- Add devicekit policy

This commit is contained in:
Daniel J Walsh 2009-01-19 22:10:11 +00:00
parent 4e42f3a511
commit 70d5ccf098

View File

@ -11412,6 +11412,216 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_udp_sendrecv_generic_if(dcc_client_t) corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_generic_node(dcc_client_t) corenet_udp_sendrecv_generic_node(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.3/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.fc 2009-01-19 17:04:16.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:09:09.000000000 -0500
@@ -0,0 +1,139 @@
+
+## <summary>policy for devicekit</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run devicekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t;
+ type devicekit_exec_t;
+ ')
+
+ domtrans_pattern($1,devicekit_exec_t,devicekit_t)
+')
+
+
+########################################
+## <summary>
+## Read devicekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 devicekit_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage devicekit var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_manage_var_run',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## devicekit power over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_power_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an devicekit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the devicekit domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, devicekit_t, devicekit_t)
+
+
+ devicekit_manage_var_run($1)
+
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-19 17:06:44.000000000 -0500
@@ -0,0 +1,55 @@
+policy_module(devicekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+permissive devicekit_t;
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+permissive devicekit_power_t;
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+#
+# DeviceKit local policy
+#
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
+
+fs_list_inotifyfs(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+')
+
+#
+# DeviceKit-Power local policy
+#
+
+dev_rw_netcontrol(devicekit_power_t)
+files_read_etc_files(devicekit_power_t)
+fs_list_inotifyfs(devicekit_power_t)
+
+optional_policy(`
+ polkit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
+')
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/dhcp.if 2009-01-19 13:10:02.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/services/dhcp.if 2009-01-19 13:10:02.000000000 -0500
@ -21508,7 +21718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## display. ## display.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 14:47:14.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 17:08:51.000000000 -0500
@@ -34,6 +34,13 @@ @@ -34,6 +34,13 @@
## <desc> ## <desc>
@ -21838,7 +22048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -515,12 +572,35 @@ @@ -515,12 +572,41 @@
') ')
optional_policy(` optional_policy(`
@ -21852,14 +22062,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_system_bus_client(xdm_t) + dbus_system_bus_client(xdm_t)
+ +
+ optional_policy(` + optional_policy(`
+ devicekit_power_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(xdm_t) + hal_dbus_chat(xdm_t)
+ ') + ')
+ +
+ optional_policy(` + optional_policy(`
+ networkmanager_dbus_chat(xdm_t) + networkmanager_dbus_chat(xdm_t)
+ ') + ')
+
+') +')
+ +
+
+optional_policy(` +optional_policy(`
# Talk to the console mouse server. # Talk to the console mouse server.
gpm_stream_connect(xdm_t) gpm_stream_connect(xdm_t)
@ -21874,7 +22090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t) hostname_exec(xdm_t)
') ')
@@ -542,6 +622,19 @@ @@ -542,6 +628,19 @@
') ')
optional_policy(` optional_policy(`
@ -21894,7 +22110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t) seutil_sigchld_newrole(xdm_t)
') ')
@@ -550,8 +643,8 @@ @@ -550,8 +649,8 @@
') ')
optional_policy(` optional_policy(`
@ -21904,7 +22120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
@@ -571,6 +664,10 @@ @@ -571,6 +670,10 @@
') ')
optional_policy(` optional_policy(`
@ -21915,7 +22131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t) xfs_stream_connect(xdm_t)
') ')
