rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Zero out customizable types

Browse Source
This commit is contained in:
Daniel J Walsh 2007-12-19 21:45:51 +00:00
parent 2587107071
commit 5615fe1b3d
2 changed files with 198 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

315
policy-20071130.patch
View File

@ -2035,7 +2035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/java.if 2007-12-19 05:38:08.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/apps/java.if 2007-12-19 16:29:03.000000000 -0500
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
## </summary> ## </summary>
## </param> ## </param>
@ -2124,7 +2124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
') ')
######################################## ########################################
@@ -219,3 +272,66 @@ @@ -219,3 +272,67 @@
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t) domtrans_pattern($1, java_exec_t, java_t)
') ')
@ -2191,10 +2191,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
+ role $2 types java_t; + role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms; + allow java_t $3:chr_file rw_term_perms;
+') +')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.5/policy/modules/apps/java.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.5/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2007-12-19 05:32:09.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/java.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/java.te 2007-12-19 05:38:08.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/apps/java.te 2007-12-19 16:44:59.000000000 -0500
@@ -6,13 +6,6 @@ @@ -6,16 +6,10 @@
# Declarations # Declarations
# #
@ -2208,7 +2209,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
type java_t; type java_t;
type java_exec_t; type java_exec_t;
init_system_domain(java_t,java_exec_t) init_system_domain(java_t,java_exec_t)
@@ -23,11 +16,23 @@ +typealias java_t alias unconfined_java_t;
########################################
#
@@ -23,11 +17,23 @@
# #
# execheap is needed for itanium/BEA jrocket # execheap is needed for itanium/BEA jrocket
@ -2246,7 +2251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.5/policy/modules/apps/mono.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.5/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mono.if 2007-12-19 05:38:08.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/apps/mono.if 2007-12-19 16:28:53.000000000 -0500
@@ -18,3 +18,105 @@ @@ -18,3 +18,105 @@
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t) domtrans_pattern($1, mono_exec_t, mono_t)
@ -6838,6 +6843,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
+optional_policy(` +optional_policy(`
+ inetd_service_domain(inetd_child_t,bin_t) + inetd_service_domain(inetd_child_t,bin_t)
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inn.te 2007-12-19 15:36:20.000000000 -0500
@@ -22,7 +22,7 @@
files_pid_file(innd_var_run_t)
type news_spool_t;
-files_type(news_spool_t)
+files_mountpoint(news_spool_t)
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 --- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500
@ -8285,7 +8302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 09:39:14.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 15:17:09.000000000 -0500
@@ -0,0 +1,63 @@ @@ -0,0 +1,63 @@
+policy_module(polkit_auth,1.0.0) +policy_module(polkit_auth,1.0.0)
+ +
@ -8303,7 +8320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+files_type(polkit_var_lib_t) +files_type(polkit_var_lib_t)
+ +
+type polkit_var_run_t; +type polkit_var_run_t;
+files_pid_files(polkit_var_run_t) +files_pid_file(polkit_var_run_t)
+ +
+######################################## +########################################
+# +#
@ -13759,7 +13776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-19 16:24:05.000000000 -0500
@@ -12,14 +12,13 @@ @@ -12,14 +12,13 @@
# #
interface(`unconfined_domain_noaudit',` interface(`unconfined_domain_noaudit',`
@ -13794,7 +13811,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
kernel_unconfined($1) kernel_unconfined($1)
corenet_unconfined($1) corenet_unconfined($1)
@@ -589,7 +589,7 @@ @@ -581,7 +581,6 @@
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
- class dbus acquire_svc;
')
allow $1 unconfined_t:dbus acquire_svc;
@@ -589,7 +588,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -13803,7 +13828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -597,20 +597,53 @@ @@ -597,20 +596,53 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -13864,7 +13889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -618,31 +651,132 @@ @@ -618,31 +650,132 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -14009,7 +14034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2007-12-19 16:35:02.000000000 -0500
@@ -9,32 +9,48 @@ @@ -9,32 +9,48 @@
