- Merge upstream changes
- Add Xavier Toth patches
This commit is contained in:
Daniel J Walsh
parent
ceb150c168
commit
59571abd0d
@ -1597,6 +1597,11 @@ unprivuser = module
|
||||
#
|
||||
prelude = module
|
||||
|
||||
# Layer: services
|
||||
# Module: pads
|
||||
#
|
||||
pads = module
|
||||
|
||||
# Layer: services
|
||||
# Module: kerneloops
|
||||
#
|
||||
|
||||
@ -33240,7 +33240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-15 11:58:54.000000000 -0400
|
||||
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-16 09:56:01.000000000 -0400
|
||||
@@ -28,10 +28,14 @@
|
||||
class context contains;
|
||||
')
|
||||
@ -34377,7 +34377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -1189,36 +1183,45 @@
|
||||
@@ -1189,36 +1183,49 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -34416,6 +34416,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
optional_policy(`
|
||||
- setroubleshoot_stream_connect($1_t)
|
||||
+ cron_per_role_template($1, $1_usertype, $1_r)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
|
||||
+ ')
|
||||
+
|
||||
@ -34436,7 +34440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1295,8 +1298,6 @@
|
||||
@@ -1295,8 +1302,6 @@
|
||||
# Manipulate other users crontab.
|
||||
allow $1_t self:passwd crontab;
|
||||
|
||||
@ -34445,7 +34449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
@@ -1318,8 +1319,6 @@
|
||||
@@ -1318,8 +1323,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
@ -34454,7 +34458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1374,13 +1373,6 @@
|
||||
@@ -1374,13 +1377,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -34468,7 +34472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1432,6 +1424,7 @@
|
||||
@@ -1432,6 +1428,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -34476,7 +34480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1461,10 +1454,6 @@
|
||||
@@ -1461,10 +1458,6 @@
|
||||
seutil_run_semanage($1,$2,$3)
|
||||
seutil_run_setfiles($1, $2, $3)
|
||||
|
||||
@ -34487,7 +34491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
aide_run($1,$2, $3)
|
||||
')
|
||||
@@ -1484,6 +1473,14 @@
|
||||
@@ -1484,6 +1477,14 @@
|
||||
optional_policy(`
|
||||
netlabel_run_mgmt($1,$2, $3)
|
||||
')
|
||||
@ -34502,7 +34506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1741,11 +1738,15 @@
|
||||
@@ -1741,11 +1742,15 @@
|
||||
#
|
||||
template(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
@ -34521,7 +34525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1841,11 +1842,11 @@
|
||||
@@ -1841,11 +1846,11 @@
|
||||
#
|
||||
template(`userdom_search_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -34535,7 +34539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1875,11 +1876,11 @@
|
||||
@@ -1875,11 +1880,11 @@
|
||||
#
|
||||
template(`userdom_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -34549,7 +34553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1923,12 +1924,12 @@
|
||||
@@ -1923,12 +1928,12 @@
|
||||
#
|
||||
template(`userdom_user_home_domtrans',`
|
||||
gen_require(`
|
||||
@ -34565,7 +34569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1958,10 +1959,11 @@
|
||||
@@ -1958,10 +1963,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -34579,7 +34583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1993,11 +1995,47 @@
|
||||
@@ -1993,11 +1999,47 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -34629,7 +34633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2029,10 +2067,10 @@
|
||||
@@ -2029,10 +2071,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34642,7 +34646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2062,11 +2100,11 @@
|
||||
@@ -2062,11 +2104,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34656,7 +34660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2096,11 +2134,11 @@
|
||||
@@ -2096,11 +2138,11 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34671,7 +34675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2130,10 +2168,14 @@
|
||||
@@ -2130,10 +2172,14 @@
|
||||
#
|
||||
template(`userdom_dontaudit_write_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34688,7 +34692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2163,11 +2205,11 @@
|
||||
@@ -2163,11 +2209,11 @@
|
||||
#
|
||||
template(`userdom_read_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
@ -34702,7 +34706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2197,11 +2239,11 @@
|
||||
@@ -2197,11 +2243,11 @@
|
||||
#
|
||||
template(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34716,7 +34720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2231,10 +2273,10 @@
|
||||
@@ -2231,10 +2277,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34729,7 +34733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2266,12 +2308,12 @@
|
||||
@@ -2266,12 +2312,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -34745,7 +34749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2303,10 +2345,10 @@
|
||||
@@ -2303,10 +2349,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -34758,7 +34762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2338,12 +2380,12 @@
|
||||
@@ -2338,12 +2384,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_symlinks',`
|
||||
gen_require(`
|
||||
@ -34774,7 +34778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2375,12 +2417,12 @@
|
||||