@@ -635,6 +732,15 @@ @@ -635,6 +738,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t) files_search_var_lib(xserver_t)
@ -21931,7 +22147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Create files in /var/log with the xserver_log_t type. # Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t,file) logging_log_filetrans(xserver_t, xserver_log_t,file)
@@ -682,6 +788,7 @@ @@ -682,6 +794,7 @@
dev_rw_input_dev(xserver_t) dev_rw_input_dev(xserver_t)
dev_rwx_zero(xserver_t) dev_rwx_zero(xserver_t)
@ -21939,7 +22155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_mmap_low(xserver_t) domain_mmap_low(xserver_t)
files_read_etc_files(xserver_t) files_read_etc_files(xserver_t)
@@ -697,6 +804,7 @@ @@ -697,6 +810,7 @@
fs_search_nfs(xserver_t) fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t) fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t) fs_search_ramfs(xserver_t)
@ -21947,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mls_xwin_read_to_clearance(xserver_t) mls_xwin_read_to_clearance(xserver_t)
@@ -806,7 +914,7 @@ @@ -806,7 +920,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read }; allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search; dontaudit xserver_t xdm_var_lib_t:dir search;
@ -21956,7 +22172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -830,6 +938,10 @@ @@ -830,6 +944,10 @@
xserver_use_user_fonts(xserver_t) xserver_use_user_fonts(xserver_t)
@ -21967,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t) fs_manage_nfs_files(xserver_t)
@@ -844,11 +956,14 @@ @@ -844,11 +962,14 @@
optional_policy(` optional_policy(`
dbus_system_bus_client(xserver_t) dbus_system_bus_client(xserver_t)
@ -21983,7 +22199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -856,6 +971,11 @@ @@ -856,6 +977,11 @@
rhgb_rw_tmpfs_files(xserver_t) rhgb_rw_tmpfs_files(xserver_t)
') ')
@ -21995,7 +22211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
# #
# Rules common to all X window domains # Rules common to all X window domains
@@ -972,6 +1092,37 @@ @@ -972,6 +1098,37 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -22033,7 +22249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`TODO',` ifdef(`TODO',`
tunable_policy(`allow_polyinstantiation',` tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp # xdm needs access for linking .X11-unix to poly /tmp
@@ -986,3 +1137,13 @@ @@ -986,3 +1143,13 @@
# #
allow xdm_t user_home_type:file unlink; allow xdm_t user_home_type:file unlink;
') dnl end TODO ') dnl end TODO
@ -26194,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 13:10:02.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:08:20.000000000 -0500
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -26594,7 +26810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -512,189 +525,194 @@ @@ -512,189 +525,198 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -26763,54 +26979,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
- hal_dbus_chat($1_t) - hal_dbus_chat($1_t)
+ evolution_dbus_chat($1_usertype) + devkit_power_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
') ')
optional_policy(` optional_policy(`
- networkmanager_dbus_chat($1_t) - networkmanager_dbus_chat($1_t)
- ') - ')
+ hal_dbus_chat($1_usertype) + evolution_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
') ')
optional_policy(` optional_policy(`
- inetd_use_fds($1_t) - inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t) - inetd_rw_tcp_sockets($1_t)
+ networkmanager_dbus_chat($1_usertype) + hal_dbus_chat($1_usertype)
') ')
optional_policy(` optional_policy(`
- inn_read_config($1_t) - inn_read_config($1_t)
- inn_read_news_lib($1_t) - inn_read_news_lib($1_t)
- inn_read_news_spool($1_t) - inn_read_news_spool($1_t)
+ vpnc_dbus_chat($1_usertype) + networkmanager_dbus_chat($1_usertype)
+ ')
') ')
optional_policy(` optional_policy(`
- locate_read_lib_files($1_t) - locate_read_lib_files($1_t)
+ inetd_use_fds($1_usertype) + vpnc_dbus_chat($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype) + ')
') ')
- # for running depmod as part of the kernel packaging process - # for running depmod as part of the kernel packaging process
optional_policy(` optional_policy(`
- modutils_read_module_config($1_t) - modutils_read_module_config($1_t)