# usage in this module of types created by these # usage in this module of types created by these
# calls is not correct, however we dont currently # calls is not correct, however we dont currently
@ -14184,12 +14209,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -205,11 +203,22 @@ @@ -205,11 +203,30 @@
') ')
optional_policy(` optional_policy(`
- wine_domtrans(unconfined_t) - wine_domtrans(unconfined_t)
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -14200,34 +14234,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ +
+optional_policy(` +optional_policy(`
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
') +')
+
optional_policy(` +optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t) + xserver_xdm_rw_shm(unconfined_t)
') ')
######################################## ########################################
@@ -219,14 +228,35 @@ @@ -219,14 +236,36 @@
allow unconfined_execmem_t self:process { execstack execmem }; allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t) unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t unconfined_t:process transition; +allow unconfined_execmem_t unconfined_t:process transition;
optional_policy(` optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
+
dbus_stub(unconfined_execmem_t) dbus_stub(unconfined_execmem_t)
init_dbus_chat_script(unconfined_execmem_t) - init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
+ dbus_connect_system_bus(unconfined_execmem_t) + dbus_connect_system_bus(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t) + unconfined_dbus_connect(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
+ optional_policy(`
+ avahi_dbus_chat(unconfined_execmem_t)
+ ')
optional_policy(` optional_policy(`
+ avahi_dbus_chat(unconfined_execmem_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat(unconfined_execmem_t) hal_dbus_chat(unconfined_execmem_t)
') ')
+ +
@ -14260,7 +14295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2007-12-19 16:35:24.000000000 -0500
@@ -29,8 +29,9 @@ @@ -29,8 +29,9 @@
') ')
@ -14945,7 +14980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
typeattribute $1_tty_device_t user_ttynode; typeattribute $1_tty_device_t user_ttynode;
############################## ##############################
@@ -1025,16 +991,37 @@ @@ -1025,16 +991,29 @@
# #
# privileged home directory writers # privileged home directory writers
@ -14972,24 +15007,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ optional_policy(` + optional_policy(`
+ cups_dbus_chat($1_usertype) + cups_dbus_chat($1_usertype)
+ ') + ')
+ ')
+
+ optional_policy(`
+ java_per_role_template($1, $1_t, $1_r)
+ ') + ')
optional_policy(` optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t) loadkeys_run($1_t,$1_r,$1_tty_device_t)
') ')
+
+ optional_policy(`
+ mono_per_role_template($1, $1_t, $1_r)
+ ')
+ +
') ')
####################################### #######################################
@@ -1062,6 +1049,13 @@ @@ -1062,6 +1041,13 @@
userdom_restricted_user_template($1) userdom_restricted_user_template($1)
@ -15003,7 +15030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_xwindows_client_template($1) userdom_xwindows_client_template($1)
############################## ##############################
@@ -1070,14 +1064,14 @@ @@ -1070,14 +1056,14 @@
# #
authlogin_per_role_template($1, $1_t, $1_r) authlogin_per_role_template($1, $1_t, $1_r)
@ -15023,7 +15050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
logging_dontaudit_send_audit_msgs($1_t) logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain # Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -1085,33 +1079,14 @@ @@ -1085,33 +1071,14 @@
selinux_get_enforce_mode($1_t) selinux_get_enforce_mode($1_t)
optional_policy(` optional_policy(`
@ -15045,13 +15072,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- -
- optional_policy(` - optional_policy(`
- java_per_role_template($1, $1_t, $1_r) - java_per_role_template($1, $1_t, $1_r)
- ')
-
- optional_policy(`
- mono_per_role_template($1, $1_t, $1_r)
+ alsa_read_rw_config($1_usertype) + alsa_read_rw_config($1_usertype)
') ')
- optional_policy(`
- mono_per_role_template($1, $1_t, $1_r)
- ')
-
- optional_policy(` - optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t) - setroubleshoot_dontaudit_stream_connect($1_t)
- ') - ')
@ -15063,7 +15090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
####################################### #######################################
@@ -1121,10 +1096,10 @@ @@ -1121,10 +1088,10 @@
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
@ -15078,7 +15105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and ## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories, ## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files. ## tmp, and tmpfs files.
@@ -1187,12 +1162,11 @@ @@ -1187,12 +1154,11 @@
# and may change other protocols # and may change other protocols
tunable_policy(`user_tcp_server',` tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t) corenet_tcp_bind_all_nodes($1_t)
