- Add boolean to disallow unconfined_t login

2009-02-03 15:26:10 +00:00 · 2009-02-03 15:26:10 +00:00 · 574cab47f1
parent 0554a10b80
commit 574cab47f1
2 changed files with 214 additions and 63 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -2875,8 +2875,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te	2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,277 @@
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te	2009-02-02 09:39:29.000000000 -0500
+@@ -0,0 +1,288 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@ -2892,6 +2892,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_nsplugin_execmem, false)
 +
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, True)
+
 +type nsplugin_exec_t;
 +application_executable_file(nsplugin_exec_t)
 +
@ -2940,6 +2947,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow nsplugin_config_t self:process { execstack execmem };
 +')
 +	
+tunable_policy(`nsplugin_can_network',`
+	corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+')
+
 +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
 +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
 +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
@ -4313,8 +4324,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in	2009-01-19 13:13:31.000000000 -0500
-@@ -1579,6 +1579,24 @@
+++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in	2009-02-02 09:34:32.000000000 -0500
+@@ -1504,6 +1504,24 @@
+ 
+ ########################################
+ ## <summary>
+##	Connect TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute port_type, reserved_port_type;
+	')
+
+	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+ ##	Do not audit attempts to connect TCP sockets
+ ##	all reserved ports.
+ ## </summary>
+@@ -1579,6 +1597,24 @@
 
 ########################################
 ## <summary>
@ -9419,6 +9455,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.3/policy/modules/services/apcupsd.fc
+--- nsaserefpolicy/policy/modules/services/apcupsd.fc	2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.6.3/policy/modules/services/apcupsd.fc	2009-02-02 08:21:34.000000000 -0500
+@@ -5,6 +5,7 @@
+ ')
+ 
+ /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
+/sbin/apcupsd			--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
+ 
+ /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
+ /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.3/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/apm.te	2009-01-28 09:26:27.000000000 -0500
@ -14526,6 +14573,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.3/policy/modules/services/mysql.fc
+--- nsaserefpolicy/policy/modules/services/mysql.fc	2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/mysql.fc	2009-02-02 08:23:53.000000000 -0500
+@@ -10,6 +10,7 @@
+ #
+ # /usr
+ #
+/usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+ /usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+ 
+ /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.3/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te	2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/mysql.te	2009-02-02 08:24:35.000000000 -0500
+@@ -65,6 +65,7 @@
+ kernel_read_system_state(mysqld_t)
+ kernel_read_kernel_sysctls(mysqld_t)
+ 
+can_exec(mysqld_t, mysqld_exec_t)
+ corenet_all_recvfrom_unlabeled(mysqld_t)
+ corenet_all_recvfrom_netlabel(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.3/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.3/policy/modules/services/nagios.fc	2009-01-19 13:10:02.000000000 -0500
@ -19924,13 +19993,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_write_login_records(rshd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.3/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/rsync.te	2009-01-19 13:10:02.000000000 -0500
-@@ -119,5 +119,8 @@
+++ serefpolicy-3.6.3/policy/modules/services/rsync.te	2009-02-02 08:28:58.000000000 -0500
+@@ -119,5 +119,9 @@
 
 tunable_policy(`rsync_export_all_ro',`
 	fs_read_noxattr_fs_files(rsync_t) 
 +	auth_read_all_dirs_except_shadow(rsync_t)
 	auth_read_all_files_except_shadow(rsync_t)
+	auth_read_all_symlinks_except_shadow(rsync_t)
 +	auth_tunable_read_shadow(rsync_t)
 ')
 +auth_can_read_shadow_passwords(rsync_t)
@ -20365,7 +20435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.3/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/samba.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/samba.te	2009-02-03 10:22:51.000000000 -0500
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
@ -20519,7 +20589,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -350,8 +377,20 @@
+@@ -338,20 +365,27 @@
+ ')
+ 
+ tunable_policy(`samba_enable_home_dirs',`
+-	userdom_manage_user_home_content_dirs(smbd_t)
+-	userdom_manage_user_home_content_files(smbd_t)
+-	userdom_manage_user_home_content_symlinks(smbd_t)
+-	userdom_manage_user_home_content_sockets(smbd_t)
+-	userdom_manage_user_home_content_pipes(smbd_t)
+-	userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+	userdom_manage_user_home_content(smbd_t)
+ ')
+ 
+ # Support Samba sharing of NFS mount points
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
@ -20540,7 +20623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 	cups_stream_connect(smbd_t)
-@@ -359,6 +398,16 @@
+@@ -359,6 +393,16 @@
 
 optional_policy(`
 	kerberos_use(smbd_t)
@ -20557,7 +20640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -381,8 +430,10 @@
+@@ -381,8 +425,10 @@
 
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
@ -20568,7 +20651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
 