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
+ inn_read_config($1_usertype) + inn_read_config($1_usertype)
+ inn_read_news_lib($1_usertype) + inn_read_news_lib($1_usertype)
+ inn_read_news_spool($1_usertype) + inn_read_news_spool($1_usertype)
') ')
optional_policy(`
- mta_rw_spool($1_t)
+ locate_read_lib_files($1_usertype)
')
+ # for running depmod as part of the kernel packaging process
optional_policy(` optional_policy(`
- tunable_policy(`allow_user_mysql_connect',` - tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t) - mysql_stream_connect($1_t)
- ') + locate_read_lib_files($1_usertype)
')
+
+ # for running depmod as part of the kernel packaging process
+ optional_policy(`
+ modutils_read_module_config($1_usertype) + modutils_read_module_config($1_usertype)
') ')
@ -26832,16 +27051,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- postgresql_stream_connect($1_t) - postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t) - postgresql_tcp_connect($1_t)
+ postgresql_stream_connect($1_usertype) + postgresql_stream_connect($1_usertype)
+ ')
') ')
+
+ optional_policy(`
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid($1_usertype)
') ')
optional_policy(` optional_policy(`
- resmgr_stream_connect($1_t) - resmgr_stream_connect($1_t)
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid($1_usertype)
+ ')
+
+ optional_policy(`
+ pcscd_read_pub_files($1_usertype) + pcscd_read_pub_files($1_usertype)
+ pcscd_stream_connect($1_usertype) + pcscd_stream_connect($1_usertype)
') ')
@ -26871,7 +27090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -722,15 +740,29 @@ @@ -722,15 +744,29 @@
userdom_base_user_template($1) userdom_base_user_template($1)
@ -26907,7 +27126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -746,70 +778,72 @@ @@ -746,70 +782,72 @@
allow $1_t self:context contains; allow $1_t self:context contains;
@ -27013,7 +27232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -846,6 +880,28 @@ @@ -846,6 +884,28 @@
# Local policy # Local policy
# #
@ -27042,7 +27261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
loadkeys_run($1_t,$1_r) loadkeys_run($1_t,$1_r)
') ')
@@ -876,7 +932,7 @@ @@ -876,7 +936,7 @@
userdom_restricted_user_template($1) userdom_restricted_user_template($1)
@ -27051,17 +27270,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -884,14 +940,18 @@ @@ -884,14 +944,18 @@
# #
auth_role($1_r, $1_t) auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t) - auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype) + auth_search_pam_console_data($1_usertype)
+
+ xserver_role($1_r, $1_t)
- dev_read_sound($1_t) - dev_read_sound($1_t)
- dev_write_sound($1_t) - dev_write_sound($1_t)
+ xserver_role($1_r, $1_t)
+
+ dev_read_sound($1_usertype) + dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype) + dev_write_sound($1_usertype)
# gnome keyring wants to read this. # gnome keyring wants to read this.
@ -27075,7 +27294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t) logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain # Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -899,28 +959,24 @@ @@ -899,28 +963,24 @@
selinux_get_enforce_mode($1_t) selinux_get_enforce_mode($1_t)
optional_policy(` optional_policy(`
@ -27110,7 +27329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -931,8 +987,7 @@ @@ -931,8 +991,7 @@
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
@ -27120,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </p> ## </p>
## <p> ## <p>
## This template creates a user domain, types, and ## This template creates a user domain, types, and
@@ -954,8 +1009,8 @@ @@ -954,8 +1013,8 @@
# Declarations # Declarations
# #
@ -27130,7 +27349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1) userdom_common_user_template($1)
############################## ##############################
@@ -964,11 +1019,10 @@ @@ -964,11 +1023,10 @@
# #
# port access is audited even if dac would not have allowed it, so dontaudit it here # port access is audited even if dac would not have allowed it, so dontaudit it here
@ -27143,7 +27362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why? # cjp: why?
