $1 staff_home_t:file append;
-+	dontaudit $1 user_home_t:file append;
+	dontaudit $1 user_home_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_staff_home_content_files',`
+	userdom_dontaudit_append_unpriv_home_content_files($1)
 ')
 
 ########################################
-@@ -4321,13 +4372,13 @@
+@@ -4321,13 +4387,13 @@
 #
 interface(`userdom_read_staff_home_content_files',`
 	gen_require(`
@ -16065,7 +16129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4525,10 +4576,10 @@
+@@ -4525,10 +4591,10 @@
 #
 interface(`userdom_getattr_sysadm_home_dirs',`
 	gen_require(`
@ -16078,7 +16142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4545,10 +4596,10 @@
+@@ -4545,10 +4611,10 @@
 #
 interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
 	gen_require(`
@ -16091,7 +16155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4563,10 +4614,10 @@
+@@ -4563,10 +4629,10 @@
 #
 interface(`userdom_search_sysadm_home_dirs',`
 	gen_require(`
@ -16104,7 +16168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4582,10 +4633,10 @@
+@@ -4582,10 +4648,10 @@
 #
 interface(`userdom_dontaudit_search_sysadm_home_dirs',`
 	gen_require(`
@ -16117,7 +16181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4600,10 +4651,10 @@
+@@ -4600,10 +4666,10 @@
 #
 interface(`userdom_list_sysadm_home_dirs',`
 	gen_require(`
@ -16130,7 +16194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4619,10 +4670,10 @@
+@@ -4619,10 +4685,10 @@
 #
 interface(`userdom_dontaudit_list_sysadm_home_dirs',`
 	gen_require(`
@ -16143,7 +16207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4638,12 +4689,11 @@
+@@ -4638,12 +4704,11 @@
 #
 interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 	gen_require(`
@ -16159,7 +16223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4670,10 +4720,10 @@
+@@ -4670,10 +4735,10 @@
 #
 interface(`userdom_sysadm_home_dir_filetrans',`
 	gen_require(`
@ -16172,7 +16236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4688,10 +4738,10 @@
+@@ -4688,10 +4753,10 @@
 #
 interface(`userdom_search_sysadm_home_content_dirs',`
 	gen_require(`
@ -16185,7 +16249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4706,13 +4756,13 @@
+@@ -4706,13 +4771,13 @@
 #
 interface(`userdom_read_sysadm_home_content_files',`
 	gen_require(`
@ -16203,41 +16267,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -4748,11 +4798,29 @@
+@@ -4748,16 +4813,15 @@
 #
 interface(`userdom_search_all_users_home_dirs',`
 	gen_require(`
+-		attribute home_dir_type;
 +		attribute user_home_dir_type;
-+	')
-+
-+	files_list_home($1)
-+	allow $1 user_home_dir_type:dir search_dir_perms;
-+')
-+########################################
-+## <summary>
-+##	Read all users home directories symlinks.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_read_all_users_home_dirs_symlinks',`
-+	gen_require(`
- 		attribute home_dir_type;
 	')
 
 	files_list_home($1)
 -	allow $1 home_dir_type:dir search_dir_perms;
+	allow $1 user_home_dir_type:dir search_dir_perms;
+ ')
+-
+ ########################################
+ ## <summary>
+-##	List all users home directories.
+##	Read all users home directories symlinks.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4765,18 +4829,18 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_list_all_users_home_dirs',`
+interface(`userdom_read_all_users_home_dirs_symlinks',`
+ 	gen_require(`
+ 		attribute home_dir_type;
+ 	')
+ 
+ 	files_list_home($1)
+-	allow $1 home_dir_type:dir list_dir_perms;
 +	allow $1 home_dir_type:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
-@@ -4772,6 +4840,14 @@
- 
- 	files_list_home($1)
- 	allow $1 home_dir_type:dir list_dir_perms;
+ ## <summary>
+-##	Search all users home directories.
+##	List all users home directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4784,9 +4848,36 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_search_all_users_home_content',`
+interface(`userdom_list_all_users_home_dirs',`
+ 	gen_require(`
+-		attribute home_dir_type, home_type;
+		attribute home_dir_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_dir_type:dir list_dir_perms;
 +
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_list_nfs(crond_t)
@ -16246,10 +16330,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_list_cifs(crond_t)
 +	')
- ')
+')
+
+########################################
+## <summary>
+##	Search all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_all_users_home_content',`
+	gen_require(`
+		attribute home_dir_type, home_type;
+ 	')
 
- ########################################
-@@ -5109,7 +5185,7 @@
+ 	files_list_home($1)
+@@ -5109,7 +5200,7 @@
 #
 interface(`userdom_relabelto_generic_user_home_dirs',`
 	gen_require(`
@ -16258,29 +16357,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	files_search_home($1)
-@@ -5298,8 +5374,8 @@
+@@ -5298,6 +5389,49 @@
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete directories in
-##	unprivileged users home directories.
 +##	append all unprivileged users home directory
 +##	files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5307,13 +5383,56 @@
- ##	</summary>
- ## </param>
- #
-interface(`userdom_manage_unpriv_users_home_content_dirs',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`userdom_append_unpriv_users_home_content_files',`
- 	gen_require(`
- 		attribute user_home_dir_type, user_home_type;
- 	')
- 
- 	files_search_home($1)
-	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_search_home($1)
 +	allow $1 user_home_type:dir list_dir_perms;
 +	append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
 +')
@ -16309,26 +16404,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete directories in
-+##	unprivileged users home directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_manage_unpriv_users_home_content_dirs',`
-+	gen_require(`
-+		attribute user_home_dir_type, user_home_type;
-+	')
-+
-+	files_search_home($1)
-+	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
- ')
- 
- ########################################
-@@ -5503,6 +5622,24 @@
+ ##	Create, read, write, and delete directories in
+ ##	unprivileged users home directories.
+ ## </summary>
+@@ -5503,6 +5637,24 @@
 
 ########################################
 ## <summary>
@ -16353,7 +16432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Read and write unprivileged user ttys.
 ## </summary>
 ## <param name="domain">
-@@ -5668,6 +5805,24 @@
+@@ -5668,6 +5820,24 @@
 
 ########################################
 ## <summary>
@ -16378,7 +16457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -5698,3 +5853,277 @@
+@@ -5698,3 +5868,277 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -379,6 +379,10 @@ exit 0
 %endif

 %changelog
+* Tue Dec 11 2007 Dan Walsh <dwalsh@redhat.com> 3.2.3-2
+- Fixes for polkit
+- Allow xserver to ptrace
+
 * Tue Dec 11 2007 Dan Walsh <dwalsh@redhat.com> 3.2.3-1
 - Add polkit policy
 - Symplify userdom context, remove automatic per_role changes