@@ -2375,12 +2421,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_pipes',`
|
||||
gen_require(`
|
||||
@ -34790,7 +34794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2412,12 +2454,12 @@
|
||||
@@ -2412,12 +2458,12 @@
|
||||
#
|
||||
template(`userdom_manage_user_home_content_sockets',`
|
||||
gen_require(`
|
||||
@ -34806,7 +34810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2462,11 +2504,11 @@
|
||||
@@ -2462,11 +2508,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
@ -34820,7 +34824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2511,11 +2553,11 @@
|
||||
@@ -2511,11 +2557,11 @@
|
||||
#
|
||||
template(`userdom_user_home_content_filetrans',`
|
||||
gen_require(`
|
||||
@ -34834,7 +34838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2555,11 +2597,11 @@
|
||||
@@ -2555,11 +2601,11 @@
|
||||
#
|
||||
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||
gen_require(`
|
||||
@ -34848,7 +34852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2589,11 +2631,11 @@
|
||||
@@ -2589,11 +2635,11 @@
|
||||
#
|
||||
template(`userdom_write_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
@ -34862,7 +34866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2623,11 +2665,11 @@
|
||||
@@ -2623,11 +2669,11 @@
|
||||
#
|
||||
template(`userdom_list_user_tmp',`
|
||||
gen_require(`
|
||||
@ -34876,7 +34880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2659,10 +2701,10 @@
|
||||
@@ -2659,10 +2705,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_list_user_tmp',`
|
||||
gen_require(`
|
||||
@ -34889,7 +34893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2694,10 +2736,10 @@
|
||||
@@ -2694,10 +2740,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
@ -34902,7 +34906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2727,12 +2769,12 @@
|
||||
@@ -2727,12 +2773,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34918,7 +34922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2764,10 +2806,10 @@
|
||||
@@ -2764,10 +2810,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_read_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34931,7 +34935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2799,10 +2841,10 @@
|
||||
@@ -2799,10 +2845,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_append_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34944,7 +34948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2832,12 +2874,12 @@
|
||||
@@ -2832,12 +2878,12 @@
|
||||
#
|
||||
template(`userdom_rw_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34960,7 +34964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2869,10 +2911,10 @@
|
||||
@@ -2869,10 +2915,10 @@
|
||||
#
|
||||
template(`userdom_dontaudit_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -34973,7 +34977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2904,12 +2946,12 @@
|
||||
@@ -2904,12 +2950,12 @@
|
||||
#
|
||||
template(`userdom_read_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
@ -34989,7 +34993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2941,11 +2983,11 @@
|
||||
@@ -2941,11 +2987,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_dirs',`
|
||||
gen_require(`
|
||||
@ -35003,7 +35007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2977,11 +3019,11 @@
|
||||
@@ -2977,11 +3023,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_files',`
|
||||
gen_require(`
|
||||
@ -35017,7 +35021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3013,11 +3055,11 @@
|
||||
@@ -3013,11 +3059,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_symlinks',`
|
||||
gen_require(`
|
||||
@ -35031,7 +35035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3049,11 +3091,11 @@
|
||||
@@ -3049,11 +3095,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_pipes',`
|
||||
gen_require(`
|
||||
@ -35045,7 +35049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3085,11 +3127,11 @@
|
||||
@@ -3085,11 +3131,11 @@
|
||||
#
|
||||
template(`userdom_manage_user_tmp_sockets',`
|
||||
gen_require(`
|
||||
@ -35059,7 +35063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3134,10 +3176,10 @@
|
||||
@@ -3134,10 +3180,10 @@
|
||||
#
|
||||
template(`userdom_user_tmp_filetrans',`
|
||||
gen_require(`
|
||||
@ -35072,7 +35076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_tmp($2)
|
||||
')
|
||||
|
||||
@@ -3178,19 +3220,19 @@
|
||||
@@ -3178,19 +3224,19 @@
|
||||
#
|
||||
template(`userdom_tmp_filetrans_user_tmp',`
|
||||
gen_require(`
|
||||
@ -35096,7 +35100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -4616,11 +4658,11 @@
|
||||
@@ -4616,11 +4662,11 @@
|
||||
#
|
||||
interface(`userdom_search_all_users_home_dirs',`
|
||||
gen_require(`
|
||||
@ -35110,7 +35114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4640,6 +4682,14 @@
|
||||
@@ -4640,6 +4686,14 @@
|
||||
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir list_dir_perms;
|
||||
@ -35125,7 +35129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4677,6 +4727,8 @@
|
||||
@@ -4677,6 +4731,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
|
||||
@ -35134,7 +35138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4721,6 +4773,25 @@
|
||||
@@ -4721,6 +4777,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -35160,7 +35164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Create, read, write, and delete all files