files_read_kernel_symbol_table($1_t) files_read_kernel_symbol_table($1_t)
@@ -986,37 +1040,47 @@ @@ -986,37 +1044,47 @@
') ')
') ')
@ -27194,17 +27413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+ optional_policy(` + optional_policy(`
+ mount_run($1_t, $1_r) + mount_run($1_t, $1_r)
+ ') ')
+ +
+ # Run pppd in pppd_t by default for user + # Run pppd in pppd_t by default for user
+ optional_policy(` + optional_policy(`
+ ppp_run_cond($1_t, $1_r) + ppp_run_cond($1_t, $1_r)
') + ')
+ +
') ')
####################################### #######################################
@@ -1050,7 +1114,7 @@ @@ -1050,7 +1118,7 @@
# #
template(`userdom_admin_user_template',` template(`userdom_admin_user_template',`
gen_require(` gen_require(`
@ -27213,7 +27432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
############################## ##############################
@@ -1059,8 +1123,7 @@ @@ -1059,8 +1127,7 @@
# #
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
@ -27223,7 +27442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t) domain_obj_id_change_exemption($1_t)
role system_r types $1_t; role system_r types $1_t;
@@ -1083,7 +1146,8 @@ @@ -1083,7 +1150,8 @@
# Skip authentication when pam_rootok is specified. # Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok; allow $1_t self:passwd rootok;
@ -27233,7 +27452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t) kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t) kernel_getattr_core_if($1_t)
@@ -1106,8 +1170,6 @@ @@ -1106,8 +1174,6 @@
dev_getattr_generic_blk_files($1_t) dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t) dev_getattr_generic_chr_files($1_t)
@ -27242,7 +27461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work # Allow MAKEDEV to work
dev_create_all_blk_files($1_t) dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t) dev_create_all_chr_files($1_t)
@@ -1162,20 +1224,6 @@ @@ -1162,20 +1228,6 @@
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t) seutil_manage_bin_policy($1_t)
@ -27263,7 +27482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
postgresql_unconfined($1_t) postgresql_unconfined($1_t)
') ')
@@ -1221,6 +1269,7 @@ @@ -1221,6 +1273,7 @@
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -27271,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1286,11 +1335,15 @@ @@ -1286,11 +1339,15 @@
interface(`userdom_user_home_content',` interface(`userdom_user_home_content',`
gen_require(` gen_require(`
type user_home_t; type user_home_t;
@ -27287,7 +27506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1387,7 +1440,7 @@ @@ -1387,7 +1444,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -27296,7 +27515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1420,6 +1473,14 @@ @@ -1420,6 +1477,14 @@
allow $1 user_home_dir_t:dir list_dir_perms; allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1) files_search_home($1)
@ -27311,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1435,9 +1496,11 @@ @@ -1435,9 +1500,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
type user_home_dir_t; type user_home_dir_t;
@ -27323,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1494,6 +1557,25 @@ @@ -1494,6 +1561,25 @@
allow $1 user_home_dir_t:dir relabelto; allow $1 user_home_dir_t:dir relabelto;
') ')
@ -27349,7 +27568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
## <summary> ## <summary>
## Create directories in the home dir root with ## Create directories in the home dir root with
@@ -1547,9 +1629,9 @@ @@ -1547,9 +1633,9 @@
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -27361,7 +27580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1568,6 +1650,8 @@ @@ -1568,6 +1654,8 @@
') ')
dontaudit $1 user_home_t:dir search_dir_perms; dontaudit $1 user_home_t:dir search_dir_perms;
@ -27370,7 +27589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1643,6 +1727,7 @@ @@ -1643,6 +1731,7 @@
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -27378,7 +27597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1) files_search_home($1)
') ')
@@ -1741,6 +1826,62 @@ @@ -1741,6 +1830,62 @@
######################################## ########################################
## <summary> ## <summary>
@ -27441,7 +27660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute user home files. ## Execute user home files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1757,14 +1898,6 @@ @@ -1757,14 +1902,6 @@
files_search_home($1) files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@ -27456,7 +27675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1787,6 +1920,46 @@ @@ -1787,6 +1924,46 @@
######################################## ########################################
## <summary> ## <summary>
@ -27503,7 +27722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files ## Create, read, write, and delete files
## in a user home subdirectory. ## in a user home subdirectory.
## </summary> ## </summary>
@@ -2819,6 +2992,24 @@ @@ -2819,6 +2996,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -27528,7 +27747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to use user ttys. ## Do not audit attempts to use user ttys.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2851,6 +3042,7 @@ @@ -2851,6 +3046,7 @@
') ')
read_files_pattern($1,userdomain,userdomain) read_files_pattern($1,userdomain,userdomain)
@ -27536,7 +27755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1) kernel_search_proc($1)
') ')
@@ -2965,6 +3157,24 @@ @@ -2965,6 +3161,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -27561,7 +27780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains. ## Send a dbus message to all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2981,3 +3191,264 @@ @@ -2981,3 +3195,264 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')