@ -15093,7 +15120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
# Run pppd in pppd_t by default for user # Run pppd in pppd_t by default for user
@@ -1278,8 +1252,6 @@ @@ -1278,8 +1244,6 @@
# Manipulate other users crontab. # Manipulate other users crontab.
allow $1_t self:passwd crontab; allow $1_t self:passwd crontab;
@ -15102,7 +15129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t) kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t) kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t) kernel_getattr_message_if($1_t)
@@ -1416,6 +1388,7 @@ @@ -1416,6 +1380,7 @@
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -15110,7 +15137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1781,10 +1754,14 @@ @@ -1781,10 +1746,14 @@
template(`userdom_user_home_content',` template(`userdom_user_home_content',`
gen_require(` gen_require(`
attribute $1_file_type; attribute $1_file_type;
@ -15126,7 +15153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1880,11 +1857,11 @@ @@ -1880,11 +1849,11 @@
# #
template(`userdom_search_user_home_dirs',` template(`userdom_search_user_home_dirs',`
gen_require(` gen_require(`
@ -15140,7 +15167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1914,11 +1891,11 @@ @@ -1914,11 +1883,11 @@
# #
template(`userdom_list_user_home_dirs',` template(`userdom_list_user_home_dirs',`
gen_require(` gen_require(`
@ -15154,7 +15181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1962,12 +1939,12 @@ @@ -1962,12 +1931,12 @@
# #
template(`userdom_user_home_domtrans',` template(`userdom_user_home_domtrans',`
gen_require(` gen_require(`
@ -15170,7 +15197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -1997,10 +1974,10 @@ @@ -1997,10 +1966,10 @@
# #
template(`userdom_dontaudit_list_user_home_dirs',` template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
@ -15183,7 +15210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2032,11 +2009,47 @@ @@ -2032,11 +2001,47 @@
# #
template(`userdom_manage_user_home_content_dirs',` template(`userdom_manage_user_home_content_dirs',`
gen_require(` gen_require(`
@ -15233,7 +15260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2068,10 +2081,10 @@ @@ -2068,10 +2073,10 @@
# #
template(`userdom_dontaudit_setattr_user_home_content_files',` template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(` gen_require(`
@ -15246,7 +15273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2101,11 +2114,11 @@ @@ -2101,11 +2106,11 @@
# #
template(`userdom_read_user_home_content_files',` template(`userdom_read_user_home_content_files',`
gen_require(` gen_require(`
@ -15260,7 +15287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2135,11 +2148,11 @@ @@ -2135,11 +2140,11 @@
# #
template(`userdom_dontaudit_read_user_home_content_files',` template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(` gen_require(`
@ -15275,7 +15302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2169,10 +2182,10 @@ @@ -2169,10 +2174,10 @@
# #
template(`userdom_dontaudit_write_user_home_content_files',` template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(` gen_require(`
@ -15288,7 +15315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2202,11 +2215,11 @@ @@ -2202,11 +2207,11 @@
# #
template(`userdom_read_user_home_content_symlinks',` template(`userdom_read_user_home_content_symlinks',`
gen_require(` gen_require(`
@ -15302,7 +15329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2236,11 +2249,11 @@ @@ -2236,11 +2241,11 @@
# #
template(`userdom_exec_user_home_content_files',` template(`userdom_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -15316,7 +15343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2270,10 +2283,10 @@ @@ -2270,10 +2275,10 @@
# #
template(`userdom_dontaudit_exec_user_home_content_files',` template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -15329,7 +15356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2305,12 +2318,12 @@ @@ -2305,12 +2310,12 @@
# #
template(`userdom_manage_user_home_content_files',` template(`userdom_manage_user_home_content_files',`
gen_require(` gen_require(`
@ -15345,7 +15372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2342,10 +2355,10 @@ @@ -2342,10 +2347,10 @@
# #
template(`userdom_dontaudit_manage_user_home_content_dirs',` template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(` gen_require(`
@ -15358,7 +15385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2377,12 +2390,12 @@ @@ -2377,12 +2382,12 @@
# #
template(`userdom_manage_user_home_content_symlinks',` template(`userdom_manage_user_home_content_symlinks',`
gen_require(` gen_require(`
@ -15374,7 +15401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2414,12 +2427,12 @@ @@ -2414,12 +2419,12 @@
# #
template(`userdom_manage_user_home_content_pipes',` template(`userdom_manage_user_home_content_pipes',`
gen_require(` gen_require(`
@ -15390,7 +15417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2451,12 +2464,12 @@ @@ -2451,12 +2456,12 @@