-@@ -454,6 +505,7 @@
+@@ -454,6 +500,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 
 fs_getattr_all_fs(nmbd_t)
@ -20576,7 +20659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_auto_mountpoints(nmbd_t)
 
 domain_use_interactive_fds(nmbd_t)
-@@ -553,19 +605,33 @@
+@@ -553,19 +600,33 @@
 userdom_use_user_terminals(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
 
@ -20613,7 +20696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 
-@@ -585,6 +651,9 @@
+@@ -585,6 +646,9 @@
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
 allow swat_t winbind_exec_t:file mmap_file_perms;
@ -20623,7 +20706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -609,15 +678,18 @@
+@@ -609,15 +673,18 @@
 
 dev_read_urand(swat_t)
 
@ -20642,7 +20725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
-@@ -635,6 +707,17 @@
+@@ -635,6 +702,17 @@
 	kerberos_use(swat_t)
 ')
 
@ -20660,7 +20743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Winbind local policy
-@@ -642,7 +725,7 @@
+@@ -642,7 +720,7 @@
 
 allow winbind_t self:capability { dac_override ipc_lock setuid };
 dontaudit winbind_t self:capability sys_tty_config;
@ -20669,7 +20752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +766,10 @@
+@@ -683,9 +761,10 @@
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, file)
 
@ -20682,7 +20765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corenet_all_recvfrom_unlabeled(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +793,12 @@
+@@ -709,10 +788,12 @@
 
 auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
@ -20695,7 +20778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 logging_send_syslog_msg(winbind_t)
 
-@@ -768,8 +854,13 @@
+@@ -768,8 +849,13 @@
 userdom_use_user_terminals(winbind_helper_t)
 
 optional_policy(`
@ -20709,7 +20792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -778,6 +869,16 @@
+@@ -778,6 +864,16 @@
 #
 
 optional_policy(`
@ -20726,7 +20809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
-@@ -788,9 +889,43 @@
+@@ -788,9 +884,43 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 
@ -21996,7 +22079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.3/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/ssh.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/ssh.te	2009-02-02 14:39:09.000000000 -0500
@@ -75,7 +75,7 @@
 ubac_constrained(ssh_tmpfs_t)
 
@ -23252,7 +23335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-28 13:23:35.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-02-02 14:36:35.000000000 -0500
@@ -34,6 +34,13 @@
 
 ## <desc>
@ -23652,17 +23735,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
 
-@@ -550,8 +651,8 @@
+@@ -550,9 +651,11 @@
 ')
 
 optional_policy(`
 -	unconfined_domain(xdm_t)
- 	unconfined_domtrans(xdm_t)
+-	unconfined_domtrans(xdm_t)
+	unconfined_shell_domtrans(xdm_t)
 +	unconfined_signal(xdm_t)
+')
 
+optional_policy(`
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -571,6 +672,10 @@
+ 	')
+@@ -571,6 +674,10 @@
 ')
 
 optional_policy(`
@ -23673,7 +23760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -587,7 +692,7 @@
+@@ -587,7 +694,7 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -23682,7 +23769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +707,11 @@
+@@ -602,9 +709,11 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -23694,7 +23781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
 
-@@ -622,7 +729,7 @@
+@@ -622,7 +731,7 @@
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
@ -23703,7 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,6 +742,15 @@
+@@ -635,6 +744,15 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -23719,7 +23806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Create files in /var/log with the xserver_log_t type.
 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -680,9 +796,14 @@
+@@ -680,9 +798,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -23734,7 +23821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +818,13 @@
+@@ -697,8 +820,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -23748,7 +23835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +846,7 @@
+@@ -720,6 +848,7 @@
 
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -23756,7 +23843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 modutils_domtrans_insmod(xserver_t)
 
-@@ -742,7 +869,7 @@
+@@ -742,7 +871,7 @@
 ')
 
 ifdef(`enable_mls',`
@ -23765,7 +23852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
 
-@@ -774,6 +901,10 @@
+@@ -774,6 +903,10 @@
 ')
 
 optional_policy(`
@ -23776,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rhgb_getpgid(xserver_t)
 	rhgb_signal(xserver_t)
 ')
-@@ -806,7 +937,7 @@
+@@ -806,7 +939,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
@ -23785,7 +23872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +958,14 @@
+@@ -827,9 +960,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -23800,7 +23887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +980,14 @@
+@@ -844,11 +982,14 @@
 
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -23816,7 +23903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -856,6 +995,11 @@
+@@ -856,6 +997,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
@ -23828,7 +23915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1025,8 @@
+@@ -881,6 +1027,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -23837,7 +23924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
 
-@@ -905,6 +1051,8 @@
+@@ -905,6 +1053,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
 