|
||||
## in all users home directories.
|
||||
## </summary>
|
||||
@@ -4946,7 +5017,7 @@
|
||||
@@ -4946,7 +5021,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -35169,72 +35173,155 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5318,6 +5389,42 @@
|
||||
@@ -5318,7 +5393,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read and write unprivileged user ttys.
|
||||
+## Write all unprivileged users files in /tmp
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_unpriv_users_tmp_files',`
|
||||
+ gen_require(`
|
||||
+ type user_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Write all unprivileged users lnk_files in /tmp
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
|
||||
+ gen_require(`
|
||||
+ type user_tmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read and write unprivileged user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5368,7 +5475,7 @@
|
||||
attribute userdomain;
|
||||
')
|
||||
|
||||
- read_files_pattern($1,userdomain,userdomain)
|
||||
+ ps_process_pattern($1, userdomain)
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -5483,7 +5590,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Send a dbus message to all user domains.
|
||||
+## Manage keys for all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5491,7 +5598,43 @@
|
||||
@@ -5326,18 +5401,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_dbus_send_all_users',`
|
||||
-interface(`userdom_use_unpriv_users_ttys',`
|
||||
+interface(`userdom_manage_unpriv_users_tmp_files',`
|
||||
gen_require(`
|
||||
- attribute user_ttynode;
|
||||
+ type user_tmp_t;
|
||||
')
|
||||
|
||||
- allow $1 user_ttynode:chr_file rw_term_perms;
|
||||
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to use unprivileged
|
||||
-## user ttys.
|
||||
+## Write all unprivileged users lnk_files in /tmp
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5345,17 +5419,17 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_dontaudit_use_unpriv_users_ttys',`
|
||||
+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
|
||||
gen_require(`
|
||||
- attribute user_ttynode;
|
||||
+ type user_tmp_t;
|
||||
')
|
||||
|
||||
- dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read the process state of all user domains.
|
||||
+## Read and write unprivileged user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5363,18 +5437,18 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_read_all_users_state',`
|
||||
+interface(`userdom_use_unpriv_users_ttys',`
|
||||
gen_require(`
|
||||
- attribute userdomain;
|
||||
+ attribute user_ttynode;
|
||||
')
|
||||
|
||||
- read_files_pattern($1,userdomain,userdomain)
|
||||
- kernel_search_proc($1)
|
||||
+ allow $1 user_ttynode:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Get the attributes of all user domains.
|
||||
+## Do not audit attempts to use unprivileged
|
||||
+## user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5382,17 +5456,54 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_getattr_all_users',`
|
||||
+interface(`userdom_dontaudit_use_unpriv_users_ttys',`
|
||||
gen_require(`
|
||||
- attribute userdomain;
|
||||
+ attribute user_ttynode;
|
||||
')
|
||||
|
||||
- allow $1 userdomain:process getattr;
|
||||
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Inherit the file descriptors from all user domains
|
||||
+## Read the process state of all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_read_all_users_state',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ ps_process_pattern($1, userdomain)
|
||||
+ kernel_search_proc($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Get the attributes of all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_getattr_all_users',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:process getattr;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Inherit the file descriptors from all user domains
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5483,6 +5594,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Manage keys for all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_all_users_keys',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
@ -35263,19 +35350,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Send a dbus message to all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_dbus_send_all_users',`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
class dbus send_msg;
|
||||
@@ -5513,3 +5656,524 @@
|
||||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5513,3 +5660,524 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user