# #
template(`userdom_manage_user_home_content_sockets',` template(`userdom_manage_user_home_content_sockets',`
gen_require(` gen_require(`
@ -15406,7 +15433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2501,11 +2514,11 @@ @@ -2501,11 +2506,11 @@
# #
template(`userdom_user_home_dir_filetrans',` template(`userdom_user_home_dir_filetrans',`
gen_require(` gen_require(`
@ -15420,7 +15447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2550,11 +2563,11 @@ @@ -2550,11 +2555,11 @@
# #
template(`userdom_user_home_content_filetrans',` template(`userdom_user_home_content_filetrans',`
gen_require(` gen_require(`
@ -15434,7 +15461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2594,11 +2607,11 @@ @@ -2594,11 +2599,11 @@
# #
template(`userdom_user_home_dir_filetrans_user_home_content',` template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(` gen_require(`
@ -15448,7 +15475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2628,11 +2641,11 @@ @@ -2628,11 +2633,11 @@
# #
template(`userdom_write_user_tmp_sockets',` template(`userdom_write_user_tmp_sockets',`
gen_require(` gen_require(`
@ -15462,7 +15489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2662,11 +2675,11 @@ @@ -2662,11 +2667,11 @@
# #
template(`userdom_list_user_tmp',` template(`userdom_list_user_tmp',`
gen_require(` gen_require(`
@ -15476,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2698,10 +2711,10 @@ @@ -2698,10 +2703,10 @@
# #
template(`userdom_dontaudit_list_user_tmp',` template(`userdom_dontaudit_list_user_tmp',`
gen_require(` gen_require(`
@ -15489,7 +15516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2733,10 +2746,10 @@ @@ -2733,10 +2738,10 @@
# #
template(`userdom_dontaudit_manage_user_tmp_dirs',` template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(` gen_require(`
@ -15502,7 +15529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2766,12 +2779,12 @@ @@ -2766,12 +2771,12 @@
# #
template(`userdom_read_user_tmp_files',` template(`userdom_read_user_tmp_files',`
gen_require(` gen_require(`
@ -15518,7 +15545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2803,10 +2816,10 @@ @@ -2803,10 +2808,10 @@
# #
template(`userdom_dontaudit_read_user_tmp_files',` template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(` gen_require(`
@ -15531,7 +15558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2838,10 +2851,48 @@ @@ -2838,10 +2843,48 @@
# #
template(`userdom_dontaudit_append_user_tmp_files',` template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(` gen_require(`
@ -15582,7 +15609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2871,12 +2922,12 @@ @@ -2871,12 +2914,12 @@
# #
template(`userdom_rw_user_tmp_files',` template(`userdom_rw_user_tmp_files',`
gen_require(` gen_require(`
@ -15598,7 +15625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2908,10 +2959,10 @@ @@ -2908,10 +2951,10 @@
# #
template(`userdom_dontaudit_manage_user_tmp_files',` template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(` gen_require(`
@ -15611,7 +15638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2943,12 +2994,12 @@ @@ -2943,12 +2986,12 @@
# #
template(`userdom_read_user_tmp_symlinks',` template(`userdom_read_user_tmp_symlinks',`
gen_require(` gen_require(`
@ -15627,7 +15654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -2980,11 +3031,11 @@ @@ -2980,11 +3023,11 @@
# #
template(`userdom_manage_user_tmp_dirs',` template(`userdom_manage_user_tmp_dirs',`
gen_require(` gen_require(`
@ -15641,7 +15668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3016,11 +3067,11 @@ @@ -3016,11 +3059,11 @@
# #
template(`userdom_manage_user_tmp_files',` template(`userdom_manage_user_tmp_files',`
gen_require(` gen_require(`
@ -15655,7 +15682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3052,11 +3103,11 @@ @@ -3052,11 +3095,11 @@
# #
template(`userdom_manage_user_tmp_symlinks',` template(`userdom_manage_user_tmp_symlinks',`
gen_require(` gen_require(`
@ -15669,7 +15696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3088,11 +3139,11 @@ @@ -3088,11 +3131,11 @@
# #
template(`userdom_manage_user_tmp_pipes',` template(`userdom_manage_user_tmp_pipes',`
gen_require(` gen_require(`
@ -15683,7 +15710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3124,11 +3175,11 @@ @@ -3124,11 +3167,11 @@
# #
template(`userdom_manage_user_tmp_sockets',` template(`userdom_manage_user_tmp_sockets',`
gen_require(` gen_require(`
@ -15697,7 +15724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -3173,10 +3224,10 @@ @@ -3173,10 +3216,10 @@
# #
template(`userdom_user_tmp_filetrans',` template(`userdom_user_tmp_filetrans',`
gen_require(` gen_require(`
@ -15710,7 +15737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2) files_search_tmp($2)
') ')
@@ -3217,10 +3268,10 @@ @@ -3217,10 +3260,10 @@
# #
template(`userdom_tmp_filetrans_user_tmp',` template(`userdom_tmp_filetrans_user_tmp',`