@ -23846,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,6 +1120,37 @@
+@@ -972,6 +1122,37 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 
@ -23884,7 +23971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`TODO',`
 tunable_policy(`allow_polyinstantiation',`
 # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1165,12 @@
+@@ -986,3 +1167,12 @@
 #
 allow xdm_t user_home_type:file unlink;
 ') dnl end TODO
@ -27634,7 +27721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if	2009-02-02 14:49:54.000000000 -0500
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -27692,7 +27779,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	optional_policy(`
-@@ -367,6 +376,24 @@
+@@ -227,13 +236,9 @@
+ #
+ interface(`unconfined_shell_domtrans',`
+ 	gen_require(`
+-		type unconfined_t;
+		type unconfined_login_domain;
+ 	')
+-
+-	corecmd_shell_domtrans($1,unconfined_t)
+-	allow unconfined_t $1:fd use;
+-	allow unconfined_t $1:fifo_file rw_file_perms;
+-	allow unconfined_t $1:process sigchld;
+	typeattribute $1 unconfined_login_domain
+ ')
+ 
+ ########################################
+@@ -367,6 +372,24 @@
 
 ########################################
 ## <summary>
@ -27717,7 +27820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send generic signals to the unconfined domain.
 ## </summary>
 ## <param name="domain">
-@@ -581,3 +608,150 @@
+@@ -581,3 +604,150 @@
 
 	allow $1 unconfined_t:dbus acquire_svc;
 ')
@ -27870,11 +27973,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te	2009-01-30 10:55:24.000000000 -0500
-@@ -6,35 +6,77 @@
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te	2009-02-02 14:52:21.000000000 -0500
+@@ -5,36 +5,86 @@
+ #
 # Declarations
 #
- 
+attribute unconfined_login_domain;
+
 +## <desc>
 +## <p>
 +## Transition to confined nsplugin domains from unconfined user
@ -27884,6 +27989,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +## <desc>
 +## <p>
+## Allow a user to login as an unconfined domain
+## </p>
+## </desc>
+gen_tunable(unconfined_login, true)
+
+## <desc>
+## <p>
 +## Allow unconfined domain to map low memory in the kernel
 +## </p>
 +## </desc>
@ -27895,7 +28007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </p>
 +## </desc>
 +gen_tunable(allow_unconfined_qemu_transition, false)
-+
+ 
 # usage in this module of types created by these
 # calls is not correct, however we dont currently
 # have another method to add access to these types
@ -27956,7 +28068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
-@@ -42,26 +84,39 @@
+@@ -42,26 +92,39 @@
 logging_run_auditctl(unconfined_t, unconfined_r)
 
 mount_run_unconfined(unconfined_t, unconfined_r)
@ -27998,7 +28110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -102,12 +157,24 @@
+@@ -102,12 +165,24 @@
 	')
 
 	optional_policy(`
@ -28023,7 +28135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -119,31 +186,33 @@
+@@ -119,31 +194,33 @@
 ')
 
 optional_policy(`
@ -28064,7 +28176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -155,36 +224,38 @@
+@@ -155,36 +232,38 @@
 ')
 
 optional_policy(`
@ -28115,7 +28227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -192,7 +263,7 @@
+@@ -192,7 +271,7 @@
 ')
 
 optional_policy(`
@ -28124,7 +28236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -204,11 +275,12 @@
+@@ -204,11 +283,12 @@
 ')
 
 optional_policy(`
@ -28139,7 +28251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -218,14 +290,60 @@
+@@ -218,14 +298,68 @@
 
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -28183,7 +28295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		type mplayer_exec_t;
 +	')
 +	domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
-+')
+ ')
 +
 +optional_policy(`
 +tunable_policy(`allow_unconfined_nsplugin_transition',`', `
@ -28191,7 +28303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		type mozilla_exec_t;
 +	')
 +	domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
- ')
+')
 +')
 +
 +optional_policy(`
@ -28202,6 +28314,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+tunable_policy(`unconfined_login',`
+	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+	allow unconfined_t unconfined_login_domain:fd use;
+	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+	allow unconfined_t unconfined_login_domain:process sigchld;
+')
+	
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2008-11-11 16:13:48.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/system/userdomain.fc	2009-01-19 13:10:02.000000000 -0500
@ -28216,7 +28336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-30 09:14:16.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-02-03 10:23:11.000000000 -0500
@@ -30,8 +30,9 @@
 	')
 
@ -29682,7 +29802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -2981,3 +3235,285 @@
+@@ -2981,3 +3235,313 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
@ -29968,6 +30088,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	exec_files_pattern($1, admin_home_t, admin_home_t)
 +')
 +
+
+#######################################
+## <summary>
+##	Manage all files/directories in the homedir
+## </summary>
+## <param name="userdomain">
+##	<summary>
+##	The user domain
+##	</summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_manage_user_home_content',`
+	gen_require(`
+		type user_home_dir_t;
+		attribute user_home_type;
+	')
+
+	files_list_home($1)
+	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+
+')
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.3/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/system/userdomain.te	2009-01-19 13:10:02.000000000 -0500
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -234,7 +234,7 @@ make clean
 %installCmds olpc mcs n y allow
 %endif

-make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
@ -444,6 +444,9 @@ exit 0
 %endif

 %changelog
+* Mon Feb 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-13
+- Add boolean to disallow unconfined_t login
+
 * Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-12
 - Add back transition from xguest to mozilla