gen_require(` gen_require(`
@ -15723,7 +15750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4225,11 +4276,11 @@ @@ -4225,11 +4268,11 @@
# #
interface(`userdom_search_staff_home_dirs',` interface(`userdom_search_staff_home_dirs',`
gen_require(` gen_require(`
@ -15737,7 +15764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4245,10 +4296,10 @@ @@ -4245,10 +4288,10 @@
# #
interface(`userdom_dontaudit_search_staff_home_dirs',` interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(` gen_require(`
@ -15750,7 +15777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4264,11 +4315,11 @@ @@ -4264,11 +4307,11 @@
# #
interface(`userdom_manage_staff_home_dirs',` interface(`userdom_manage_staff_home_dirs',`
gen_require(` gen_require(`
@ -15764,7 +15791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4283,16 +4334,16 @@ @@ -4283,16 +4326,16 @@
# #
interface(`userdom_relabelto_staff_home_dirs',` interface(`userdom_relabelto_staff_home_dirs',`
gen_require(` gen_require(`
@ -15784,7 +15811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory. ## users home directory.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4301,12 +4352,27 @@ @@ -4301,12 +4344,27 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15815,7 +15842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4321,13 +4387,13 @@ @@ -4321,13 +4379,13 @@
# #
interface(`userdom_read_staff_home_content_files',` interface(`userdom_read_staff_home_content_files',`
gen_require(` gen_require(`
@ -15833,7 +15860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4525,10 +4591,10 @@ @@ -4525,10 +4583,10 @@
# #
interface(`userdom_getattr_sysadm_home_dirs',` interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -15846,7 +15873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4545,10 +4611,10 @@ @@ -4545,10 +4603,10 @@
# #
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -15859,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4563,10 +4629,10 @@ @@ -4563,10 +4621,10 @@
# #
interface(`userdom_search_sysadm_home_dirs',` interface(`userdom_search_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -15872,7 +15899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4582,10 +4648,10 @@ @@ -4582,10 +4640,10 @@
# #
interface(`userdom_dontaudit_search_sysadm_home_dirs',` interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -15885,7 +15912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4600,10 +4666,10 @@ @@ -4600,10 +4658,10 @@
# #
interface(`userdom_list_sysadm_home_dirs',` interface(`userdom_list_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -15898,7 +15925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4619,10 +4685,10 @@ @@ -4619,10 +4677,10 @@
# #
interface(`userdom_dontaudit_list_sysadm_home_dirs',` interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(` gen_require(`
@ -15911,7 +15938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4638,12 +4704,11 @@ @@ -4638,12 +4696,11 @@
# #
interface(`userdom_dontaudit_read_sysadm_home_content_files',` interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(` gen_require(`
@ -15927,7 +15954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4670,10 +4735,10 @@ @@ -4670,10 +4727,10 @@
# #
interface(`userdom_sysadm_home_dir_filetrans',` interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(` gen_require(`
@ -15940,7 +15967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4688,10 +4753,10 @@ @@ -4688,10 +4745,10 @@
# #
interface(`userdom_search_sysadm_home_content_dirs',` interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(` gen_require(`
@ -15953,7 +15980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4706,13 +4771,13 @@ @@ -4706,13 +4763,13 @@
# #
interface(`userdom_read_sysadm_home_content_files',` interface(`userdom_read_sysadm_home_content_files',`
gen_require(` gen_require(`
@ -15971,7 +15998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -4748,16 +4813,15 @@ @@ -4748,16 +4805,15 @@
# #
interface(`userdom_search_all_users_home_dirs',` interface(`userdom_search_all_users_home_dirs',`
gen_require(` gen_require(`
@ -15991,7 +16018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4765,18 +4829,18 @@ @@ -4765,18 +4821,18 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -16013,7 +16040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4784,18 +4848,64 @@ @@ -4784,33 +4840,79 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -16033,18 +16060,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## <summary> ## <summary>
-## Do not audit attempts to search all users home directories. -## Do not audit attempts to search all users home directories.
+## List all users home directories. +## List all users home directories.
+## </summary> ## </summary>
+## <param name="domain"> ## <param name="domain">
+## <summary> ## <summary>
-## Domain to not audit.
+## Domain allowed access. +## Domain allowed access.
+## </summary> ## </summary>
+## </param> ## </param>
+# #
-interface(`userdom_dontaudit_search_all_users_home_content',`
+interface(`userdom_list_all_users_home_dirs',` +interface(`userdom_list_all_users_home_dirs',`
+ gen_require(` gen_require(`
- attribute home_dir_type, home_type;
+ attribute home_dir_type; + attribute home_dir_type;
+ ') ')
+
- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
-')
-
+ files_list_home($1) + files_list_home($1)
+ allow $1 home_dir_type:dir list_dir_perms; + allow $1 home_dir_type:dir list_dir_perms;
+ +
@ -16079,10 +16112,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+######################################## +########################################
+## <summary> +## <summary>
+## Do not audit attempts to search all users home directories. +## Do not audit attempts to search all users home directories.
## </summary> +## </summary>
## <param name="domain"> +## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_all_users_home_content',`
+ gen_require(`
+ attribute home_dir_type, home_type;
+ ')
+
+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+')
+
########################################
## <summary> ## <summary>
@@ -5109,7 +5219,7 @@ ## Read all files in all users home directories.
@@ -5109,7 +5211,7 @@
# #
interface(`userdom_relabelto_generic_user_home_dirs',` interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(` gen_require(`
@ -16091,7 +16139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
files_search_home($1) files_search_home($1)
@@ -5298,6 +5408,49 @@ @@ -5298,6 +5400,49 @@
######################################## ########################################
## <summary> ## <summary>
@ -16141,7 +16189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in ## Create, read, write, and delete directories in
## unprivileged users home directories. ## unprivileged users home directories.
## </summary> ## </summary>
@@ -5503,6 +5656,24 @@ @@ -5503,6 +5648,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -16166,7 +16214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys. ## Read and write unprivileged user ttys.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -5668,6 +5839,42 @@ @@ -5668,6 +5831,42 @@
######################################## ########################################
## <summary> ## <summary>
@ -16209,7 +16257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains. ## Send a dbus message to all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -5698,3 +5905,277 @@ @@ -5698,3 +5897,277 @@
interface(`userdom_unconfined',` interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
@ -16984,12 +17032,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
+## <summary>Policy for guest user</summary> +## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.5/policy/modules/users/guest.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.5/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/guest.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/users/guest.te 2007-12-19 16:37:00.000000000 -0500
@@ -0,0 +1,4 @@ @@ -0,0 +1,12 @@
+policy_module(guest,1.0.1) +policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest) +userdom_restricted_user_template(guest)
+userdom_restricted_user_template(gadmin)
+ +
+optional_policy(`
+ java_per_role_template(guest, guest_t, guest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(guest, guest_t, guest_r)
+')
+
+userdom_restricted_user_template(gadmin)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.5/policy/modules/users/logadm.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.5/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/logadm.fc 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/users/logadm.fc 2007-12-19 05:38:09.000000000 -0500
@ -17088,8 +17144,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
+## <summary>Policy for xguest user</summary> +## <summary>Policy for xguest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.5/policy/modules/users/xguest.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.5/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/xguest.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/users/xguest.te 2007-12-19 16:36:37.000000000 -0500
@@ -0,0 +1,55 @@ @@ -0,0 +1,66 @@
+policy_module(xguest,1.0.1) +policy_module(xguest,1.0.1)
+ +
+## <desc> +## <desc>
@ -17115,7 +17171,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
+ +
+userdom_restricted_xwindows_user_template(xguest) +userdom_restricted_xwindows_user_template(xguest)
+ +
+optional_policy(`
+ mozilla_per_role_template(xguest, xguest_t, xguest_r) + mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ java_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(xguest, xguest_t, xguest_r)
+')
+ +
+# Allow mounting of file systems +# Allow mounting of file systems
+optional_policy(` +optional_policy(`
@ -17145,6 +17211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
+ bluetooth_dbus_chat(xguest_t) + bluetooth_dbus_chat(xguest_t)
+ ') + ')
+') +')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.5/policy/support/obj_perm_sets.spt diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.5/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400 --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/policy/support/obj_perm_sets.spt 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/support/obj_perm_sets.spt 2007-12-19 05:38:09.000000000 -0500

6
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.2.5 Version: 3.2.5
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -104,6 +104,7 @@ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
%nil %nil
%define fileList() \ %define fileList() \
@ -382,6 +383,9 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-2
- Zero out customizable types
* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-1 * Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-1
- Fix definiton of admin_home_t - Fix definiton of admin_home_t